
11 Ways to Streamline SEC Cybersecurity Compliance with Risk Cloud®

Ensure a smooth transition to new SEC cyber rules
Cyber attacks are growing in frequency, sophistication, and severity as more of life shifts to
the digital realm, more work is conducted remotely, and technology becomes more advanced.

Most organizations face hundreds of attacks each year, and each costs millions to respond to
and recover from.

The federal government has taken notice of this trend — and now it is taking action. Most
recently, that’s come in the form of new cybersecurity rules from the U.S. Securities and
Exchange Commission (SEC).

Here’s a summary of what the new rules require:

• Introduce strict reporting requirements around material cybersecurity incidents.

• Tighten cybersecurity oversight requirements for publicly traded companies with the
goal of forcing organizations and their boards of directors to take cybersecurity risk
management more seriously.

• Carry broad implications for the galaxy of privately-held companies that contract with
larger, public peers, or that plan on going public in the near future.

To ensure compliance with the new rules, organizations that have established cybersecurity
programs will need to update them quickly, while organizations with nascent or
underdeveloped cyber risk programs will need to put them into place.

This guide dives into the new regulations and explores how LogicGate Risk Cloud’s
modern GRC platform can simplify compliance efforts and ensure consistency across
your organization.

11 Ways to Streamline SEC Cybersecurity Compliance with Risk Cloud® 1


The SEC’s New Cybersecurity Rules: What They Require

At their core, the SEC’s new rules are all about increasing transparency and standardizing
disclosure around:

• How often public organizations experience cybersecurity incidents
• The extent of the damage they cause
• How they’re managing cyber incident preparedness, response, and recovery

Having this information available benefits investors and other stakeholders by enabling them
to make more accurate and timely decisions, and requiring organizations to report it ensures
they are paying adequate attention to their cyber defenses.

So what’s in the rules?

Let’s take a look at the general requirements, and which common SEC forms correspond
with them:

• Once an incident has been determined to be material in nature, the organization has four
business days to report it to the SEC.
• In cases where disclosure of an incident could pose a threat to national security or public
safety, organizations will have up to 60 days to report.
• Organizations will need to be able to describe how they’re managing cyber risk. That
includes explaining how any incidents they’ve experienced have affected or altered their
overall business strategy, and proving that their board of directors is adequately involved in
and informed of cybersecurity processes.
• Organizations will need to provide information on how they choose, vet, and manage the
third-party vendors and service providers they work with.

Let’s take a look at how some common SEC forms will be changing under the new rules.



Form 8-K

• Disclose major changes or significant events that could affect shareholders


• Report those incidents within four business days
• Describe when and how the incident occurred, whether it’s been addressed or if it’s
still ongoing, the scope of the incident, and any impact on company operations

Form 10-Q/K

• Provide a summary of all disclosed incidents that occurred within the reporting period,
including any incidents that were determined to have been immaterial at the time but have
become material in aggregate
• Provide a description of the overall program and any business continuity and recovery
plans, how previous cyber incidents have led to changes to the program, how cyber risks
and incidents are impacting finances and operations, and how third-party cyber risks are
being managed
• Report which board members have cybersecurity expertise, how the board is being informed
about cybersecurity risks and risk management, how often, and how that information
informs the business’s strategy and governance

Form 6-K and Form 20-F

Foreign private issuers will need to make similar disclosures about material cybersecurity
incidents on Form 6-K, and about their cybersecurity risk management, strategy, and
governance on Form 20-F.



What are the compliance deadlines?

Organizations governed by the new rules must come into compliance by December 15, 2023 for
Forms 10-K and 20-F, and by December 18, 2023 for Forms 8-K and 6-K. Smaller companies will
have an additional 180 days past those deadlines to begin providing 8-K disclosures.

Form                            Deadline
10-K and 20-F                   December 15, 2023
8-K and 6-K                     December 18, 2023
8-K for smaller organizations   180 days after each above deadline

How to improve cybersecurity resilience and transparency with Risk Cloud

With all of these new requirements being imposed on public companies, it’s more critical
than ever that organizations develop and implement robust cybersecurity risk management
programs or improve their existing programs and processes.

Beyond the SEC’s rules, the Biden Administration is engaging in a broader push to strengthen
the United States’ cybersecurity defenses and place more of the burden for preventing cyber
attacks on the private sector, which is so often targeted by hackers and criminals. Other
federal agencies and foreign governments are pursuing similar aims. Having an effective,
modern cybersecurity risk management program will soon no longer be considered a
nice-to-have — it will be an imperative.

Whether you’re spinning up a cyber risk program from scratch or upgrading one that’s already
in place, here are some best practices for ensuring your cyber risk management operations will
be able to keep up with changing cybersecurity rules and regulations — and how to use Risk
Cloud to put them into play.



1 Centralize risk assessment and incident data to improve disclosure timelines

Two sure-fire ways to make complying with the new SEC cybersecurity rules a nightmare are
to leave all of your risk assessment and cybersecurity incident data strewn about your
organization in a mess of spreadsheets, or to leave it siloed with risk owners without a
process for collecting and centralizing it all.

That’s why it’s important to develop processes and implement the tools you need to centralize
your risk, critical asset, controls, incident response and recovery, and assessment data in
one shared repository. Ideally, you’ll be able to automate this so that all of the information
is continuously being fed into that repository, ready to quickly generate reports for
SEC disclosure.

LogicGate Risk Cloud and its flexible graph database are an excellent tool for achieving this.
Such systems often have the ability to integrate with your other critical business systems
to build that centralized view of assets, risks, and controls, and include robust reporting
functionality to quickly export data to generate disclosure reports.

Having a single, centralized view of your cyber risk landscape will also help you harden your
cyber defenses to avoid many incidents altogether, eliminating the need for disclosures.



2 Determine materiality and business impact of incidents through cyber risk quantification

Material cybersecurity incidents are events that a reasonable shareholder would consider
important in making decisions around investing in a company or one that “significantly alters
the total mix of information available.”

Traditionally, organizations have relied on qualitative methods to determine the significance
or severity of a cyber incident, and the SEC rules note that information gleaned from such
methods should be taken into consideration when determining materiality. But using
quantitative risk assessment methods provides much more accurate assessments based on true
financial impact.

Insights gained from cyber risk quantification using tools like Risk Cloud Quantify can also help
organizations take stock of their cyber risk landscape, understand which threats could cause
the most harm to their business, and avoid them. Again, this can help you avoid having to make
disclosures altogether.



3 Improve incident identification, response, and recovery

Having well-defined incident management processes and workflows can help you identify,
respond to, recover from, and report cyber incidents. The data that you obtain from each
incident can be used to improve these processes and inform planning for future incidents.
Thus, spending the time to build effective incident management processes can help streamline
SEC reporting to meet disclosure deadlines.

Organizations with existing incident management programs should evaluate their effectiveness
and make any updates deemed necessary, while organizations that have not yet put these
processes in place should begin doing so. In both cases, ensure these updates or
implementations meet the standards necessary to comply with the new rules.

Leveraging the right modern risk management software can help you build and automate
these processes to ensure they’re effective, consistent, and able to be adjusted as conditions
change. LogicGate’s implementation or professional services teams are experts in constructing
effective compliance workflows, and can be engaged to help their clients improve their
processes based on what they’ve seen work elsewhere.



4 Enhance cyber risk governance and communication

Beyond the ongoing incident disclosure requirements, a large portion of the new rules is dedicated
to improving cybersecurity governance and ensuring boards of directors are adequately informed
about cybersecurity operations and risk management across their organization.

If your board is still struggling to understand cyber risk operations at your organization — or
worse, discounting its importance altogether — it’s time to start changing that. The most
effective way to do this is to develop a common language for communicating cyber risk that
any stakeholder can relate to: money.

Cyber risk quantification also helps here, since it allows you to pin hard financial figures to
each cyber risk and paint a clear picture of the true impact it could have on the bottom line.
You can also quantify the costs of noncompliance with the SEC rules to make the case for
investing in cyber risk management programs.

LogicGate Risk Cloud includes both cyber risk quantification features and centralized,
connected data in out-of-the-box reports that can be configured to the needs of board. Using
these features to centralize your cybersecurity risk management operations also makes it
much easier to provide at-a-glance breakdowns of what your program looks like, both to the
board and to the SEC.

5 Automate evidence collection

Speed is imperative when you’re trying to report cybersecurity incidents under such tight
deadlines. Automating as many parts of your cyber risk management program as possible can go
a long way in streamlining disclosure.

In particular, automating evidence collection in Risk Cloud to connect with and pull data
from your other critical business systems can help ensure you always have the information
you need to generate disclosure reports, evaluate your controls’ effectiveness, and
communicate incidents up to leadership and the board at your fingertips.



6 Ensure third-party and supply chain compliance

No matter how bulletproof your cyber defenses and cyber risk management processes are,
your organization is only as secure as the amount of effort your third-party vendors and
service providers put into their own cybersecurity management. Ensuring third parties don’t
open doors for threat actors to infiltrate your systems comes down to how well you assess
each of them — and the SEC wants to know exactly how your organization is going about
doing so.

If you already have a third-party risk management program up and running, now is a good
time to assess it and ensure it aligns to best practices. If you don’t have a third-party risk
management program, consider standing one up. Risk Cloud’s Third-Party Risk Management
Solution can speed this process up by building custom, logic-based questionnaires to
automate vendor assessment.



7 Bolster business continuity planning

The SEC rules also require organizations to be able to provide information on business
continuity and recovery planning. Now is a good time to make sure you’ve carried out those
exercises and have plans in place. If you have already developed business continuity plans,
you should conduct testing to ensure that they’re up-to-date and effective.

Providing your business continuity planning information to the SEC can be streamlined by
centralizing all of your plans in one place, rather than allowing them to be kept in
departmental silos across your organization. Doing this can also help you execute on your
plans right away in moments of crisis, rather than wasting valuable time hunting them down.

8 Develop real-time cyber risk reporting

Cybersecurity threats are constantly changing and evolving in response to attempts to get
ahead of them. As such, you need to always be watching for the next novel threat. Every
organization needs to have the right tools in place for constantly monitoring their cybersecurity
risk landscape to intercept cyber attacks and flag ineffective or broken controls.

The better your ability to gather real-time insights on your cybersecurity posture, the more
likely it will be that you’ll avoid or quickly respond to cyber incidents, reducing the need to file
disclosures with the SEC.

Risk Cloud supports numerous integrations with third-party vulnerability management and
cybersecurity intelligence solutions like Tenable, Black Kite, and ServiceNow. Combining these
technologies can provide a 360-degree view of your cyber risk and help you stay a step or
two ahead.



9 Enhance auditing and controls evaluation

Extensive auditing cycles are the enemy of tight reporting deadlines. Now is a good time to
explore ways to increase the efficiency of your auditing capabilities, streamlining and
automating them wherever possible.

Risk Cloud’s pre-built audit reporting, automated evidence collection, and automated control
testing go a long way in speeding up your audits to ensure your organization remains secure
and that you’re able to effortlessly meet SEC reporting deadlines.

10 Stay in the know on regulatory changes

The SEC’s cybersecurity requirements will certainly not be the last cybersecurity regulations
we see from governments in the United States and globally. Make sure your team is up to speed
on what additional rules and regulations are on the horizon.

LogicGate’s implementation and professional services teams are also a good resource for this,
since they’re constantly adding content to Risk Cloud as new regulations and frameworks
are released. As such, they’re well-informed about what’s going on in the world of risk and
compliance. Otherwise, industry publications, news outlets, and industry thought leaders are
other good sources of this information.

11 Improve employee awareness and training, and foster a healthy cyber risk culture

Cybersecurity risk management is a team sport, and that means every single person in your
organization needs to do their part to keep your networks and assets safe and secure. That’s
why it’s important to conduct regular cybersecurity training to keep cyber risk top of mind, and
to build a healthy culture of cyber risk awareness, so cybersecurity risks don’t remain siloed
out of view until they become a problem — and the subject of an 8-K report straight to the SEC.



Using modern GRC technology to achieve and remain in SEC cybersecurity compliance

Leveraging the above strategies will ensure your organization is ready to meet the rapidly
approaching SEC cybersecurity compliance deadlines, and having the right GRC technology
available to you can streamline the process, both in standing up or improving your
cybersecurity risk management processes and in reporting to the SEC post-deadline.

From cyber risk and controls compliance to incident management, third-party risk
management, and operational resiliency, LogicGate’s Risk Cloud platform includes solutions to
help you put these steps into action to navigate these new cybersecurity rules with confidence
and improve your organization’s overall cybersecurity posture.

Meet Your SEC Cyber Compliance Solution

Comply

Cyber Risk Management
Identify, quantify, and prioritize cyber risks, then share findings and prioritize response
across your entire organization with centralized reporting.

Incident Management
Centrally report and triage incidents, then streamline response assignments to track and
ensure timely remediation.

Enhance

Third-Party Risk Management
Connect vendor controls, audits, and findings for accelerated vendor onboarding and clear
prioritization of third-party risks.

Risk Quantification
Quantify and communicate risk in the language every stakeholder understands — money.

Operationalize

Policy & Procedure Management
Centralize and automate policy creation, review, and approval processes while tracking
revision history and employee acknowledgment status.

Controls Management
Avoid redundant controls and evaluations, automate evidence collection, and improve program
efficiency by dynamically linking risks, controls, evaluations, and evidence.



Learn more about how Risk Cloud can help prepare your organization
for compliance with the SEC’s new cybersecurity rules.

Connect with our team today.

320 W Ohio St., Suite 600W, Chicago, IL 60654
(312) 279-2775
logicgate.com
