Leaders Embrace New SEC Cybersecurity Regulations

New cybersecurity requirements from the SEC

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) voted to adopt new cybersecurity requirements for publicly traded companies, creating new obligations for reporting “material” cybersecurity incidents and requiring more detailed disclosure of cybersecurity risk management, expertise, and governance. Companies will be required to disclose risks in their annual reports beginning on December 15, 2023.

While some may view this as another new regulation that diverts attention away from their day-to-day responsibilities, many cybersecurity leaders are embracing this momentous occasion as a strategic advancement that cements their critical role in the business:

  • Stronger relationship with C-suite and Board. Cybersecurity leaders know that increased regulatory requirements provide them greater access to the C-suite and Board. Cybersecurity leaders want to be seen as valuable contributors to the company’s growth. By speaking to these stakeholders more regularly, leaders have greater opportunity to explain their programs and provide assurance that those programs are effective and drive growth for the business. Some cybersecurity leaders also aspire to be on corporate boards; they know that interacting with senior executives and leaders is important training for future roles in business.

  • Using performance metrics to describe a successful program. Cybersecurity leaders love to talk about establishing critical risk metrics and achieving measurable risk reduction that protects the business and enables growth. They are proud of the programs they create and want internal and external stakeholders alike to know what they’ve accomplished and how they’ve achieved meaningful risk reduction. They want to provide regular, informative updates to their business leaders regarding their program performance. They highlight performance metrics, benchmarking data, and quantitative data—as opposed to technical jargon and qualitative narratives—so that stakeholders clearly understand how their program is performing. While achieving “perfect” security is impossible, they’ve built a program that addresses critical hygiene issues and is based on sound risk management practices. 

  • Financial quantification of risk. Cybersecurity leaders understand the language of the business. They know that managing “material” risk—per the SEC regulations—requires them to prioritize their protection of the most important data, systems, and assets. To focus on “material” risk management, they must know the business inside and out—such as what intellectual property and trade secrets are most valuable, and what systems and assets must be up and running to support critical functions within the business. They also know their company’s financial exposure across multiple types of cyber events and impact scenarios and can calculate a range of potential financial losses that may result in a material impact to the business. By building these analyses, they can create a comprehensive cyber risk management program that mitigates or transfers risk. Ultimately, this provides assurance to internal and external stakeholders alike.

  • Assure all stakeholders, but particularly shareholders. The SEC regulations are designed to provide more information to the shareholder community. Cybersecurity leaders recognize that cyber risk has become a major concern for investors—in fact, Nomura calls it “the biggest hidden ESG risk.” By regularly meeting with their company’s Investor Relations department, they can effectively explain their cybersecurity investments and how they measurably reduce risk. When cyber leaders show metrics and measurements about program performance, they provide greater assurance to investors and make their company a more attractive investment.

  • Grow budget. These new regulations give cybersecurity leaders a way to grow their budget. They will not need to use fear, uncertainty, and doubt to demand more investment from business leaders; rather, they will leverage information about their performance as well as cyber risk quantification exercises to thoughtfully explain challenges in their existing investments and advocate for increased resources.

  • Differentiate their company in the market. Cybersecurity leaders know that demonstrating strong cybersecurity to the marketplace will be an important differentiator for their companies and will likely attract more business and investment. They know that investors, business partners, and other stakeholders want to work with companies with strong cybersecurity programs. They know that these new regulations will allow them to demonstrate the effectiveness of their cybersecurity programs and benchmark against industry peers.

The new SEC regulations offer cybersecurity professionals an opportunity to become business leaders, critical to achieving risk reduction and business growth goals. Bitsight is excited to work with leaders who embrace these opportunities for themselves and their organizations. Don’t hesitate to reach out to learn how Bitsight can help you prioritize your cybersecurity investments, perform industry and sector benchmarking, build greater trust with stakeholders, and reduce your organization’s chances of experiencing financial loss. 
