Request a demo

With the rapidly increasing number of cyber threats, the U.S. Securities and Exchange Commission (SEC) has released new guidelines to help public companies protect their data and investors. The new guidelines would require public companies to file periodic disclosures about their cybersecurity practices and notify the SEC within 96 hours of a material breach. Let's look at how these regulations can help protect companies from cybercrime.

The SEC's new guidelines, released in May 2022, outline a set of Disclosure Controls and Procedures (DCP) that public companies must follow when filing periodic reports. The DCP includes the company's cybersecurity risk management program, risk assessment processes, incident response plan, and cyber insurance policies. Companies must also disclose any "material" cybersecurity events that could hurt the company or its investors.

The new rules, issued by SEC Chair Gary Gensler earlier this year, replace previous guidelines on handling and disclosing cyber risk. Companies must disclose data breaches within 96 hours and information about management's and the board's oversight of cybersecurity risks, the company's cybersecurity policies and procedures, and how cybersecurity risks and incidents are likely to impact the company's financials. They also released a fact sheet to help streamline the process.

EU is in Step with the SEC

According to the Global Digital Trust Insights report from PwC, only 9 percent of the respondents feel confident that they can effectively meet all disclosure requirements — even as pressure mounts from regulators to report cyber incidents. In Europe, for instance, the European Union Agency for Cybersecurity (ENISA) requires critical service providers to report to national authorities in the event of any significant cybersecurity incident.

The U.S. Securities and Exchange Commission is considering a rule requiring publicly held companies to disclose their cyber risk management, strategy, governance, and “material” cyber incidents. Proposed U.S. Cybersecurity and Infrastructure Security Agency (CISA) rules, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) signed into law last March, would require critical infrastructure organizations to report major cyber attacks and breaches within 72 hours and report within 24 hours any ransomware payments they make.

Regulatory Drivers and Implications

Given the rising number of cyber-attacks, public companies must have robust security protocols. The new regulations help ensure that all public companies implement cybersecurity measures that meet industry standards. Additionally, they provide greater transparency for investors to make more informed decisions when investing in a company. A vital element of these new regulations is that companies must report any material breaches to the SEC within 96 hours of being discovered, not necessarily having them remediated. This transparency allows regulators to investigate any suspicious activity quickly, reducing the risk of further damage or loss. It also makes it easier for investors to assess a company's security posture before making an investment decision.

Reporting Requirements and Benefits

The new guidelines require that publicly traded companies provide periodic disclosures about their cybersecurity preparation and implementation plans and updates on any material breaches they may experience during this period. These reports will give investors an accurate picture of how well-prepared a company is to handle potential cyber threats and any vulnerabilities in its systems or networks. In addition, it allows them to gauge whether or not management is taking adequate steps to protect company assets and customer information.

5 Steps for Cyber Compliance and Transparency

  1. Enhance Your Cybersecurity Risk Management Program: Companies need to rethink their cybersecurity risk management program that identifies, mitigates, and continuously monitors the various risks associated with their systems and data. This program should include procedures to assess the severity of threats and identify appropriate actions to mitigate them.
  2. Risk Assessment Process: Organizations must implement a risk assessment process to analyze their threats and develop strategies to minimize them. Companies should also be prepared to respond quickly in case of a breach, with straightforward plans for restoring operations as soon as possible.
  3. Incident Response Plans: Companies must have an incident response plan that outlines steps they need to take in the event of a security breach. Plans should include measures to contain and mitigate the damage quickly, as well as any steps to protect customer data and notify authorities.
  4. Live-Fire Cyber Exercises for Continuous Security Improvements: Companies need to implement a continuous security improvement program that leverages live-fire exercises. Crisis response programs should create new incident response programs to consider the stages of response to a cyber breach. Crisis response programs should develop proactive steps to test, train, identify, and optimize security teams, techniques, and technology.
  5. Strategic Disclosure Program: Companies must also implement new policies to model crisis simulations that meet the 96-hour regulation and provide an investigative drumbeat to manage updates and notifications for impacted parties. This can include a description of the company's risk management program, incident response plans, and any material cybersecurity events. The SEC also requires companies to provide details of their efforts to protect customer data and other sensitive information, such as credit card numbers and Social Security numbers. For example, companies will need to demonstrate their efforts to monitor networks for intrusions and other malicious activity and the methods they use to detect unauthorized access.

By following these five steps, public companies can ensure compliance with the SEC's new cyber security disclosure regulations and protect their data and investments from cyber threats. Security has never been a one-and-done responsibility, and it must be treated as an area for continuous investment, automation, training, and improvement.


The new guidelines released by the SEC ensure that publicly traded companies take appropriate measures to protect themselves against cyber threats and investor interests. By requiring reporting obligations and timely notification requirements, these regulations will help create greater visibility into a company's preparedness against emerging cyber risks while providing investors with more confidence when deciding where to invest their money. These regulations are critical for helping maintain trust between businesses, customers, and investors alike in today's digital world.

Blog byShaun Walsh
Shaun Walsh
Shaun Walsh
Shaun Walsh is the VP of Global Marketing at SimSpace. He has spent over 20 years in senior leadership positions for leading companies in the cybersecurity, cloud computing, AI and enterprise networking industries.