SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

Learn more about the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend” states SEC Chair Garry Censler.

Indeed, the SEC’s proposed amendments and rules would take it a step further by enhancing standardized disclosure procedures related to cybersecurity risk management, strategy, governance, and incident reporting by public companies that are subject to the Securities Exchange Act of 1934.

The main component of the amendment, proposed in March of 2022, would be a requirement that mandates all public companies to disclose cybersecurity incidents within four business days once it has been determined material to the disclosing company.

This requirement contains specific additional and related conditions that are further outlined in the proposal. Hence, the new additions are meant to supplement forms 10-K and 10-Q in terms of providing investors with more timely information regarding registrants’ cybersecurity disposition.

What Does the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies Mean?

In the words of SEC Chair Gary Gensler, the “SEC disclosure regime has evolved alongside the evolving risks and investor needs”. More specifically, however, the core of the proposal is around item 1.05 dedicated to Form 8-K filing which would mandate companies to not only disclose a material cybersecurity incident within 4 business days but also provide additional details about the incidents; details such as whether the incident is ongoing, date of occurrence, whether the incident has caused data loss (including but not limited to unauthorized access, theft, and alteration of data), and whether an entity was able to remediate the incident.

Furthermore, the 106(d) Regulation S-K of the amendment to forms 10-Q and 10-K would now require companies to disclose information regarding any previous cybersecurity incidents and whether they have been determined to be material.

Another notable amendment among many would be Item 407 of regulation S-K that would mandate companies to disclose their board of director members’ cybersecurity experience, should they have any.

Additionally, the proposal would also require periodic reporting on registrants’ policies and procedures to identify and manage cybersecurity risks along with management’s role in implementing such policies and procedures. Lastly, the SEC would require all cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language.  

What Does the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Mean for Public Companies?

Cybersecurity controls have historically been out of scope from Sarbanes Oxley (SOX) testing for public companies, however, this proposed amendment may see those controls become incorporated into that testing process going forward. Internal Audit and External Auditors traditionally perform a yearly cyber interview based only on inquiry testing for several years to obtain a list of cyber initiatives and controls and then seek to determine if the organization has “experienced a breach within the past 12 months?”.  

Within SOX, this inquiry testing process will likely no longer be good enough and it is expected that companies will need to provide evidence through observations as well as detailed evidence. SOX and the auditors also require data sets (populations) to ensure completeness and accuracy.

Will companies be prepared to provide logs of cyber incidents and the way they are aggregated for materiality? This is a key point that organizations need to start thinking about.

The early indications are that organizations will need to implement key cyber controls within their SOX control framework. Companies should take the time to review the proposal, and familiarize themselves with the requirements so that discussions with auditors (both Internal and External) can be held to better understand what the expectations are likely to be. The potential impact of these rulings is likely to be far reaching and we anticipate forthcoming information relating to the final rulings, scope, and key dates in June of 2023. 

If you have any questions about the proposed rules or SOX testing for public companies, feel free to reach out to our team at [email protected].

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind. 

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at

 To learn more, visit our dedicated Cybersecurity page.


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Get the Low Down Before You Download: Exploring the Temu App’s Security Risks
Understanding SOC Report Opinions
Six-Figure Ransomware Attack Hits Washington County, PA
SOC 2 - What is ACTUALLY required?
Romance Scams: Guarding Your Heart and Wallet
Update on GLBA for Higher Ed
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.