How can managed services strengthen SEC cyber disclosures?

  • Publication
  • January 29, 2024

Now that the SEC’s cyber disclosure rules are in effect, companies are still working through their approaches to compliance. You may be a CISO tasked with getting your team up to speed quickly amid tight staffing and security budgets, emerging technology and a growing threat landscape. If you find it difficult to go it alone, integrating managed services into your cybersecurity operations can help your organization establish trust, maintain transparency and simplify future reporting obligations as they arise. 

The SEC’s final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage cyber risks. A managed services provider can quickly provide the people, processes and technology to help establish a sustainable, consistent practice and the speed to keep pace with evolving regulations. 

Filling the gaps to meet the new cyber standards

For a cybersecurity program to be truly mature, its processes need to be tested and easily repeatable so the organization can quickly determine and report whether an incident is material. A managed services provider can continuously adapt its services to give you that process consistency and integrity.

Managed services providers offer round-the-clock support and can help you scale operations and plan strategy. Yet only 25% of companies are establishing protocols with major technology providers (e.g., cloud, device manufacturers, managed services) to coordinate an incident response, according to PwC’s 2024 Global Digital Trust Insights survey. The value is not in simply using managed services; as a CISO, it lies in determining how to work effectively with a third party so that these investments deliver the desired return.

Harmonizing dozens of processes and investments as part of a larger, dynamic system can help accelerate preparation, streamline operations and maintenance, and support strategic planning. An effective managed services provider can help close capability gaps, give you better control of your technology spend and help you derive greater return on investment (ROI).

Here are a few scenarios to consider as you think through your needs:

Talent upskilling, augmentation

Large organizations may face eight to ten regulatory changes on an annual basis. Hiring additional in-house talent and bringing them up to speed to meet each challenge may be neither practical nor cost-efficient, and the ongoing cycle of various certifications can impact employee morale. Ask yourself:

  • Are we ready to fulfill new regulatory requirements? 
  • Are we creating systems and processes from scratch?
  • Do we have the capacity to run a multiyear operational system?

Retention and the commitment to continuous compliance

Ongoing economic uncertainty and budget restraints force many companies to make do. In PwC’s 2024 Global Digital Trust Insights Survey, 40% of business, technology and security executives say they plan to prioritize ongoing security training in their cyber budget over the next 12 months. The spend ranks closely behind the top three priorities in respondents’ cyber budgets:

  • Modernization of technology, including cyber infrastructure: 49%
  • Optimization of current technology and investments: 45%
  • Ongoing improvements in risk posture based on cyber roadmap: 42%

That pace of training, along with the other demands on your team’s time, may overwhelm your employees. Outsourcing repeatable, outcome-based tasks can lift the burden from strained cybersecurity professionals and free them to focus on higher-value work. It’s important to ask:

  • Are our people burning out, putting our institutional knowledge at risk?
  • Is our staff motivated to keep upskilling?

Chart. Q: Which of the following is your organization prioritizing in its cyber talent strategy over the next 12 months? (Ranked in top three)
Source: PwC’s Digital Trust Insights Surveys, Final Results, August 2023: base of 3,876

Consistent technology infrastructure and processes

The SEC cyber disclosure rule requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats. Many companies struggle with a patchwork of systems that hinders the consistent reporting needed to determine whether an incident is material. They may lack the infrastructure to generate a continuous loop of information because processes are ad hoc, technology is outdated, or both. If this sounds familiar, it may be time to consider the following questions:

  • Do our current systems and controls allow us to capture, manage and report cyber risks and incidents in time to comply with existing and new SEC requirements?
  • Are our cyber incident detection and response capabilities adequate? 

It’s not up to the managed services provider to determine whether an event is material; that decision stays with the registrant. But a provider can supply the evidence that feeds the determination and the incident report, such as when the incident was detected, which systems and data were affected, and what the response timeline looked like. Its first step would be working with the client to agree on what information is needed to make a determination and how quickly it must be delivered, since the four-business-day filing clock starts once materiality is determined. Beyond detection and incident reporting, a managed services provider can help put preventive measures in place. Vulnerability management, patch management and other risk-reduction services will become increasingly important as the stakes of a breach rise.

Expanding oversight 

In addition to issuing the final disclosure rule in July 2023, the SEC has increased its enforcement division’s focus on compliance with existing securities laws. This comes as stakeholders (consumers, investors, CEOs and boards) also demand more information about how companies manage cyber risk exposure. It’s increasingly important for the CISO to identify resources that enhance the company’s external cyber reporting capabilities.

The final rule requires that, in annual Form 10-K filings, all SEC registrants reporting under the Securities Exchange Act of 1934 describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, management’s role in assessing and managing those risks, and the board of directors’ oversight of risks from cybersecurity threats. It also requires prompt disclosure of material cyber incidents on Form 8-K within four business days of determining that an incident is material. The rule requires that materiality determination to be made without unreasonable delay after discovery of the incident, so the clock cannot be paused by deferring the analysis.

Cybersecurity program lifecycle

The lifecycle below is laid out in three tracks that mirror the rule’s three disclosure areas: material incident reporting, risk management and strategy, and governance. Each track moves through assess, build, and activate-and-maintain phases.

Track 1: Material incident disclosure

Assess
  • Assess your current security event monitoring and detection processes to confirm that your technology and processes can support disclosure of a cyber incident within four business days of determining that it is material.
Build
  • Build a robust program, one that can be tested, repeated over time and that will assist you in understanding the materiality and reporting of an incident.
  • Use tabletop exercises and simulations to stress-test your processes.
Activate and maintain (managed services)
  • Whether in-house or handled by managed services, this element requires a highly skilled workforce that is always available to detect, triage and respond to alerts.
  • Manage the monitoring program continuously to provide support for investigating and reporting as required.

Effective date: Material incident disclosure requirements are effective as of December 18, 2023. Smaller reporting companies have a 180-day deferral.

Advantage: A well-managed security operations program helps establish trust when a material incident is reported in a timely manner.

Track 2: Risk management and strategy

Assess
  • Assess the current state of your program by conducting a risk assessment.
  • Identify the core components essential for reporting if and when an incident happens.
Build
  • Leverage technology to drive implementation and enforcement of policy and track exceptions.
  • Develop a scalable reporting and metrics program for management and the board.
  • Develop a materiality, disclosure and controls framework to establish reporting thresholds and processes for risks and incidents.
Activate and maintain (managed services)
  • Management and maintenance of these elements is critical not only for ROI but also for transparency.
  • Maintain the risk register and risk mitigation plans in collaboration with other business units.
  • Conduct ongoing reassessments at defined checkpoints.
  • Maintain policies, procedures and standards on an ongoing basis.
  • Maintain controls mapping and testing against regulatory standards.
  • Maintain the GRC/reporting platform on an ongoing basis, share reports, KPIs and KRIs.

Effective date: Disclosures for risk management and strategy are effective for all registrants for fiscal years ending on or after December 15, 2023.

Advantage: A fully operational cybersecurity program offers confidence to investors and regulatory bodies and helps reduce the effort required to comply with reporting requirements.

Track 3: Governance

Assess
  • Determine how the board will govern cybersecurity risks and whether the board should pursue any members with specific cybersecurity experience to serve on the board.
Build
  • Develop disclosure controls and procedures.
  • Develop processes to review and submit cybersecurity disclosure statement(s).
  • Implement and test the aforementioned processes.
Activate and maintain (managed services)
  • Leverage a well-defined and functional metrics and reporting platform to maintain the disclosure reporting process.
  • In addition, after every 8-K filing, update the risk reporting and triage process, remediation playbooks and procedures.

Effective date: Governance disclosures are effective for all registrants for fiscal years ending on or after December 15, 2023.

Advantage: A mature program reporting consistent KPIs and KRIs shows investors and regulatory bodies that both leadership and the board have visibility into and oversight of the program.


In a nutshell

SEC’s disclosure requirements for public companies:

Material incident disclosure (Form 8-K, Item 1.05)

Report “material” cybersecurity incidents on a Form 8-K within four business days of the materiality determination. The determination itself must be made without unreasonable delay after discovery of the incident. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.

Describe the material aspects of the nature, scope and timing of the incident and the material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. To the extent required information is not determined or is unavailable at the time of the filing, the 8-K should say so, and it should later be amended (on Form 8-K/A) once the information is determined or becomes available.

Materiality determination should be based on federal securities law materiality, including consideration of quantitative and qualitative factors.

Effective dates: The material incident disclosure requirements are effective as of December 18, 2023. Smaller reporting companies have a 180-day deferral.

Risk management and strategy (Regulation S-K, Item 106(b))

Describe the company’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including:

  • Whether and how those processes are integrated into the overall risk management program, whether the company engages assessors, consultants, auditors or other third parties in connection with them, and the processes it uses to oversee and identify risks from the use of third-party service providers.

  • Whether any risks from cybersecurity threats, including as a result of previous incidents, have materially affected or are reasonably likely to materially affect the registrant’s business strategy, results of operations or financial condition.

Effective dates: Disclosures for risk management, strategy and governance are effective for all registrants for fiscal years that ended on or after December 15, 2023.

Governance (Regulation S-K, Item 106(c))

Describe the company’s governance of cybersecurity risks as it relates to:

The board’s oversight of cybersecurity risk, including identification of any board committee or subcommittee responsible for oversight and the process by which they are informed about cyber risks.

Management’s role and expertise in assessing and managing material cybersecurity risk and implementing cybersecurity policies, procedures and strategies.

Specific disclosure of any management positions or committees responsible for assessing and managing cyber risks, including discussion of their relevant expertise.

Effective dates: Disclosures for risk management, strategy and governance are effective for all registrants for fiscal years that ended on or after December 15, 2023.

Bottom line

Cybersecurity is often addressed episodically, when an audit occurs or a breach happens, rather than continuously. With each new regulation, some organizations stand up a separate team to address it; those silos leave gaps in coverage that bad actors can exploit and narrow your ability to build transparency and confidence with employees and consumers. Responding in bursts rather than persistently is like locking the front door and leaving the back door open. Working with a managed services provider can support the continuous compliance needed to build stakeholder confidence and trust.

The role of the CISO and the security team is increasingly vital to the organization. By strategically integrating managed services into your operations, you have an opportunity to foster a culture of continuous improvement in cybersecurity. This means taking a top-down approach and investing in the resources and support needed to safeguard against threats and vulnerabilities, report with confidence and run a mature operating program. The SEC’s cyber disclosure rule is your opportunity to get ahead of the next regulatory update by working closely with a managed services provider.

Contact us

Mihir Mistry

Managed GRC Leader, PwC US
