
Preparing for SEC's Upcoming Cybersecurity Disclosure Rule: Identifying Compliance Gaps

Las Vegas, Nevada — As the compliance dates for the Securities and Exchange Commission's (SEC) new cybersecurity disclosure rule approach, organizations should assess their readiness now by conducting a structured gap analysis against the rule's requirements. Mary Tarchinski-Krzoska, market adviser for risk and compliance at Auditboard, stressed the importance of this preparation.

Tarchinski-Krzoska presented her analysis at the Governance, Risk, and Control Conference in Las Vegas, an event co-sponsored by ISACA and the Institute of Internal Auditors, and used the session to walk through what changes under the SEC's disclosure rules.

The first component of the rules is a new annual disclosure. It applies to annual reports for fiscal years ending on or after December 15 of this year, so for calendar-year companies the current fiscal year is the first one covered. The disclosure must describe the organization's cybersecurity risk management processes and governance, including how cybersecurity risks are identified, assessed, and managed.

The second component concerns cybersecurity incidents. Once an incident is discovered, the company must determine whether it is material without unreasonable delay; Tarchinski-Krzoska put the realistic window at roughly a week. If the incident is determined to be material, a report describing its nature, scope, timing, and likely impact must be filed with the SEC within four business days of that determination. The clock starts at the materiality determination, not at discovery, which is why a documented, repeatable materiality assessment process is the practical prerequisite for meeting the deadline.

These rules arrive against a backdrop of rising cyberattacks. Tarchinski-Krzoska pointed to the Covid-19 pandemic as one contributing factor: the abrupt shift to remote work forced a rapid digital transformation across sectors.

According to figures she cited, organizations worldwide spent about $1.8 trillion on digitization in 2022. That speed brought real gains but also introduced exposure. As Tarchinski-Krzoska put it, "Many companies transformed while in a crisis mode, and they overlooked diligent cyber protection."

Software built quickly to meet pandemic-era demand added another layer of risk, since compressed timelines often meant it shipped without thorough security testing. She also cited a finding that roughly 88% of the open-source components in use at large enterprises had gone without updates for as long as two years, leaving already-known vulnerabilities in production dependencies.

Growing adoption of "shadow IT" is another concern. Tarchinski-Krzoska defines it as devices, services, or software brought into use outside direct IT oversight. When IT does not know an asset exists, it cannot patch it, monitor it, or account for the data it holds, so the organization loses track of assets and data and its exposure grows.

Heavier reliance on third-party providers for digital services adds further complexity. That dependence calls for due diligence to confirm that vendors' cybersecurity standards align with the organization's own, since an incident at a provider that hosts or processes the company's data can become the company's own reportable incident.

The combined effect of these factors shows up in the rising frequency of attacks, and businesses are being pushed toward more comprehensive cybersecurity investments and strategies.

Tarchinski-Krzoska also outlined how to build a robust cyber risk program. Collaboration, context, and communication, she said, are its foundation. Collaboration means alignment among the executive team, board members, and other stakeholders. Context means identifying the risks that actually matter to the organization's operations and spending time on those. Communication, both internal and external, is strengthened by using a consistent risk vocabulary, so that engineers, executives, and the board describe the same exposure in the same terms.

The annual requirements live in Form 10-K (Item 1C, drawing on Item 106 of Regulation S-K): companies must describe their cybersecurity risk management program, management's role in it, the board's oversight, and the program's maturity. Material incidents are reported on Form 8-K (Item 1.05), which in practice demands well-defined processes for incident identification, materiality assessment, and timely filing.

Ahead of the compliance dates, Tarchinski-Krzoska recommends a line-by-line review of the SEC's requirements to identify gaps. She also urges continued vigilance, because some requirements that were scaled back in the final rule may return in later rulemaking.

Businesses must navigate this evolving regulatory landscape with diligence and foresight. With cyber risks growing in complexity and frequency, proactive security measures matter as much as the disclosures themselves: by meeting the new standards and strengthening their defenses, businesses can build a resilient position in an increasingly digital world.
