Understanding the 2024 Cybersecurity Disclosure (CYD) Taxonomy
To improve transparency around cybersecurity incidents, the SEC has finalized a cybersecurity disclosure taxonomy. Although less stringent than the original proposal, the rule imposes new responsibilities on public companies to evaluate and report cybersecurity risks. Compliance now extends beyond IT: SEC reporting, audit, risk management, and Environmental, Social, and Governance (ESG) teams must work together to meet the updated standards.
What the SEC Cybersecurity Rule Requires
The SEC’s cybersecurity rule requires companies to disclose significant cybersecurity incidents promptly. Specifically, an incident determined to be “material” must be disclosed within four business days of that determination. The SEC does not prescribe how long a company may take to reach the materiality determination, but it stresses that the determination must be made “without unreasonable delay.”
The rule also requires reporting on management’s cybersecurity responsibilities, although it does not mandate board members to have specific cybersecurity expertise.
The original compliance deadlines were staggered by company size: larger filers had to comply first, while smaller companies were given extended deadlines. Going forward, organizations are expected to keep their compliance measures aligned with these requirements.
The rule covers four key areas:
- Incident Disclosure: Within four business days of determining that an incident is material, companies must file a Form 8-K describing the nature, scope, and timing of the incident and its potential impacts. The one exception allows the filing to be delayed if the U.S. Attorney General determines that disclosure would pose a substantial risk to public safety or national security.
- Risk Management: Companies must outline their cybersecurity risk management policies and procedures, along with the management’s role in implementing them.
- Governance: Companies now need to disclose the cybersecurity experience and responsibilities of their management team, although they are not required to provide details on the board’s expertise.
- XBRL Tagging: Beginning one year after a company becomes subject to the disclosure requirement, its cybersecurity disclosures must be tagged in Inline XBRL so that the data is machine-readable and more accessible.
Cross-Functional Coordination
Cybersecurity incidents can disrupt operations, damage reputations, and hurt financial results, so close teamwork across departments is essential. The new rule underscores the need for coordination among legal, IT, audit, risk, and ESG teams. Companies also need to assess their vendors’ cybersecurity practices, because a breach of a third-party system can have serious consequences for their own operations and may itself require disclosure.
Strengthening Your Cybersecurity Program
The SEC rule encourages companies to enhance their cybersecurity practices. Here are some steps to consider:
- Add Security Layers: Multi-factor authentication (MFA) adds an extra layer of protection that makes unauthorized access significantly harder. Regularly test breach-detection capabilities so that intrusions are caught and contained early.
- Evaluate Vendor Risks: Make sure your vendors have strong cybersecurity standards. Choose cloud providers that offer integrated security and confirm that vendors will alert you immediately if they experience a security breach.
- Integrate Governance and Compliance: Incorporate cybersecurity into ESG goals to align with company values. Regular risk checks within your Enterprise Risk Management (ERM) process help spot new threats and stay compliant.
- Develop Incident Management Controls: Clear incident controls enable fast, compliant responses, reduce disruption, and demonstrate resilience in today’s threat environment.
- Regular Audits: Conduct audits on a regular schedule to keep cybersecurity protocols up to date and to identify areas for improvement.
Best Practices for Cybersecurity Governance
Strong cybersecurity starts with clear policies, defined roles, and alignment with the company’s business goals. Here’s how businesses can improve their governance:
- Align with Business Goals: Make sure cybersecurity efforts match the company’s goals and risk tolerance, with management backing these initiatives.
- Regular Risk Assessments: Frequent risk checks within your ERM process help spot and prioritize potential threats.
- Clear Policies and Response Plans: Develop and regularly update data protection policies and incident response plans to stay ready for quick, effective action if a breach occurs.
- Continuous Monitoring: Early detection is crucial. Set up continuous monitoring and conduct regular vulnerability assessments to keep defenses strong and adaptable.
- Track Key Performance Indicators (KPIs): Use KPIs to measure program effectiveness and report to management regularly to get a clear view of areas needing improvement.
Conclusion
The SEC’s CYD taxonomy highlights the need for transparency and resilience across public companies. Compliance requires comprehensive governance, well-established incident management, and collaboration across departments. With cybersecurity incidents on the rise, companies must be prepared to disclose material events promptly and to maintain controls that mitigate and manage risk.
DataTracks provides secure XBRL tagging solutions to help companies meet these requirements more easily, improve data access for stakeholders, and streamline the reporting process.