ICE for Public Companies
Public companies must adapt to these new standards or face regulatory consequences.
Governance
The SEC’s cybersecurity rule, effective December 18, 2023, introduces specific governance requirements for public companies:
- Board Oversight: Companies must have board members qualified to understand cybersecurity risks.
- Risk Management: Cyber risk must now be integrated into business strategy, financial planning, and capital allocation.
- Disclosure: Annual 10-K filings must include statements regarding the company’s cybersecurity program.
Cyber Incident Reporting
Significant changes to incident response requirements have been mandated by the SEC, including:
- Monitoring and Detection: Companies must have teams, processes, and tools in place for continuous security event monitoring.
- Incident & Crisis Response: Teams, processes, and tools must be established to manage and respond to incidents effectively.
- Materiality: Defined criteria are required to assess the materiality of cybersecurity incidents.
- Reporting: Companies must maintain an incident register and file an 8-K statement within four days of discovering a reportable incident.
Cyber Risk Management
To comply with these requirements, public companies must adopt a comprehensive cybersecurity risk management strategy that the board regularly reviews, including:
- Cybersecurity Risk Management Program: A documented plan detailing the team, processes, tools, and metrics used to manage cyber risk.
- Enterprise Risk Assessment: Companies must conduct an annual risk assessment, ideally following a recognized cybersecurity framework like CIS or NIST.
- Policies and Procedures: Written cybersecurity policies and standards are now required; informal or undocumented practices are no longer acceptable.
- Monitoring and Reporting: Cybersecurity teams must regularly report on the company’s cybersecurity posture and overall resilience.
Why Partner with ICE?
At ICE, we bring decades of experience working with public companies. From Sarbanes-Oxley requirements to the latest SEC Cybersecurity Rule, our team, processes, and tools are designed to meet regulatory standards while providing practical, cost-effective solutions. Let us help you navigate these new requirements and manage cyber risk effectively.