Strategies to address the new SEC cyber disclosure rule (and how to do it!)
Sept. 6, 2023 · Authored by Jeff Krull, Joe Shusko, Jim Kearney
A new SEC cyber disclosure rule requires public companies to disclose information about their cybersecurity governance practices as well as the impacts of material cyber incidents. While the rule specifies what must be disclosed, it does not address how organizations should design the processes and controls needed to produce accurate disclosures. One approach is to use the American Institute of Certified Public Accountants (AICPA) cybersecurity risk management framework. The framework was published in anticipation of a growing need for organizations to describe what their cybersecurity risk management programs look like.
While organizations have several options for addressing and complying with the new SEC rule, leveraging the AICPA's robust framework may prove to be the most helpful and direct approach when implementing cyber governance, oversight and risk management activities.
Through 19 different description criteria, the AICPA framework presents a broad focus covering the entire cyber risk management governance structure — including the policies, processes and controls that tie it all together.
The advantage of the AICPA framework is that it makes you put pen to paper and document your program. It forces you to think about your inherent cybersecurity risk, your cybersecurity risk governance structure and assessment process, your cybersecurity communications (and the quality of the information in them), how you monitor your cybersecurity risk management program, your control processes and much more.
But the true benefit of such a robust framework is that it aligns nicely with SEC disclosure requirements. The AICPA cybersecurity risk management reporting framework addresses topics consistent with the adopted SEC cyber disclosure rule, including: