www.workiva.com
143.204.215.49
Public Scan
Submitted URL: http://go.workiva.com/MTU0LUxTSy03NTgAAAGQmDo1mf6RIt5j097C7VTEhmcSNDTBtVjkkaojAx9u3MTAooy0KurZgkNtLS0_L1weQQ7SvYXgmDuF...
Effective URL: https://www.workiva.com/blog/sec-cybersecurity-rule?utm_medium=Email&utm_type=Marketing-Outreach&utm_source=Marketo&utm_...
Submission: On January 11 via api from US — Scanned from DE
Form analysis
1 form found in the DOM: GET /search
<form action="/search" method="get" id="views-exposed-form-solr-site-search-search" accept-charset="UTF-8">
<div class="container">
<div class="row">
<div class="form-group js-form-item form-item js-form-type-textfield form-item-keys js-form-item-keys form-no-label">
<input data-drupal-selector="edit-keys" type="text" id="edit-keys" name="keys" value="" size="30" maxlength="128" class="form-text form-control">
</div>
<div data-drupal-selector="edit-actions" class="form-actions" id="edit-actions">
<input data-drupal-selector="edit-submit-solr-site-search" type="submit" id="edit-submit-solr-site-search" value="Submit" class="button js-form-submit form-submit form-control js-button-exists">
<i class="icon icon-search processed"></i>
</div>
</div>
</div>
</form>
Text Content
BLOG

WHAT THE SEC CYBERSECURITY RULE MEANS FOR YOU

Disclosure Management | SEC Reporting | Security | ESG | 9 min read

Authors: Steve Soter, Vice President and Industry Principal; Grant Ostler, Industry Principal
Published: July 26, 2023
Last Updated: December 20, 2023

The U.S. Securities and Exchange Commission has eased off what it initially proposed for cybersecurity disclosures. But the newly adopted SEC cybersecurity rule raises the stakes for how companies assess the materiality of non-financial information, with major impacts across teams from SEC reporting to ESG to audit and risk.

Under the final cybersecurity rule, companies have to disclose cybersecurity incidents within four business days of determining an incident is material (with just one narrow exception). The SEC doesn't specify a timeline for making that determination. The rule also won't ask companies to detail the cybersecurity expertise of board members in annual reports, but they'll have to disclose that information for management, among other details.

The final rule comes as hacks and breaches continue making headlines. No doubt, incidents can be costly if an attacker is able to disrupt day-to-day operations, collect a hefty ransom, or steal valuable intellectual property or even customers' data, not to mention harm your corporate reputation while you're scrambling to contain the damage.

Companies will want their legal, IT, risk, audit, and ESG teams to stay in close touch and vet third-party vendors to protect themselves from cyberthreats. Let's take a look at the final SEC cybersecurity rule and explore how it will impact multiple teams. Plus, we'll review steps you can take to minimize risk when working with contractors and vendors, whose own cybersecurity incidents could affect your operations.

WHAT'S IN THE SEC CYBERSECURITY RULE

You can read the full rule online, but generally it includes requirements for disclosures about cybersecurity incidents and about cybersecurity risk management, strategy, and governance. The Director of the Division of Corporation Finance issued a relatively rare statement explaining the rule's purpose, major points, and other considerations that's also worth reading.

The rule goes into effect for annual reports for fiscal years ending on or after December 15, 2023. For the rule's 8-K and 6-K requirements, larger companies have to comply starting December 18, 2023; smaller reporting companies have until June 15, 2024, to start complying.

The SEC cybersecurity rule requires:

1. An 8-K filing within four business days of a company determining it has experienced a material cybersecurity incident, with details of the nature, scope, timing, and likely material impacts on the business, plus amended 8-Ks for updates on previously disclosed incidents. The final rule provides a very narrow exception to the four-day requirement: the filing may be delayed if the U.S. attorney general determines that disclosure would pose a substantial threat to national security or public safety, and the attorney general has to provide that determination to the SEC in writing.

The rule doesn't specify a timeframe for you to determine whether a cybersecurity incident is material, but the determination has to be made "without unreasonable delay." It's possible the SEC could scrutinize the gap between when an incident occurred and when it was ultimately disclosed under the new Form 8-K Item 1.05. That makes the timing and documentation of how companies assess materiality incredibly important.

2. Disclosures of policies and procedures to assess, identify, and manage cybersecurity risks, and of management's role in implementing them.

3. No required disclosures of board members' cybersecurity expertise, but companies will have to disclose management's role and expertise in assessing cybersecurity threats.

4. Disclosures tagged in Inline XBRL™ to enable investors to extract and analyze data faster. (This requirement kicks in one year after compliance with the related disclosure requirement.)

For foreign private issuers, material cybersecurity incidents are reported on Form 6-K, with the corresponding disclosures in the annual report on Form 20-F.

We could debate whether those disclosures could give criminals ammunition for future attacks or hinder law enforcement from recovering stolen funds before criminals realize authorities are on to them. But the bottom line is that cybersecurity incidents could happen to any company, and investors want to see how resilient you are if one should happen to you.

"Cybersecurity incidents, unfortunately, happen a lot," SEC Chair Gary Gensler said in announcing the SEC proposal in 2022. "They can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns." He said companies and investors alike would benefit from this information being required in a consistent, comparable, and decision-useful manner.
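The four-business-day clock described above starts at the materiality determination, not at discovery, and the "without unreasonable delay" standard means the gap between the two is what a reviewer will ask about. The deadline tracker below is an added example written for this page, not code from the article or from Workiva. It assumes that a business day is a Monday to Friday that is not in a caller-supplied set of observed holidays (the SAMPLE_HOLIDAYS list in it is constructed for the demo, not an authoritative calendar) and keeps the discovery, determination and filing dates together so the record of how long the materiality assessment took survives the incident.

```python
"""Form 8-K Item 1.05 deadline tracker.

Added example, not code from the Workiva article. Assumptions the page does
not state, so treat them as such:
- A "business day" is a Monday-Friday that is not in a caller-supplied set of
  observed holidays. SAMPLE_HOLIDAYS below is constructed for the demo, not an
  authoritative calendar.
- The four-business-day clock starts on the date the company determines the
  incident is material (not on discovery), as the article describes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FILING_WINDOW_BUSINESS_DAYS = 4  # Item 1.05: four business days after determination

# Constructed sample holiday calendar for the demo (not a real or complete list).
SAMPLE_HOLIDAYS: frozenset[date] = frozenset({
    date(2024, 1, 1),   # New Year's Day
    date(2024, 1, 15),  # Martin Luther King Jr. Day
})


def is_business_day(day: date, holidays: frozenset[date] = SAMPLE_HOLIDAYS) -> bool:
    """Monday-Friday (weekday() 0-4) and not an observed holiday."""
    return day.weekday() < 5 and day not in holidays


def add_business_days(start: date, n: int, holidays: frozenset[date] = SAMPLE_HOLIDAYS) -> date:
    """Date n business days after start. Start itself is day zero, so a Friday
    determination plus 4 business days lands on the following Thursday, or later
    if a holiday intervenes."""
    if n < 0:
        raise ValueError("n must be non-negative")
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if is_business_day(current, holidays):
            remaining -= 1
    return current


def filing_due_iso(determined_material_iso: str, holidays: frozenset[date] = SAMPLE_HOLIDAYS) -> str:
    """ISO date by which the Item 1.05 8-K is due for a given determination date."""
    due = add_business_days(date.fromisoformat(determined_material_iso),
                            FILING_WINDOW_BUSINESS_DAYS, holidays)
    return due.isoformat()


@dataclass(frozen=True)
class IncidentTimeline:
    """The three dates a reviewer will ask about, kept together so the record of
    how long the materiality assessment took survives the incident."""
    discovered: date
    determined_material: date
    filed: Optional[date] = None
    holidays: frozenset[date] = SAMPLE_HOLIDAYS

    def __post_init__(self) -> None:
        if self.determined_material < self.discovered:
            raise ValueError("materiality cannot be determined before discovery")
        if self.filed is not None and self.filed < self.determined_material:
            raise ValueError("filing cannot precede the materiality determination")

    @classmethod
    def from_iso(cls, discovered: str, determined: str, filed: Optional[str] = None,
                 holidays: frozenset[date] = SAMPLE_HOLIDAYS) -> "IncidentTimeline":
        return cls(date.fromisoformat(discovered), date.fromisoformat(determined),
                   date.fromisoformat(filed) if filed else None, holidays)

    def filing_due(self) -> date:
        return add_business_days(self.determined_material, FILING_WINDOW_BUSINESS_DAYS, self.holidays)

    def days_to_determination(self) -> int:
        """Calendar days from discovery to determination. The rule bounds this only
        by "without unreasonable delay", so document what happened in this gap."""
        return (self.determined_material - self.discovered).days

    def is_late(self) -> bool:
        """True once a filing exists and it landed after the due date."""
        return self.filed is not None and self.filed > self.filing_due()

    def summary(self) -> dict[str, object]:
        return {
            "discovered": self.discovered.isoformat(),
            "determined_material": self.determined_material.isoformat(),
            "days_to_determination": self.days_to_determination(),
            "filing_due": self.filing_due().isoformat(),
            "filed": self.filed.isoformat() if self.filed else None,
            "late": self.is_late(),
        }


if __name__ == "__main__":
    # Friday determination: the weekend plus the sample Jan 15 holiday push the
    # due date from Thursday Jan 18 to Friday Jan 19, 2024; a Jan 22 filing is late.
    print(IncidentTimeline.from_iso("2024-01-05", "2024-01-12", "2024-01-22").summary())
```

The worked case shows the edge a calendar-day count gets wrong: a Friday determination gives until the following Thursday, and one holiday moves that to Friday. Swap in your counsel's holiday calendar before relying on the output.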
MANAGING CYBERSECURITY RISK WHILE WORKING WITH SEC FILING VENDORS

In some cases, companies will have to disclose significant hacks involving not only technology they own, but also systems of third-party vendors, if the breach is material. Along with staying vigilant toward security threats within your company, you also need to practice cybersecurity risk management when working with contractors, partners, or vendors.

* For example, when considering software, look for a native cloud service provider that builds its own software and platform rather than a traditional service provider with digital services bolted on, as Workiva Chief Information Security Officer Eric Anders suggests
* Check that your vendor meets or exceeds standards for cloud service providers and employs multiple layers of protection
* Examine whether your vendor's software or platform itself has built-in access controls, so that if attackers get in via compromised login credentials, the information a single account can reach is limited
* While no one is immune from a security breach, make sure your vendors are doing all they can to protect you

BEST PRACTICES UNDER THE SEC CYBERSECURITY MANDATE

As companies prepare for the SEC cybersecurity rule, multiple departments outside of financial reporting will also be affected. This includes audit and risk teams, who will need to consider ways to stay ahead of risk and implement a cybersecurity risk management program.

Any major cybersecurity event is inherently stressful, and the new rule will not only increase the pressure on organizations going through an incident but will also increase the risk to registrants of non-compliance in two scenarios:

1. The SEC isn't satisfied with the registrant's cybersecurity incident disclosure and takes enforcement action
2. The registrant determines a cybersecurity event is not material and makes no disclosure, but the event later comes to light and the SEC takes enforcement action for failure to disclose

For compliance with the SEC cybersecurity rule, and given the significant risk and potential consequences of non-compliance, we suggest organizations will want to:

* Deploy multiple layers of security protections, including multi-factor authentication
* Reassess their breach detection measures so that they become aware of a breach promptly, since the time between an incident and its disclosure may be scrutinized
* Vet their vendors' cybersecurity controls and customer service, so they can be confident they would be kept informed if a vendor has a security incident
* Integrate cybersecurity into the "G" in ESG
* Evaluate their current governance, risk, and compliance (GRC) processes and readiness to manage a significant cybersecurity incident under the new disclosure rules
* Conduct a cybersecurity risk assessment as part of their overall enterprise risk management (ERM) process that reflects the potential impact of non-compliance with the new rules
* Update existing or implement new policies, procedures, and processes to run an effective cybersecurity and IT risk management program
* Design and implement robust internal controls over their incident management program
* Audit the effectiveness of their cybersecurity incident management program to determine whether internal controls are properly designed and operating effectively

HOW TO BUILD AN EFFECTIVE CYBERSECURITY RISK MANAGEMENT PROGRAM

In light of the new SEC cybersecurity rule, now is a good time for registrants' audit and risk teams to reassess their existing cybersecurity program and make cyber risk management a top priority. Working closely with IT, legal, and other departments, they can help assess the health of their company's current cybersecurity program.

As audit and risk practitioners look to build an effective cybersecurity and IT risk management program, the following list of practices provides a starting point:

* Review the company's current GRC cybersecurity practices and ensure that:
  * Cybersecurity priorities are driven by and aligned with the overall business strategy and risk appetite framework
  * Cybersecurity is prioritized appropriately based on its impact on the business strategy
  * Management actively supports the implementation of security measures, allocates necessary resources, and views cybersecurity and IT risk management as an investment to protect the organization's assets and reputation
  * Practices are established to remain informed about emerging cybersecurity risks, including regulations and compliance standards related to your industry
  * Cybersecurity governance processes are agile and updated regularly to align with new and emerging risks
  * Objectives, roles, responsibilities, and reporting structures for cybersecurity are well documented and understood across the entire organization, not just IT
  * Individual and team roles and responsibilities are clearly defined
  * All employees understand their role in maintaining security, where to turn for help or if they have questions, and how to report cybersecurity concerns
* Assess cybersecurity risks regularly and integrate the results with your organization's ERM process:
  * Understand known cybersecurity risks, risk mitigation actions, and the residual risk to your company
  * Document and identify emerging cybersecurity trends, technologies, threats, regulatory changes, and more
  * Prioritize risks and implement risk mitigation strategies to address them effectively
  * Adapt your cybersecurity governance process to reflect the threat landscape as it evolves
* Develop and enforce cybersecurity policies and procedures that cover all aspects of the organization's operations, including data protection, access control, incident response, and employee training:
  * Ensure cybersecurity policies are regularly reviewed, updated, and communicated across the company
  * Educate all employees about cybersecurity best practices, the importance of data protection, and how to recognize and report potential security incidents
* Develop a well-defined incident response plan that outlines how to determine whether a breach has occurred, how to assess the materiality of the breach, and how to coordinate response and communication with third parties
* Test and update your incident response plan regularly to improve response effectiveness
* Implement continuous monitoring of your systems, networks, and applications to detect anomalies and potential threats, and report them to responsible parties as quickly as possible
* Conduct penetration testing and vulnerability assessments on a regular basis to identify and address weaknesses
* Establish key performance indicators (KPIs) and security metrics to measure the effectiveness of your cybersecurity governance process
* Report on established KPIs to management and stakeholders to demonstrate progress and highlight areas for improvement
* Conduct regular internal and external audits of your cybersecurity governance process to identify any gaps or weaknesses that need to be addressed

Being proactive can help protect your organization against cybersecurity threats, will strengthen your organization's resilience, and will help you be prepared to address, mitigate, and disclose material cybersecurity incidents under the new SEC cybersecurity rule.

Inline XBRL™ and iXBRL™ are trademarks of XBRL International, Inc. All rights reserved. The XBRL® standards are open and freely licensed by way of the XBRL International License Agreement.
ABOUT THE AUTHORS

Steve Soter, Vice President and Industry Principal

Steve is a Vice President and Industry Principal at Workiva. Previously, Steve served as an accounting leader in multiple roles, including Vice President and Controller for Backcountry.com, a private-equity-owned online retailer of outdoor products, and as the Director of SEC Reporting for Overstock.com (NASDAQ: OSTK), a $2 billion revenue online retailer of home goods and blockchain technology company. His experience includes multiple acquisitions, debt offerings, an IPO, and the world's first digital debt and equity offering (by Overstock). Steve is the Executive Advisor of the SEC Professionals Group and a former member of the US XBRL Data Quality Committee. He began his career as an auditor in public accounting, received his Accounting degree from the University of Arizona, graduating summa cum laude, and received a Master of Accountancy and Information Systems degree from Arizona State University.

Grant Ostler, Industry Principal

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance and operations experience, primarily in internal audit, enterprise risk management, and process improvement. Ostler served as the chief audit executive over almost two decades for entities ranging from Fortune 500 companies to a pre-IPO technology company, including building internal audit programs from scratch and leading the implementation of SOX 404 compliance programs for three companies. He is an active member of the Twin Cities Chapter of the IIA, where he has held numerous leadership positions, including Chapter President, over the past 20-plus years.