SEC Cybersecurity Compliance with Risk Cloud®
The federal government has taken notice of this trend — and now they’re taking
action. Most recently, that’s come in the form of new cybersecurity rules from the U.S.
Securities and Exchange Commission (SEC).
• Tighten cybersecurity oversight requirements for publicly traded companies with the
goal of forcing organizations and their boards of directors to take cybersecurity risk
management more seriously.
• Carry broad implications for the galaxy of privately-held companies that contract with
larger, public peers, or that plan on going public in the near future.
To ensure compliance with the new rules, organizations that have established cybersecurity
programs will need to update them quickly, while organizations with nascent or
underdeveloped cyber risk programs will need to put them into place.
This guide dives into the new regulations and explores how LogicGate Risk Cloud’s
modern GRC platform can simplify compliance efforts and ensure consistency across
your organization.
Let’s take a look at the general requirements, and which common SEC forms correspond
with them:
• Once an incident has been determined to be material in nature, the organization has four
business days to report it to the SEC.
• In cases where disclosure of an incident could pose a threat to national security or public
safety, organizations will have up to 60 days to report.
• Organizations will need to be able to describe how they’re managing cyber risk. That
includes explaining how any incidents they’ve experienced have affected or altered their
overall business strategy, and proving that their board of directors is adequately involved in
and informed of cybersecurity processes.
• Organizations will need to provide information on how they choose, vet, and manage the
third-party vendors and service providers they work with.
Let’s take a look at how some common SEC forms will be changing under the new rules.
Form 10-Q/K
• Provide a summary of all disclosed incidents that occurred within the reporting
period, including any incidents that were determined to have been immaterial at the
time but have become material in aggregate
• Provide a description of the overall program and any business continuity and
recovery plans, how previous cyber incidents have led to changes to the program,
how cyber risks and incidents are impacting finances and operations, and how third-party
cyber risks are being managed
• Report which board members have cybersecurity expertise, how the board is being
informed about cybersecurity risks and risk management, how often, and how that
information informs the business’s strategy and governance
Foreign private issuers will need to make similar disclosures about material cybersecurity
incidents on Form 6-K, and about their cybersecurity risk management, strategy, and
governance on Form 20-F.
| Form | Deadline |
| --- | --- |
| 8-K for smaller organizations | 180 days after each above deadline |
Beyond the SEC’s rules, the Biden Administration is engaging in a broader push to strengthen
the United States’ cybersecurity defenses and place more of the burden for preventing cyber
attacks on the private sector, which is so often targeted by hackers and criminals. Other
federal agencies and foreign governments are pursuing similar aims. Having an effective,
modern cybersecurity risk management program will soon no longer be considered a
nice-to-have — it will be an imperative.
Whether you’re spinning up a cyber risk program from scratch or upgrading one that’s already
in place, here are some best practices for ensuring your cyber risk management operations will
be able to keep up with changing cybersecurity rules and regulations — and how to use Risk
Cloud to put them into play.
Two sure-fire ways to make complying with the new SEC cybersecurity rules a nightmare
are to leave all of your risk assessment and cybersecurity incident data strewn about your
organization in a mess of spreadsheets, or siloed away with risk owners without a process for
collecting and centralizing it all.
That’s why it’s important to develop processes and implement the tools you need to centralize
your risk, critical asset, controls, incident response and recovery, and assessment data in
one shared repository. Ideally, you’ll be able to automate this so that all of the information
is continuously being fed into that repository, ready to quickly generate reports for
SEC disclosure.
LogicGate Risk Cloud, with its flexible graph database, is an excellent tool for achieving this.
Such systems can typically integrate with your other critical business systems
to build that centralized view of assets, risks, and controls, and include robust reporting
functionality to quickly export data and generate disclosure reports.
Having a single, centralized view of your cyber risk landscape will also help you harden your
cyber defenses to avoid many incidents altogether, eliminating the need for disclosures.
Material cybersecurity incidents are events that a reasonable shareholder would consider
important in making decisions around investing in a company, or that “significantly alter
the total mix of information available.”
Insights gained from cyber risk quantification using tools like Risk Cloud Quantify can also help
organizations take stock of their cyber risk landscape, understand which threats could cause
the most harm to their business, and avoid them. Again, this can help you avoid having to make
disclosures altogether.
Having well-defined incident management processes and workflows can help you identify,
respond to, recover from, and report cyber incidents. The data that you obtain from each
incident can be used to improve these processes and inform planning for future incidents.
Thus, spending the time to build effective incident management processes can help streamline
SEC reporting to meet disclosure deadlines.
Leveraging the right modern risk management software can help you build and automate
these processes to ensure they’re effective, consistent, and able to be adjusted as conditions
change. LogicGate’s implementation or professional services teams are experts in constructing
effective compliance workflows, and can be engaged to help their clients improve their
processes based on what they’ve seen work elsewhere.
Beyond the ongoing incident disclosure requirements, a large portion of the new rules is dedicated
to improving cybersecurity governance and ensuring boards of directors are adequately informed
about cybersecurity operations and risk management across their organization.
If your board is still struggling to understand cyber risk operations at your organization — or
worse, discounting its importance altogether — it’s time to start changing that. The most
effective way to do this is to develop a common language for communicating cyber risk that
any stakeholder can relate to: money.
Cyber risk quantification also helps here, since it allows you to pin hard financial figures to
each cyber risk and paint a clear picture of the true impact it could have on the bottom line.
You can also quantify the costs of noncompliance with the SEC rules to make the case for
investing in cyber risk management programs.
LogicGate Risk Cloud includes both cyber risk quantification features and centralized,
connected data in out-of-the-box reports that can be configured to the needs of the board. Using
these features to centralize your cybersecurity risk management operations also makes it
much easier to provide at-a-glance breakdowns of what your program looks like, both to the
board and to the SEC.
No matter how bulletproof your cyber defenses and cyber risk management processes are,
your organization is only as secure as the amount of effort your third-party vendors and
service providers put into their own cybersecurity management. Ensuring third parties don’t
open doors for threat actors to infiltrate your systems comes down to how well you assess
each of them — and the SEC wants to know exactly how your organization is going about
doing so.
If you already have a third-party risk management program up and running, now is a good
time to assess it and ensure it aligns to best practices. If you don’t have a third-party risk
management program, consider standing one up. Risk Cloud’s Third-Party Risk Management
Solution can speed this process up by building custom, logic-based questionnaires to
automate vendor assessment.
Cybersecurity threats are constantly changing and evolving in response to attempts to get
ahead of them. As such, you need to always be watching for the next novel threat. Every
organization needs to have the right tools in place for constantly monitoring their cybersecurity
risk landscape to intercept cyber attacks and flag ineffective or broken controls.
The better your ability to gather real-time insights on your cybersecurity posture, the more
likely it will be that you’ll avoid or quickly respond to cyber incidents, reducing the need to file
disclosures with the SEC.
Risk Cloud supports numerous integrations with third-party vulnerability management and
cybersecurity intelligence solutions like Tenable, Black Kite, and ServiceNow. Combining these
technologies can provide a 360-degree view of your cyber risk and help you stay a step or
two ahead.
The SEC’s cybersecurity requirements will certainly not be the last cybersecurity regulations
we see from governments in the United States and globally. Make sure your team is
up-to-speed on what additional rules and regulations are on the horizon.
LogicGate’s implementation and professional services teams are also a good resource for this,
since they’re constantly adding content to Risk Cloud as new regulations and frameworks
are released. As such, they’re well-informed about what’s going on in the world of risk and
compliance. Otherwise, industry publications, news outlets, and industry thought leaders are
other good sources of this information.
Cybersecurity risk management is a team sport, and that means every single person in your
organization needs to do their part to keep your networks and assets safe and secure. That’s
why it’s important to conduct regular cybersecurity training to keep cyber risk top of mind, and
to build a healthy culture of cyber risk awareness, so cybersecurity risks don’t remain siloed
out of view until they become a problem — and the subject of an 8-K report straight to the SEC.
From cyber risk and controls compliance to incident management, third-party risk
management, and operational resiliency, LogicGate’s Risk Cloud platform includes solutions to
help you put these steps into action to navigate these new cybersecurity rules with confidence
and improve your organization’s overall cybersecurity posture.
Third-Party Risk Management
Connect vendor controls, audits, and findings for accelerated vendor onboarding and clear prioritization of third-party risks.
Risk Quantification
Quantify and communicate risk in the language every stakeholder understands — money.
Policy & Procedure Management
Centralize and automate policy creation, review, and approval processes while tracking revision history and employee acknowledgment status.
Controls Management
Avoid redundant controls and evaluations, automate evidence collection, and improve program efficiency by dynamically linking risks, controls, evaluations, and evidence.