Cybersecurity for Public Companies

ICE for Public Companies

Publicly traded companies in the U.S. have distinct cybersecurity requirements, from pre-IPO preparation and initial filings to ongoing governance and compliance. With recent SEC rule changes, cybersecurity is now a mandated focus area.

Public companies must adapt to these new standards or face regulatory consequences.

Governance

The SEC’s cybersecurity rule, effective December 18, 2023, introduces specific governance requirements for public companies:

  • Board Oversight
    Companies must have board members qualified to understand cybersecurity risks.

  • Risk Management
    Cyber risk must now be integrated into business strategy, financial planning, and capital allocation.

  • Disclosure
    Annual 10-K filings must include statements regarding the company’s cybersecurity program.

Cyber Incident Reporting

Significant changes to incident response requirements have been mandated by the SEC, including:

  • Monitoring and Detection
    Companies must have teams, processes, and tools in place for continuous security event monitoring.

  • Incident & Crisis Response
    Teams, processes, and tools must be established to manage and respond to incidents effectively.

  • Materiality
    Defined criteria are required to assess the materiality of cybersecurity incidents.

  • Reporting
    Companies must maintain an incident register and file an 8-K statement within four days of discovering a reportable incident.

Cyber Risk Management

To comply with these requirements, public companies must adopt a comprehensive cybersecurity risk management strategy that the board regularly reviews, including:

  • Cybersecurity Risk Management Program
    A documented plan detailing the team, processes, tools, and metrics used to manage cyber risk.

  • Enterprise Risk Assessment
    Companies must conduct an annual risk assessment, ideally following a recognized cybersecurity framework like CIS or NIST.

  • Policies and Procedures
    Written cybersecurity policies and standards are now required; informal or undocumented practices are no longer acceptable.

  • Monitoring and Reporting
    Cybersecurity teams must regularly report on the company’s cybersecurity posture and overall resilience.

Why Partner with ICE?

At ICE, we bring decades of experience working with public companies. From Sarbanes-Oxley requirements to the latest SEC Cybersecurity Rule, our team, processes, and tools are designed to meet regulatory standards while providing practical, cost-effective solutions. Let us help you navigate these new requirements and manage cyber risk effectively.
