deloitte.wsj.com
Open in
urlscan Pro
99.86.4.72
Public Scan
Submitted URL: https://wsjpoliticspolicy.cmail20.com/t/d-l-vtidjky-iykyhddhyd-b/
Effective URL: https://deloitte.wsj.com/articles/secs-cyber-disclosure-rule-prepping-for-whats-new-2bb9fcf4?mod=Deloitte_cfo_wsjarticle5...
Submission: On September 09 via manual from US — Scanned from DE
Effective URL: https://deloitte.wsj.com/articles/secs-cyber-disclosure-rule-prepping-for-whats-new-2bb9fcf4?mod=Deloitte_cfo_wsjarticle5...
Submission: On September 09 via manual from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
Skip to Main ContentSkip to Search
Skip to...
Select
* Most Popular News
DJIA34576.59 points with a0.22%▲
S&P 5004457.49 points with a0.14%▲
Nasdaq13761.53 points with a0.09%▲
U.S. 10 Yr0/32with a4.271%▼
Crude Oil87.23 points with a0.32%▼
Euro1.0701 points with a0.02%▼
SEC’s Cyber Disclosure Rule: Prepping for What’s New
Share
Resize
--------------------------------------------------------------------------------
Listen
(7 min)
SubscribeSign In
SubscribeSign In
SubscribeSign In
Intro Offer
The Wall Street Journal
Save on a WSJ Membership
Gain Trusted Insights on 2023’s Biggest Stories
Become a WSJ Member Today
Subscribe Now
* English Edition
EditionEnglish中文 (Chinese)日本語 (Japanese)
* Print Edition
* Video
* Audio
* Latest Headlines
* More
MoreOther Products from WSJBuy Side from WSJWSJ ShopWSJ Wine
* World
Topics
Africa
Americas
Asia
China
Europe
Middle East
India
Oceania
Russia
U.K.
More
World Video
* Business
Topics
Airlines
Autos
C-Suite
Deals
Earnings
Energy & Oil
Entrepreneurship
Telecom
Retail
Hospitality
Logistics
Media
C-Suite
CFO Journal
CIO Journal
CMO Today
Logistics Report
Risk & Compliance
The Workplace Report
WSJ Professional
WSJ Pro Bankruptcy
WSJ Pro Central Banking
WSJ Pro Cybersecurity
WSJ Pro Private Equity
WSJ Pro Sustainable Business
WSJ Pro Venture Capital
More
Heard on the Street
Management
Journal Reports
Business Video
Business Podcast
* U.S.
Topics
Climate & Environment
Education
Law
More
U.S. Video
What's News Podcast
* Politics
Topics
Elections
National Security
Policy
More
Politics Video
* Economy
Topics
Central Banking
Consumers
Housing
Jobs
Trade
Global
WSJ Professional
WSJ Pro Bankruptcy
WSJ Pro Central Banking
WSJ Pro Private Equity
WSJ Pro Venture Capital
More
Capital Account
Economic Forecasting Survey
Economy Video
* Tech
Topics
AI
Biotech
Cybersecurity
Personal Technology
More
Christopher Mims
Joanna Stern
Julie Jargon
Nicole Nguyen
CIO Journal
The Future of Everything
Tech Video
Tech Podcast
* Finance
Topics
Banking
Commodities & Futures
Currencies
Investing
Regulation
Stocks
More
Heard on the Street
Greg Ip
Jason Zweig
Laura Saunders
James Mackintosh
CFO Journal
Markets Video
Your Money Briefing Podcast
Market Data
Market Data Home
Companies
U.S. Stocks
Commodities
Bonds & Rates
Currencies Market Data
Mutual Funds & ETFs
* Opinion
Columnists
Gerard Baker
Sadanand Dhume
Allysia Finley
James Freeman
William A. Galston
Daniel Henninger
Holman W. Jenkins
Andy Kessler
William McGurn
Walter Russell Mead
Peggy Noonan
Mary Anastasia O'Grady
Jason Riley
Joseph Sternberg
Kimberley A. Strassel
More
Editorials
Commentary
Future View
Houses of Worship
Cross Country
Letters to the Editor
The Weekend Interview
Potomac Watch Podcast
Foreign Edition Podcast
Free Expression Podcast
Opinion Video
Notable & Quotable
* Arts & Culture
Topics
Books
Film
Fine Art
Food & Cooking
History
Music
Television
Theater
Reviews
Film Reviews
Television Reviews
Theater Reviews
Masterpiece Series
Music Reviews
Dance Reviews
Opera Reviews
Exhibition Reviews
Cultural Commentary
More
WSJ Puzzles
What To Watch
Arts Calendar
* Lifestyle
Topics
Careers
Cars
Fitness
Relationships
Travel
Workplace
More
On Wine
Work & Life
Carry On
On The Clock
Elizabeth Bernstein
Turning Points
WSJ Puzzles
Recipes
* Real Estate
Topics
Commercial Real Estate
Luxury Homes
* Personal Finance
Topics
Retirement
Savings
Credit
Taxes
Mortgages
More
Jason Zweig
Laura Saunders
James Mackintosh
* Health
Topics
Healthcare
Pharma
Wellness
More
Your Health
* Science
Topics
Archaeology
Biology
Environment
Physics
Space & Astronomy
More
The Future of Everything
* Style
Topics
Beauty
Design
Fashion
More
Off Brand
On Trend
My Monday Morning
* Sports
Topics
Baseball
Basketball
Football
Golf
Hockey
Olympics
Soccer
Tennis
More
Jason Gay
SubscribeSign In
* English Edition
EditionEnglish中文 (Chinese)日本語 (Japanese)
* Print Edition
* Video
* Audio
* Latest Headlines
* More
MoreOther Products from WSJBuy Side from WSJWSJ ShopWSJ Wine
* World
Topics
Africa
Americas
Asia
China
Europe
Middle East
India
Oceania
Russia
U.K.
More
World Video
* Business
Topics
Airlines
Autos
C-Suite
Deals
Earnings
Energy & Oil
Entrepreneurship
Telecom
Retail
Hospitality
Logistics
Media
C-Suite
CFO Journal
CIO Journal
CMO Today
Logistics Report
Risk & Compliance
The Workplace Report
WSJ Professional
WSJ Pro Bankruptcy
WSJ Pro Central Banking
WSJ Pro Cybersecurity
WSJ Pro Private Equity
WSJ Pro Sustainable Business
WSJ Pro Venture Capital
More
Heard on the Street
Management
Journal Reports
Business Video
Business Podcast
* U.S.
Topics
Climate & Environment
Education
Law
More
U.S. Video
What's News Podcast
* Politics
Topics
Elections
National Security
Policy
More
Politics Video
* Economy
Topics
Central Banking
Consumers
Housing
Jobs
Trade
Global
WSJ Professional
WSJ Pro Bankruptcy
WSJ Pro Central Banking
WSJ Pro Private Equity
WSJ Pro Venture Capital
More
Capital Account
Economic Forecasting Survey
Economy Video
* Tech
Topics
AI
Biotech
Cybersecurity
Personal Technology
More
Christopher Mims
Joanna Stern
Julie Jargon
Nicole Nguyen
CIO Journal
The Future of Everything
Tech Video
Tech Podcast
* Finance
Topics
Banking
Commodities & Futures
Currencies
Investing
Regulation
Stocks
More
Heard on the Street
Greg Ip
Jason Zweig
Laura Saunders
James Mackintosh
CFO Journal
Markets Video
Your Money Briefing Podcast
Market Data
Market Data Home
Companies
U.S. Stocks
Commodities
Bonds & Rates
Currencies Market Data
Mutual Funds & ETFs
* Opinion
Columnists
Gerard Baker
Sadanand Dhume
Allysia Finley
James Freeman
William A. Galston
Daniel Henninger
Holman W. Jenkins
Andy Kessler
William McGurn
Walter Russell Mead
Peggy Noonan
Mary Anastasia O'Grady
Jason Riley
Joseph Sternberg
Kimberley A. Strassel
More
Editorials
Commentary
Future View
Houses of Worship
Cross Country
Letters to the Editor
The Weekend Interview
Potomac Watch Podcast
Foreign Edition Podcast
Free Expression Podcast
Opinion Video
Notable & Quotable
* Arts & Culture
Topics
Books
Film
Fine Art
Food & Cooking
History
Music
Television
Theater
Reviews
Film Reviews
Television Reviews
Theater Reviews
Masterpiece Series
Music Reviews
Dance Reviews
Opera Reviews
Exhibition Reviews
Cultural Commentary
More
WSJ Puzzles
What To Watch
Arts Calendar
* Lifestyle
Topics
Careers
Cars
Fitness
Relationships
Travel
Workplace
More
On Wine
Work & Life
Carry On
On The Clock
Elizabeth Bernstein
Turning Points
WSJ Puzzles
Recipes
* Real Estate
Topics
Commercial Real Estate
Luxury Homes
* Personal Finance
Topics
Retirement
Savings
Credit
Taxes
Mortgages
More
Jason Zweig
Laura Saunders
James Mackintosh
* Health
Topics
Healthcare
Pharma
Wellness
More
Your Health
* Science
Topics
Archaeology
Biology
Environment
Physics
Space & Astronomy
More
The Future of Everything
* Style
Topics
Beauty
Design
Fashion
More
Off Brand
On Trend
My Monday Morning
* Sports
Topics
Baseball
Basketball
Football
Golf
Hockey
Olympics
Soccer
Tennis
More
Jason Gay
SEC’s Cyber Disclosure Rule: Prepping for What’s New
Share
Resize
--------------------------------------------------------------------------------
Listen
(7 min)
CFO JOURNAL
Content by
The Wall Street Journal news department was not involved in producing this
sponsor content.
This copy is for your personal, non-commercial use only. Distribution and use of
this material are governed by our Subscriber Agreement and by copyright law. For
non-personal use or to order multiple copies, please contact Dow Jones Reprints
at 1-800-843-0008 or visit www.djreprints.com.
https://deloitte.wsj.com/articles/secs-cyber-disclosure-rule-prepping-for-whats-new-2bb9fcf4
1. BUSINESS
--------------------------------------------------------------------------------
2. CYBERSECURITY
SEC’S CYBER DISCLOSURE RULE: PREPPING FOR WHAT’S NEW
CERTAIN DISCLOSURES HAVE BEEN STREAMLINED, AND SOME PROPOSED ELEMENTS LIKE THE
DISCLOSURE OF BOARD EXPERTISE ARE ABSENT FROM THE FINAL RULE, BUT TIME TO
PREPARE IS SHORT
Share
Resize
--------------------------------------------------------------------------------
Listen
(7 min)
The U.S. Securities and Exchange Commission (SEC) has finalized a new rule for
public companies requiring Form 8-K or Form 6-K disclosure of material
cybersecurity incidents as well as annual reporting regarding cybersecurity risk
management, strategy, and governance.
“The SEC had observed some inconsistency in the nature and extent of cyber
disclosures under prior interpretive guidance,” says Sandy Herrygers, a partner
with Deloitte Risk & Financial Advisory at Deloitte & Touche LLP. “The new rule
aims to standardize disclosure by providing more specific guidance on what must
be disclosed, when it must be disclosed, and where it must be disclosed, for
example in Form 8-K or 10-K filings.”
The new cyber disclosure rule requires companies to disclose incidents in a Form
8-K filing (or Form 6-K for foreign private issuers) within four business days
of when a cybersecurity incident is determined to be material. The disclosure is
required to describe the material aspects of an incident’s nature, scope,
timing, and material or reasonable likely material impacts on the registrant.
The rule includes a provision for incident disclosure to be delayed if the U.S.
Attorney General determines that immediate disclosure would pose a substantial
risk to national security or public safety.
The rule reflects that certain required information may not be available at the
time of the initial Form 8-K filing, and it provides instructions to clarify
that updated incident disclosures are required in Form 8-K amendments when
companies have additional information that was not determined or available at
the time of an initial filing, says Christine Mazor, Audit & Assurance partner
with Deloitte & Touche LLP.
The new rule also retains an intentionally broad definition of what constitutes
a cyber incident so that it extends to a series of related unauthorized
breaches, says Mazor. “For example, a series of related cyber intrusions by the
same malicious actor or a series of attacks from multiple actors exploiting the
same vulnerability could lead to a quantitatively or qualitatively material
incident that would require disclosure under the rule,” she says.
In their annual Form 10-K, companies are required by the rule to describe the
processes they have in place for assessing, identifying, and managing material
cybersecurity risks as well as the material effects of risks from cybersecurity
threats, including previous incidents. Further, companies are required to
describe the board’s oversight and management’s role and expertise in assessing
and managing material risks from cybersecurity threats.
All companies will be required to provide disclosures on cybersecurity risk
management, strategy, and governance on Form 10-K (or Form 20-F for foreign
private issuers) beginning with annual reports for fiscal years ending on or
after Dec. 15, 2023. Incident disclosures in Form 8-K or Form 6-K are required
beginning 90 days after publication in the Federal Register or on Dec. 18, 2023,
whichever is later, but smaller reporting companies will have an additional 180
days to comply.
The SEC first proposed new cybersecurity disclosures in March 2022 to provide
investors with more consistent, decision-useful information through enhanced and
standardized disclosures. Following extensive public comment, the SEC’s adopted
final rule does not contain some of the originally proposed requirements, such
as disclosure regarding the board’s cybersecurity expertise or disclosure in a
registrant’s next periodic report when, to the extent known to management, a
series of previously undisclosed individually immaterial cybersecurity incidents
become material in the aggregate.
After the SEC issued its proposed rule in 2022, many companies performed gap
analyses by evaluating their disclosure controls and procedures related to
cybersecurity and identifying differences between those and the proposed
requirements. “Companies that have performed this analysis can refresh it with
the rule now finalized,” says Herrygers.
If companies have not performed this analysis, it’s important to do so now to
prepare for disclosures that will be required at the end of their current fiscal
year, says Herrygers. “The gap analysis provides a basis for developing a road
map for planning and implementing updates and improvements to disclosure
processes to comply with the new requirements,” she says.
Given the short timeline to the effective date of the new standard—less than six
months for calendar-year companies, for example—companies might consider
beginning drafting of new disclosures for year-end filings soon, says Mazor.
“There may be people involved in producing these disclosures who are not
normally part of the year-end reporting process, so there should be adequate
time built into the review process to allow for this,” she says.
The new disclosure requirements provide companies with an opportunity to improve
their cyber risk management, strategy, and governance, says Adnan Amjad, a
partner and U.S. Cyber & Strategic Risk leader with Deloitte & Touche LLP.
“Companies can take several steps to integrate their business and cyber
strategy, improve risk management and governance, and refresh incident
management processes to enhance their cyber posture while also complying with
new disclosure requirements,” he says.
Prepare for disclosures. Companies can evaluate current reporting practices
relative to the new requirements and identify how the company’s reporting
practices are affected. They can also deploy a cross-functional team to include
the CISO, CIO, legal, and internal audit to develop and implement controls and
procedures for producing needed disclosures regarding cybersecurity incidents in
current and periodic reports; the company’s risk management, strategy, and
governance related to cyber; and the board’s oversight and management’s
expertise in managing cybersecurity.
Fortify cyber governance. If they have not already, companies can establish a
risk-based cyber strategy that aligns with the business strategy and defines
enterprisewide cybersecurity policies, standards, and procedures. They can
develop a governance framework and organization model and invest in maturing
cybersecurity and incident response capabilities. Risk metrics and reporting
with ongoing monitoring can help improve cyber risk management discipline.
Enhance response and recovery. Organizations can implement or refresh an
incident management framework with incident response plans, develop a consistent
structure, and formally define criteria for cybersecurity incident materiality
specific to their operating environment. They can build dedicated incident
management teams and deploy automation to support the incident management
function. A formalized process for root cause analysis can enhance incident
response, and testing can confirm readiness. Cross-functional cyber readiness
exercises, such as tabletops or cyber simulations, can help teams improve
response when a material cybersecurity incident occurs.
—by Tammy Whitehouse, senior writer, Executive Perspectives in The Wall Street
Journal, Deloitte Services LP
Published on Aug 2, 2023, 9:00 PM
This publication contains general information only and Deloitte is not, by means
of this publication, rendering accounting, business, financial, investment,
legal, tax, or other professional advice or services. This publication is not a
substitute for such professional advice or services, nor should it be used as a
basis for any decision or action that may affect your business. Before making
any decision or taking any action that may affect your business, you should
consult a qualified professional advisor. Deloitte shall not be responsible for
any loss sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private
company limited by guarantee (“DTTL”), its network of member firms, and their
related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as “Deloitte Global”) does not
provide services to clients. In the United States, Deloitte refers to one or
more of the US member firms of DTTL, their related entities that operate using
the “Deloitte” name in the United States and their respective affiliates.
Certain services may not be available to attest clients under the rules and
regulations of public accounting. Please see www.deloitte.com/about to learn
more about our global network of member firms.
WHAT TO READ NEXT...
THE CFO AGENDA: TALENT AND LEADERSHIP
FIRST BIAS AUDIT LAW STARTS TO SET STAGE FOR TRUSTWORTHY AI
ECONOMIC BRIEF: RETOOLING THE BRICS ALLIANCE
LEVERAGING IRA TAX CREDITS TO ENHANCE CLIMATE, COMMUNITIES, AND BUSINESS VALUE
SEARCH DELOITTE ARTICLES
WHAT'S TRENDING
1.
THE CFO AGENDA: TALENT AND LEADERSHIP
2.
MAYO CLINIC CFO ON ADVANCING THE FUTURE OF DIGITAL HEALTH
3.
PERSEFONI CEO: HOW CARBON ACCOUNTING ADVANCES CLIMATE STRATEGY, DISCLOSURE
4.
CFOS LOWER ASSESSMENTS OF NORTH AMERICA’S ECONOMIC OUTLOOK: CFO SIGNALS
5.
BLACKSTONE CTO: ‘WHAT CAN TECHNOLOGY DO BETTER FOR YOU?’
EXECUTIVE PERSPECTIVES
Deloitte’s Executive Perspectives dives deeper into critical business issues to
deliver timely and actionable content to help support decision-making and build
careers. Through research, technology perspectives and analyses, interviews, and
more, Executive Perspectives for CFOs provides finance executives a customized
resource to help them address the strategic, operational, and regulatory issues
they face in managing their organizations and careers.Learn more about
Deloitte's executive programs.
Newsletter Sign-up
WSJ | CFO Journal
The Morning Ledger provides daily news and insights on corporate finance from
the CFO Journal team.
Preview
Subscribe
* The Wall Street Journal
* English Edition
EditionEnglish中文 (Chinese)日本語 (Japanese)
* Subscribe NowSign In
* Back to Top «
WSJ Membership
* Buy Side Exclusives
* Subscription Options
* Why Subscribe?
* Corporate Subscriptions
* WSJ Higher Education Program
* WSJ High School Program
* Public Library Program
* WSJ Live
* Commercial Partnerships
Customer Service
* Customer Center
* Contact Us
* Cancel My Subscription
Tools & Features
* Newsletters & Alerts
* Guides
* Topics
* My News
* RSS Feeds
* Video Center
* Watchlist
* Podcasts
* Visual Stories
Ads
* Advertise
* Commercial Real Estate Ads
* Place a Classified Ad
* Sell Your Business
* Sell Your Home
* Recruitment & Career Ads
* Coupons
* Digital Self Service
More
* About Us
* Content Partnerships
* Corrections
* Jobs at WSJ
* News Archive
* Register for Free
* Reprints & Licensing
* Buy Issues
* WSJ Shop
* WSJ Membership Benefits
* Customer Center
* Cancel My Subscription
* Legal Policies
* Manage Cookies
* Facebook
* Twitter
* Instagram
* YouTube
* Podcasts
* Snapchat
* Google Play
* App Store
Dow Jones Products
* Barron's
* BigCharts
* Dow Jones Newswires
* Factiva
* Financial News
* Mansion Global
* MarketWatch
* Risk & Compliance
* Buy Side from WSJ
* WSJ Pro
* WSJ Video
* WSJ Wine
* Privacy Notice
* Cookie Notice
* Manage Cookies
* Copyright Policy
* Data Policy
* Subscriber Agreement & Terms of Use
* Your Ad Choices
* Accessibility
* Copyright ©2023 Dow Jones & Company, Inc. All Rights Reserved.
Back to Top «
English Edition
EditionEnglish中文 (Chinese)日本語 (Japanese)
--------------------------------------------------------------------------------
* Facebook
* Twitter
* Instagram
* YouTube
* Podcasts
* Snapchat
WSJ Membership
* Buy Side Exclusives
* Subscription Options
* Why Subscribe?
* Corporate Subscriptions
* WSJ Higher Education Program
* WSJ High School Program
* Public Library Program
* WSJ Live
* Commercial Partnerships
Customer Service
* Customer Center
* Contact Us
* Cancel My Subscription
Tools & Features
* Newsletters & Alerts
* Guides
* Topics
* My News
* RSS Feeds
* Video Center
* Watchlist
* Podcasts
* Visual Stories
Ads
* Advertise
* Commercial Real Estate Ads
* Place a Classified Ad
* Sell Your Business
* Sell Your Home
* Recruitment & Career Ads
* Coupons
* Digital Self Service
More
* About Us
* Content Partnerships
* Corrections
* Jobs at WSJ
* News Archive
* Register for Free
* Reprints & Licensing
* Buy Issues
* WSJ Shop
* WSJ Membership Benefits
* Customer Center
* Cancel My Subscription
* Legal Policies
* Manage Cookies
* Google Play
* App Store
--------------------------------------------------------------------------------
Sign In
Copyright ©2023 Dow Jones & Company, Inc. All Rights Reserved.
Copyright ©2023 Dow Jones & Company, Inc. All Rights Reserved
This copy is for your personal, non-commercial use only. Distribution and use of
this material are governed by our Subscriber Agreement and by copyright law. For
non-personal use or to order multiple copies, please contact Dow Jones Reprints
at 1-800-843-0008 or visit www.djreprints.com.
INTRO OFFER
€2 per month
Subscribe Now