Source: https://www.workiva.com/blog/sec-cybersecurity-rule
WHAT THE SEC CYBERSECURITY RULE MEANS FOR YOU

Disclosure Management
SEC Reporting
Security
ESG

9 min read

AUTHORS:
Steve Soter, Vice President and Industry Principal
Grant Ostler, Industry Principal
Published: July 26, 2023
Last Updated: December 20, 2023

IN THIS STORY
 * What’s in the SEC cybersecurity rule
 * Managing cybersecurity risk while working with SEC filing vendors
 * Best practices under the SEC cybersecurity mandate
 * How to build an effective cybersecurity risk management program

The U.S. Securities and Exchange Commission has eased off what it initially
proposed for cybersecurity disclosures. But the newly adopted SEC cybersecurity
rule raises the stakes for how companies assess the materiality of non-financial
information, with major impacts across teams from SEC reporting to ESG to audit
and risk.

Under the final cybersecurity rule, companies have to disclose cybersecurity
incidents within four business days of determining an incident is material (with
just a narrow exception). The SEC doesn’t specify a timeline for making that
determination. The rule also won’t ask companies to detail the cybersecurity
expertise of board members in annual reports, but they’ll have to disclose that
information for management, among other details. 

The final rule comes as hacks and breaches continue making headlines. No doubt,
incidents can be costly if a hacker is able to disrupt day-to-day operations,
collect a hefty ransom, or steal valuable intellectual property or even
customers’ data—not to mention harm your corporate reputation as you’re
scrambling to contain the damage.

Companies will want their legal, IT, risk, audit, and ESG teams to stay in close
touch and vet third-party vendors to protect themselves from cyberthreats.

Let’s take a look at the final SEC cybersecurity rule and explore how it will
impact multiple teams. Plus, we'll review steps you can take to minimize risk
when working with contractors and vendors, whose own cybersecurity incidents
could affect your operations.


WHAT’S IN THE SEC CYBERSECURITY RULE

You can read the full rule online, but generally it includes requirements for
disclosures about cybersecurity incidents and about cybersecurity risk
management, strategy, and governance. The Director of the Division of
Corporation Finance issued a relatively rare statement explaining the rule's
purpose, major points, and other considerations that's also worth reading.

The rule goes into effect for annual reports for fiscal years ending December
15, 2023, or later. For the rule’s 8-K and 6-K requirements, larger companies
have to comply starting December 18, 2023; smaller reporting companies have
until June 15, 2024, to start complying.

The SEC cybersecurity rule requires:

1. An 8-K filing within four business days of a company determining it has
experienced a material cybersecurity incident, with details of the nature,
scope, timing, and likely material impacts on the business, plus amended 8-Ks
for updates on previously disclosed incidents.

The final rule provides a narrow exception to the four-business-day deadline:
disclosure may be delayed if the U.S. Attorney General determines that immediate
disclosure would pose a substantial risk to national security or public safety,
and the Attorney General notifies the SEC of that determination in writing. The
initial delay is limited to 30 days; it can be extended only through further
Attorney General determinations (an additional 30 days, and up to 60 more in
extraordinary circumstances).

The rule doesn’t specify the timeframe for you to determine whether a
cybersecurity incident is material, but it has to be “without unreasonable
delay.”

The SEC could also scrutinize the gap between when an incident occurred, when
the company determined it was material, and when it was ultimately disclosed
under new Form 8-K Item 1.05.

That will make the timing and documentation of how companies assess materiality
incredibly important.

2. Disclosures describing the company’s processes, if any, for assessing,
identifying, and managing material risks from cybersecurity threats, and
management’s role in implementing them.

3. No required disclosures of board members’ cybersecurity expertise, but
companies will have to disclose management’s role and expertise in assessing
cybersecurity threats.

4. Disclosures submitted with Inline XBRL™ tagging to enable investors to
extract and analyze data faster. (This requirement kicks in one year after
compliance with the related disclosure requirement.)

For foreign private issuers, material cybersecurity incidents are reported on
Form 6-K, and the risk management, strategy, and governance disclosures go in
the annual report on Form 20-F.

We could debate whether those disclosures could give criminals ammunition for
future attacks or hinder law enforcement from recovering stolen funds before
criminals realize authorities are on to them. But the bottom line is that
cybersecurity incidents could happen to any company, and investors want to see
how resilient you are if one should happen to you. 

“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair Gary Gensler
said in announcing the SEC proposal in 2022. “They can have significant
financial, operational, legal, and reputational impacts on public issuers. Thus,
investors increasingly seek information about cybersecurity risks, which can
affect their investment decisions and returns."

He said companies and investors alike would benefit with this information being
required in a consistent, comparable, and decision-useful manner.


MANAGING CYBERSECURITY RISK WHILE WORKING WITH SEC FILING VENDORS

In some cases, companies will have to disclose significant hacks involving not
only technology they own, but also systems of third-party vendors if the breach
is material.

Along with staying vigilant toward security threats within your company, you
also need to practice cybersecurity risk management when working with
contractors, partners, or vendors. 

 * For example, when considering software, look for a native cloud service
   provider that builds its own software and platform rather than a traditional
   service provider with digital services bolted on, as Workiva Chief
   Information Security Officer Eric Anders suggests
 * Check that your vendor meets or exceeds standards for cloud service providers
   and employs multiple layers of protection
 * Also examine whether your vendor’s software or platform itself has built-in
   controls, so that if hackers break in via compromised login credentials, the
   information they can access will be limited
 * While no one is immune from a security breach, make sure your vendors are
   doing all they can to protect you


BEST PRACTICES UNDER THE SEC CYBERSECURITY MANDATE

As companies start to prepare for the SEC cybersecurity rule, multiple
departments outside of financial reporting will also be affected. This includes
audit and risk teams, who will need to consider ways to stay ahead of risk and
implement a cybersecurity risk management program.

As any major cybersecurity event is inherently stressful, the new rule will not
only increase the pressure on organizations going through an incident but will
also increase the risk to registrants of non-compliance in two scenarios:

 1. The SEC isn’t satisfied with the registrant’s cybersecurity incident
    disclosure and takes enforcement action
 2. The registrant determines a cybersecurity event is not material and makes no
    disclosure, but the event later comes to light and the SEC takes enforcement
    action for failure to disclose

For compliance with the SEC cybersecurity rule—and given the significant risk
and potential consequences of non-compliance—we suggest organizations will want
to:

 * Deploy multiple layers of security protection, including multi-factor
   authentication
 * Reassess their breach detection measures so that they would become aware of
   a breach promptly, since the disclosure clock starts once materiality is
   determined
 * Vet their vendors' cybersecurity controls and incident-notification
   commitments, so the organization will be informed promptly if a vendor has a
   security incident that could affect it
 * Integrate cybersecurity into the "G" in ESG
 * Evaluate their current governance, risk, and compliance (GRC) processes and
   readiness to manage a significant cybersecurity incident with regard to the
   new disclosure rules
 * Conduct a cybersecurity risk assessment as a part of their overall enterprise
   risk management (ERM) process to reflect the potential impact of
   non-compliance with the new rules
 * Update existing or implement new policies, procedures, and processes to
   implement an effective cybersecurity and IT risk management program
 * Design and implement robust internal controls over their incident management
   program
 * Audit the effectiveness of their cybersecurity incident management program to
   determine if internal controls are properly designed and are operating
   effectively


HOW TO BUILD AN EFFECTIVE CYBERSECURITY RISK MANAGEMENT PROGRAM

In light of the new SEC cybersecurity rule, now is a great time for registrants’
audit and risk teams to reassess their existing cybersecurity program and make
cyber risk management a top priority. 

Working closely with IT, legal, and other departments, audit and risk teams can
help assess the health of their company’s current cybersecurity program. For
practitioners looking to build an effective cybersecurity and IT risk
management program, the following list of practices provides a starting point:

 * Review their company’s current GRC cybersecurity practices and ensure that:
   * Cybersecurity priorities are driven by and aligned with the overall
     business strategy and risk appetite framework
   * Cybersecurity is prioritized appropriately based on its impact to the
     business strategy
   * Management actively supports the implementation of security measures,
     allocates necessary resources, and views cybersecurity and IT risk
     management as an investment to protect the organization's assets and
     reputation
   * Practices are established to remain informed about emerging cybersecurity
     risks, including regulations and compliance standards related to your
     industry
   * Cybersecurity governance processes are agile and updated regularly to align
     with new and emerging risks
   * Objectives, roles, responsibilities, and reporting structures for
     cybersecurity are well documented and understood across the entire
     organization—not just IT
   * Individual and team roles and responsibilities are clearly defined
   * All employees understand their role in maintaining security, where to turn
     for help or if they have questions, and how to report cybersecurity
     concerns
 * Assess cybersecurity risks regularly and integrate the results with your
   organization’s ERM process
   * Understand known cybersecurity risks, risk mitigation actions, and the
     residual risk to your company
   * Document and identify emerging cybersecurity trends, technologies, threats,
     regulatory changes, and more
   * Prioritize risks and implement risk mitigation strategies to address them
     effectively
   * Adapt your cybersecurity governance process to reflect the threat landscape
     as it evolves
 * Develop and enforce cybersecurity policies and procedures that cover all
   aspects of the organization's operations, including data protection, access
   control, incident response, and employee training:
   * Ensure cybersecurity policies are regularly reviewed, updated, and
     communicated across the company
 * Educate all employees about cybersecurity best practices, the importance of
   data protection, and how to recognize and report potential security incidents
 * Develop a well-defined incident response plan that outlines how to determine
   if a breach has occurred, assess the materiality of the breach, and
   coordinate response and communication with third parties
 * Test and update your incident response plan regularly to improve response
   effectiveness
 * Implement continuous monitoring of your systems, networks, and applications
   to detect anomalies and potential threats and report to responsible parties
   as quickly as possible
 * Conduct penetration testing and vulnerability assessments on a regular basis
   to identify and address weaknesses
 * Establish key performance indicators (KPIs) and security metrics to measure
   the effectiveness of your cybersecurity governance process 
 * Report on established KPIs with management and stakeholders to demonstrate
   progress and highlight areas of improvement
 * Conduct regular internal and external audits of your cybersecurity governance
   process to identify any gaps or weaknesses that need to be addressed

Being proactive can help protect your organization against cybersecurity
threats, will strengthen your organization’s resilience, and will help you be
prepared to address, mitigate, and disclose material cybersecurity incidents
under the new SEC cybersecurity rule.

Learn how legal, risk, ESG, and SEC reporting teams are using the Workiva
platform. Request a demo.

Inline XBRL™ and iXBRL™ are trademarks of XBRL International, Inc. All rights
reserved. The XBRL® standards are open and freely licensed by way of the XBRL
International License Agreement.


About the Author
Steve Soter

Vice President and Industry Principal



Steve is a Vice President and Industry Principal at Workiva. Previously, Steve
served as an accounting leader in multiple roles including Vice President and
Controller for Backcountry.com, a private equity owned, online retailer of
outdoor products, and as the Director of SEC Reporting for Overstock.com
(NASDAQ: OSTK), a $2 billion revenue, online retailer of home goods and
blockchain technology company. His experience includes multiple acquisitions,
debt offerings, an IPO, and the world’s first digital debt and equity offering
(by Overstock). Steve is the Executive Advisor of the SEC Professionals Group,
and a former member of the US XBRL Data Quality Committee. He began his career
as an auditor in public accounting, received his Accounting degree from the
University of Arizona, graduating summa cum laude, and received a Master of
Accountancy and Information Systems degree from Arizona State University.



Grant Ostler

Industry Principal

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance
and operations experience, primarily in internal audit, enterprise risk
management, and process improvement. Ostler served as the chief audit executive
over almost two decades for entities ranging from Fortune 500 companies to a
pre-IPO technology company, including building internal audit programs from
scratch and leading the implementation of SOX 404 compliance programs for three
companies. He is an active member of the Twin Cities Chapter of the IIA where
he’s held numerous leadership positions, including Chapter President, over the
past 20-plus years.