New SEC cybersecurity rules are putting pressure on businesses to efficiently report on the material impact of data breaches. While the SEC has removed some of the ambiguity on what needs to occur immediately after a cybersecurity breach, the rule is another reminder of the growing convergence between finance and data security, especially for public companies. 

Many businesses will be challenged by the new SEC cybersecurity guidance, and as the heat turns up on cyber protections, CFOs and accounting leaders must be ready to lead their teams in navigating the new data-centric regulatory environment. Data is central to the future of finance functions, and cybersecurity joins the list of familiar items for any future-minded leader. 

New Cybersecurity Rule Effective Date & Requirements

On August 4, 2023, the SEC published their final rule for all publicly traded companies, which is effective on September 5, 2023. The new cybersecurity regulations require SEC registrants to file Form 8-K and disclose the material impact of a security breach in just four business days after materiality has been determined. 

The new cybersecurity requirements will provide information that may sway an individual investor, analyst or money manager into buying or selling affected securities. The new rules require both the prompt sharing of information regarding cybersecurity incidents and annual notifications about management oversight and expertise within their 10-K filings. 

The new requirements go beyond incident reporting and include disclosing company cybersecurity processes, procedures and management oversight details. Non-exchange registered companies should become equally familiar with the regulation. Those that typically follow publicly traded company guidelines—such as portfolio companies and those that use accrual method accounting—will increasingly become expected to follow the SEC regulations by the lenders and investors they work with.

Aggregated information about cybersecurity incidents that collectively expose the business to greater scrutiny and liability claims are also encompassed within the new guidelines.

Why the New Regulations Matter

The threat of a material cybersecurity incident is a costly reality for companies both large and small. Of surveyed companies that have experienced a data breach in a single year, 83 percent have experienced more than one breach, and 60 percent of organizations have had to increase prices to their customers as a result of these costs. 

Cybersecurity complexity continues to grow with the advent of AI, supply chain bottlenecks and remote work. Educating employees, refining detection procedures and conducting risk assessments using formalized frameworks can help all relevant parties understand the complete risk profile of a company. 

With that said, the primary role of the SEC is to protect investors. Public relations concerns and embarrassment have played a major role in allowing the public at large—and investors in particular—to remain in the dark about how much a company is or isn’t doing to protect the data of its customers, vendors and prospects. The new guidelines will shed light onto the inner workings and practices of business executives and their policies. Registered companies will need to provide information on the company’s cybersecurity risk management frameworks, employees involved in managing risk and their board’s expertise and oversight. 

What These Risks & Disclosures Mean for Accounting & Finance Leaders

Whether or not you have dedicated cybersecurity professionals on your team, incorporating internal and external finance experts should be considered a necessity to help develop and manage your cybersecurity risk strategy. 

Considerations at the Tactical Level

Though data security policies are not the responsibility of the finance function, accountants and finance professionals will need to adopt best practices for working with sensitive financial data. Simple physical and electronic access controls—such as enforcing password updates and profile management—can be the beginning of maintaining a strong cybersecurity platform, but more must be considered to fully comply with the new SEC cybersecurity rules. 

  • Cloud security
  • Encryption 
  • Mobile security
  • Network infrastructure
  • Training
  • Physical security

Considerations for CFOs & Finance Leaders

Most importantly, for the CFO, understanding the company’s cybersecurity strategy is key. Who has access to which information? And who should the CFO communicate with in the event of a breach to gain the necessary data for identifying materiality and measuring impact?

With little time to disclose materiality, finance leaders need to have a system in place for quickly reporting on financial position. Finance professionals must ensure that all compliance tasks are assigned and completed with minimal impact to operations. The annual SEC 10-K filing requirements are being updated with details from the new amendments, and CFOs, controllers and financial analysts should be called upon to quantify existing and future risks and report them when necessary.

Additional Dates to Remember

The new SEC cybersecurity rules are effective for registrants on September 5, 2023. Other significant dates for disclosure documents and data element tags to observe include:

  • Companies with fiscal years ending on or after December 15, 2023, must begin including their cybersecurity disclosures on Form 10-K.
  • Form 8-K disclosure dates are dependent on company size. December 18, 2023, is the deadline for most companies, but smaller reporting companies will have until June 15, 2024, to fully comply.
  • Cybersecurity-related electronic structured data is required to be tagged by December 15, 2024.

Prepare for the New SEC Cybersecurity Rules

The SEC’s new cybersecurity rules represent a wake-up call to all businesses and organizations. Viruses, malware and ransomware can— and have— shut down major businesses and government facilities. The impact of a cyberattack on smaller businesses represents an even greater portion of their revenue, so owners must be vigilant about their cybersecurity risk whether or not their business is listed on an exchange.

Paro’s vetted network of fractional finance experts are ready to assist your team in managing compliance and reporting needs, addressing risk management concerns and providing strategic financial guidance for the future. As you build a data-driven organization, have the expertise you need to navigate the challenges and opportunities that come with your data.