SEC Cybersecurity: Guidance for Compliance

Editor's note: This article does not provide legal guidance. We recommend that those responsible for SEC compliance consult with appropriate legal counsel to determine their organization's risk and potential liability.

In the latter half of 2023, the Securities and Exchange Commission (SEC) adopted new sweeping cybersecurity reporting and disclosure rules for public companies and foreign private issuers.

Data breaches are expensive and severely damage investor confidence—and have quite the lasting effect on stock prices—and before these rules were implemented, there was an unfortunate amount of secrecy and deception when it came to data breaches of publicly traded companies.

The SEC has stepped in and announced that companies must be transparent about cybersecurity risks for their stakeholders. High-profile cases have shown the fallout of mishandled data breaches—think hefty fines, legal battles, and shattered reputations.

The Risks: What’s at Stake for CISOs and Other C-Suite Executives

The new SEC regulations can be a double-edged sword for chief information security officers (CISOs) and other top-level business executives.

On one side, clear SEC cybersecurity guidelines on disclosure and risk management remove the temptation to disguise the extent and severity of a data breach.

Conversely, the spotlight is squarely on CISOs and anyone else with a ‘C’ at the front of their title. Slip-ups or delays in reporting can lead to personal and corporate legal challenges.

Recently, bad actors have added extortion to their ransomware attacks, using the new SEC rules against corporations.

ALPHV, otherwise known as BlackCat, successfully breached MeridianLink in late 2023. When MeridianLink refused to pay BlackCat’s ransom demands, the hacker group filed a complaint with the SEC, alleging MeridianLink failed to disclose “a significant breach compromising customer data and operational information.”

Shifting the Burden with a vCISO

As organizations face exponentially more sophisticated attacks, they turn to virtual chief information security officers (vCISOs) to offload some of that cybersecurity risk.

A vCISO brings expertise from a wide range of clients across many different industry verticals and vigilance in helping organizations manage their cyber defenses so they can focus on the big picture.

SEC Cybersecurity Checklist

Tackling SEC compliance doesn’t have to be a regulatory hurdle; it can be a strategic advantage. By aligning the following guidelines, you’re safeguarding investor interests and fortifying your company against an ever-changing cybersecurity threat landscape.

1. Understand Materiality: Determine what constitutes a “material” cybersecurity incident in your business’ context. If it’s significant for investors, it’s significant for the SEC.
2. Timely Reporting: Aim for transparency and speed. You’ve got a four-day window once you have determined the incident is material to make your disclosure.
3. Annual Reflections: Beyond immediate incidents, disclose your risk management strategies and how you’re bulletproofing your cyber operations annually.
4. Consider a vCISO: Evaluate the benefits of having an external expert to help steer your cybersecurity strategy.

Need Help?

We strongly recommend engagement with a vCISO. With a cybersecurity leader who can deliver security leadership and a supporting team of analysts and engineers who can solve unique security challenges, your security posture greatly improves. 

Contact HBS to learn more about how a vCISO can help your organization establish a vision, prioritize initiatives, and reduce risk.