The US Securities and Exchange Commission (SEC) recently finalized regulations designed to improve transparency by requiring registrants to disclose details of material cybersecurity incidents and annually disclose material information regarding registrants’ cybersecurity risk management, strategy, and governance programs. The following FAQs (frequently asked questions) summarize the particulars and recommend next steps for covered organizations.

This regulation impacts “registrants” (i.e., issuers of securities, such as public companies and investment firms) with reporting obligations to the SEC.

If your organization is an SEC registrant (as noted above), the regulations outline new cybersecurity-focused data elements required for filing Form 8-K, 6-K (for foreign private issuers), 20-F, and 10-K. These data elements include disclosures about an organization’s cybersecurity risk management, strategy, and governance programs. The regulations also compel registrants to promptly report details of a material cybersecurity incident, including incident nature, scope, and timing, and a determination of actual or reasonably likely material impact on the registrant. As with many SEC filings, registrants must structure these reports in Inline eXtensible Business Reporting Language (XBRL).

The SEC announced the adoption of the new regulations on July 26, 2023. The regulations will take effect thirty (30) days after publication in the Federal Register. Timing for implementing the filing requirements varies by disclosure form.

Registrants should identify and gather information pertinent to the new reporting requirements. This includes details about the organization’s:

  • Cybersecurity risk management strategy and program, including a description of how the organization’s cybersecurity risk management activities align to an overall risk management program, and information about internal and external cybersecurity risk management expertise.
  • Cybersecurity governance structure, including a description of the role of the board of directors and executive management in overseeing the management of cybersecurity risks.

Registrants should also review their existing incident response and data breach notification programs to ensure alignment with SEC’s new reporting requirements.

Used by cybersecurity leaders for organizations small and large, the TrustMAPP platform helps users identify, measure, prioritize, and report on the maturity of controls and processes in support of the organization’s cybersecurity program. TrustMAPP users benefit from a powerful reporting engine that can produce reports designed to inform SEC disclosure requirements. Leveraging built-in recommendations and estimates for improving maturity over time, organizations can use TrustMAPP to boost the effectiveness of their cybersecurity risk management and governance processes.

To learn more about board reporting best practices, view leading CISOs’ advice here: