SEC Cybersecurity Disclosure Consulting

Primary Contact: Carl N. Kriebel, CISSP

Schneider Downs can help your organization meet the materiality assessments and disclosure requirements of the SEC Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule (SEC Cybersecurity Disclosure Rule).

Our team of experienced cybersecurity and IT risk professionals has the regulatory and technical knowledge to help organizations establish the processes and controls needed to assess the materiality of cybersecurity incidents and to manage the reporting process with the SEC.

Key cybersecurity incident materiality assessment services include incident response planning, procedure development, security assessments and specialized reporting.

How Can Organizations Meet the SEC Cybersecurity Disclosure Rule?

There are ways for organizations to get ahead of the SEC’s new regulations. To make compliance as easy as possible, registrants should focus on developing processes and shoring up communication regarding cyber incidents. If registrants do not already have processes in place, they should consider developing the following:

  • Process for inventorying and documenting all incidents, regardless of their individual materiality
  • Procedures for updating documentation associated with each incident
  • Processes and measurements to determine materiality
  • Process for aggregating and applying the materiality definition to a population of incidents
  • Guidelines for retaining the information necessary to provide disclosures

Additionally, registrants may want to consider whether their current cybersecurity monitoring infrastructure can accommodate this type of assessment and reporting and if their third-party risk management program is sufficient. Companies should ask themselves:

  • Can our incident response plan address the four-day reporting requirement?
  • Who on our management team is responsible for managing the cybersecurity program?
  • What third parties do we use to assist in meeting the program’s objectives?
  • Who is the board member or committee responsible for cybersecurity? Have we documented their experience in this space?
  • Have we done all we can to both protect/detect a cyber incident and recover/continue to operate?

What is the SEC Cybersecurity Disclosure Rule?

The SEC Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule (SEC Cybersecurity Disclosure Rule) requires registrants to disclose, on the new Item 1.05 of Form 8-K, any cybersecurity incident determined to be material and to describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant. This report is generally due within four days after the registrant determines a cybersecurity incident is material.

What are the SEC Cybersecurity Disclosure Rule Key Dates?

  • The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
  • Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.

What is Regulation S-K Item 106?

The new rule also adds Regulation S-K Item 106, which requires public companies to disclose information on their cybersecurity risk management, strategy and governance plans in their annual report on Form 10-K in an effort to provide more transparency to investors.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page or contact the team directly.
