{"id":1662,"date":"2023-08-08T14:49:00","date_gmt":"2023-08-08T19:49:00","guid":{"rendered":"https:\/\/www.mgocpa.com\/?post_type=perspective&#038;p=1662"},"modified":"2025-07-08T07:27:39","modified_gmt":"2025-07-08T12:27:39","slug":"sec-adopts-rules-on-cybersecurity-risk-management","status":"publish","type":"perspective","link":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/","title":{"rendered":"SEC Adopts Rules for Cybersecurity Risk Management"},"content":{"rendered":"\n<p><strong>Executive Summary:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <a href=\"https:\/\/www.sec.gov\/\" target=\"_blank\" rel=\"noreferrer noopener\">Securities and Exchange Commission (SEC)<\/a> is promoting the enhancement and standardization of registrants\u2019 disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose \u201cmaterial\u201d cybersecurity breaches within four days of determining their materiality.<\/li>\n\n\n\n<li>The SEC wants to know the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board\u2019s oversight of such risks and management\u2019s role in assessing and managing those risks.<\/li>\n\n\n\n<li>The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).<\/li>\n\n\n\n<li>Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.<\/li>\n<\/ul>\n\n\n\n<p>&#8212;<\/p>\n\n\n\n<p>The SEC wants public companies to be more transparent with their investors about cybersecurity.
On July 26, 2023, it voted 3-2 to <a href=\"https:\/\/www.sec.gov\/news\/press-release\/2023-139\" target=\"_blank\" rel=\"noreferrer noopener\">adopt new rules on disclosure to promote clarity surrounding \u201cmaterial\u201d breaches and what\u2019s being done to combat them<\/a>. It wants companies to make this disclosure on Form 8-K within four days of determining that a cybersecurity breach was material. However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Defining &#8220;Material&#8221; Disclosures<\/h2>\n\n\n\n<p>According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure \u201cwould be viewed by the reasonable investor as having significantly altered the \u2018total mix\u2019 of information made available.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Is the SEC Implementing This Rule Change?<\/h2>\n\n\n\n<p>The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years.
In their fact sheet they note: \u201cCybersecurity risks have increased alongside the digitalization of registrants\u2019 operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (\u2026) All of these trends underscored the need for improved disclosure.\u201d<\/p>\n\n\n\n<p>But corporations are contesting the rules, arguing this short announcement period is unreasonable \u2014 and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Are the Requirements for Risk Management, Strategy, and Governance Disclosures?<\/h2>\n\n\n\n<p>Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management\u2019s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Will the SEC Cybersecurity Rules Affect You?<\/h2>\n\n\n\n<p>The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.<\/p>\n\n\n\n<p>Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the <a href=\"https:\/\/www.cisa.gov\/topics\/cyber-threats-and-advisories\/information-sharing\/cyber-incident-reporting-critical-infrastructure-act-2022-circia\" target=\"_blank\" rel=\"noreferrer noopener\">Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules<\/a> that require critical infrastructure entities to report breaches within three days to CISA. 
This reporting duplication could prove confusing and time-consuming.<\/p>\n\n\n\n<p>Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they\u2019ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.<\/p>\n\n\n\n<p>The SEC strives to protect investors, which isn\u2019t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.<\/p>\n\n\n\n<p>Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a \u201cnice to have\u201d function in an organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How We Can Help<\/h2>\n\n\n\n<p>It\u2019s important to stay vigilant to protect your organization from risk and maintain compliance. Our <a href=\"\/solution-and-industry\/cybersecurity\/#contact\" target=\"_blank\" rel=\"noreferrer noopener\">Technology and Cybersecurity Practice<\/a> can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur.
And, if they do, you\u2019ll be ready to mitigate risks sooner \u2014 and make progress towards compliance with the SEC\u2019s new rules.<\/p>\n\n\n\n<p>If you are ready to assess your cybersecurity posture, or you have questions about how the SEC\u2019s new requirements could affect you, schedule a conversation with our <a href=\"\/solution-and-industry\/cybersecurity\/#contact\" target=\"_blank\" rel=\"noreferrer noopener\">Technology and Cybersecurity team today<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Executive Summary: &#8212; The SEC wants public companies to be more transparent with their investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new rules on disclosure to promote clarity surrounding \u201cmaterial\u201d breaches and what\u2019s being done to combat them. And it wants them to do this within four days of determining [&hellip;]<\/p>\n","protected":false},"featured_media":1663,"template":"","meta":{"_acf_changed":false,"content-type":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"perspective_topic":[104,50,234,109,155,62,122,168],"perspective-type":[42],"class_list":["post-1662","perspective","type-perspective","status-publish","has-post-thumbnail","hentry","perspective_topic-cybercrime","perspective_topic-cybersecurity","perspective_topic-governance","perspective_topic-information-security","perspective_topic-internal-audit","perspective_topic-internal-controls","perspective_topic-public-company","perspective_topic-sec","perspective-type-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SEC Adopts Rules for Cybersecurity Risk Management - MGO CPA | Tax, Audit, and Consulting Services<\/title>\n<meta name=\"description\" content=\"Understand the SEC\u2019s new cybersecurity rules and how public
companies must now manage, report, and disclose cyber risk more transparently.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SEC Adopts Rules for Cybersecurity Risk Management - MGO CPA | Tax, Audit, and Consulting Services\" \/>\n<meta property=\"og:description\" content=\"Understand the SEC\u2019s new cybersecurity rules and how public companies must now manage, report, and disclose cyber risk more transparently.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/\" \/>\n<meta property=\"og:site_name\" content=\"MGO CPA | Tax, Audit, and Consulting Services\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/mgocpa\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-08T12:27:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1540\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/\",\"url\":\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/\",\"name\":\"SEC Adopts Rules for Cybersecurity Risk Management - MGO CPA | Tax, Audit, and Consulting Services\",\"isPartOf\":{\"@id\":\"https:\/\/www.mgocpa.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp\",\"datePublished\":\"2023-08-08T19:49:00+00:00\",\"dateModified\":\"2025-07-08T12:27:39+00:00\",\"description\":\"Understand the SEC\u2019s new cybersecurity rules and how public companies must now manage, report, and disclose cyber risk more transparently.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#primaryimage\",\"url\":\"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp\",\"contentUrl\":\"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp\",\"width\":2048,\"height\":1540,\"caption\":\"server 
room\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.mgocpa.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SEC Adopts Rules for Cybersecurity Risk Management\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mgocpa.com\/#website\",\"url\":\"https:\/\/www.mgocpa.com\/\",\"name\":\"MGO CPA\",\"description\":\"Tax, Audit, and Consulting Services\",\"publisher\":{\"@id\":\"https:\/\/www.mgocpa.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mgocpa.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mgocpa.com\/#organization\",\"name\":\"MGO CPA\",\"url\":\"https:\/\/www.mgocpa.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mgocpa.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/10\/mgocpa-logo.svg\",\"contentUrl\":\"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/10\/mgocpa-logo.svg\",\"width\":134,\"height\":32,\"caption\":\"MGO CPA\"},\"image\":{\"@id\":\"https:\/\/www.mgocpa.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/mgocpa\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SEC Adopts Rules for Cybersecurity Risk Management - MGO CPA | Tax, Audit, and Consulting Services","description":"Understand the SEC\u2019s new cybersecurity rules and how public companies must now manage, report, and disclose cyber risk more transparently.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/","og_locale":"en_US","og_type":"article","og_title":"SEC Adopts Rules for Cybersecurity Risk Management - MGO CPA | Tax, Audit, and Consulting Services","og_description":"Understand the SEC\u2019s new cybersecurity rules and how public companies must now manage, report, and disclose cyber risk more transparently.","og_url":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/","og_site_name":"MGO CPA | Tax, Audit, and Consulting Services","article_publisher":"https:\/\/www.facebook.com\/mgocpa","article_modified_time":"2025-07-08T12:27:39+00:00","og_image":[{"width":2048,"height":1540,"url":"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/","url":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/","name":"SEC Adopts Rules for Cybersecurity Risk Management - MGO CPA | Tax, Audit, and Consulting Services","isPartOf":{"@id":"https:\/\/www.mgocpa.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#primaryimage"},"image":{"@id":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp","datePublished":"2023-08-08T19:49:00+00:00","dateModified":"2025-07-08T12:27:39+00:00","description":"Understand the SEC\u2019s new cybersecurity rules and how public companies must now manage, report, and disclose cyber risk more transparently.","breadcrumb":{"@id":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#primaryimage","url":"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp","contentUrl":"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/12\/iStock-539948780-2048x1540-1.webp","width":2048,"height":1540,"caption":"server 
room"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mgocpa.com\/perspective\/sec-adopts-rules-on-cybersecurity-risk-management\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.mgocpa.com\/"},{"@type":"ListItem","position":2,"name":"SEC Adopts Rules for Cybersecurity Risk Management"}]},{"@type":"WebSite","@id":"https:\/\/www.mgocpa.com\/#website","url":"https:\/\/www.mgocpa.com\/","name":"MGO CPA","description":"Tax, Audit, and Consulting Services","publisher":{"@id":"https:\/\/www.mgocpa.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mgocpa.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mgocpa.com\/#organization","name":"MGO CPA","url":"https:\/\/www.mgocpa.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mgocpa.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/10\/mgocpa-logo.svg","contentUrl":"https:\/\/www.mgocpa.com\/wp-content\/uploads\/2024\/10\/mgocpa-logo.svg","width":134,"height":32,"caption":"MGO 
CPA"},"image":{"@id":"https:\/\/www.mgocpa.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/mgocpa"]}]}},"_links":{"self":[{"href":"https:\/\/www.mgocpa.com\/wp-json\/wp\/v2\/perspective\/1662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mgocpa.com\/wp-json\/wp\/v2\/perspective"}],"about":[{"href":"https:\/\/www.mgocpa.com\/wp-json\/wp\/v2\/types\/perspective"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mgocpa.com\/wp-json\/wp\/v2\/media\/1663"}],"wp:attachment":[{"href":"https:\/\/www.mgocpa.com\/wp-json\/wp\/v2\/media?parent=1662"}],"wp:term":[{"taxonomy":"perspective_topic","embeddable":true,"href":"https:\/\/www.mgocpa.com\/wp-json\/wp\/v2\/perspective_topic?post=1662"},{"taxonomy":"perspective-type","embeddable":true,"href":"https:\/\/www.mgocpa.com\/wp-json\/wp\/v2\/perspective-type?post=1662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}