Strategies to address the new SEC cyber disclosure rule (and how to do it!)

The SEC recently released a new cyber disclosure rule requiring public companies to disclose information about their cybersecurity governance practices as well as impacts associated with material cyber incidents. While they include information on what is required to be disclosed, they don’t address how organizations might design their processes and controls to accurately address those disclosure requirements. One approach may be to utilize the American Institute of Certified Public Accountants (AICPA) cybersecurity risk management framework. The framework was published in anticipation of an increased need for more organizations to disclose what their cybersecurity risk management programs look like.  

While organizations have several options for how best to address and comply with the new SEC rule, leveraging AICPA’s robust framework may prove to be the most helpful and direct approach when implementing cyber governance, oversight and risk management activities.  

Through 19 different description criteria, the AICPA framework presents a broad focus covering the entire cyber risk management governance structure — including the policies, processes and controls that tie it all together. 

The advantage of the AICPA framework is it makes you put pen to paper on this question. It forces you to think about your inherent cybersecurity risk, your cybersecurity risk governance structure and assessment process, your cybersecurity communications (and the quality of information therein), how you monitor your cybersecurity risk management program, your control processes and much, much more. 

But the true benefit of such a robust framework is that it aligns nicely with SEC disclosure requirements. The AICPA cybersecurity risk management reporting framework addresses topics consistent with the adopted SEC cyber disclosure rule, including: 

• Data security, confidentiality and availability 
• Internal and external environment 
• Laws, regulations and enforcement 
• Risk management and appetite 
• Board oversight and communication 
• Management and monitoring of cyber risk 
• Third party risk management 

In short, utilizing the AICPA framework to develop, define and optimize your cyber risk management program in accordance with the SEC disclosure rule allows you to: 

• Build a more mature program through an extensively defined framework 
• Engage independent implementation guidance 
• Lessen your known and unknown risk bias 

True, working through the AICPA framework is often a daunting process filled with tough questions — but this process and these questions help you discover a better understanding where you may need to shore things up, or dedicate further management attention, or better educate your board, or bring in different expertise at different levels to permeate through your entire organization.