New SEC Rules for Reporting Cybersecurity Incidents Are Coming

By Jay Pasteris, GreenPages CIO and CISO

The SEC is proposing new cybersecurity rules for public companies. GreenPages' Chief Information Officer & Chief Information Security Officer, Jay Pasteris, looks at the pros and cons of these rules and offers advice on how your company can prepare.

In February 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules to enhance and standardize cybersecurity disclosure by public companies. Cybersecurity is one of the most pressing issues facing publicly traded companies today. Recent research from Morningstar showed a company's stock price declines by almost 5% on average within 60 days of a cybersecurity incident—and often stays down for up to a year after—costing American investors and shareholders billions of dollars. So, the SEC's proposed rules were in response to the increasingly frequent, sophisticated, and costly cybersecurity attacks that unnerve investors during an already unstable economic environment. 

The SEC's goal was to mandate how public companies assess, mitigate, and oversee their cybersecurity risks internally, and then disclose "material cybersecurity incidents" externally in a consistent and comprehensive way. After a short public comment period that ended in April 2022, most executives at public companies and the registered investment firms servicing them were preparing for these new SEC rules to go into effect during spring 2023. Some executives at private firms were also preparing for how their operations might be affected in case the SEC's new rules trickled down to them, too.


However, the SEC issued separate press releases on March 15, 2023 about not only reopening the public comment period for the cybersecurity rules proposed in 2022 but also proposing some new rules "to address cybersecurity risks to the U.S. securities markets." While never mentioned by name, it's very likely the new rules for securities are the result of the added scrutiny of the banking system due to the Silicon Valley Bank failure just days before.


The SEC won't take public comments until after re-publishing the proposal to the Federal Register. However, this reopening of comments gives CISOs, CIOs, and other cybersecurity-focused business executives at publicly traded companies a chance to reexamine the SEC's regulatory proposals.


The Pros and Cons of the New SEC Cybersecurity Risk Management Rules 

Looking at the SEC's cybersecurity risk management rules originally published in February 2022, public companies must disclose:

  • The role and responsibilities of the board of directors in overseeing cybersecurity risk management 
  • The qualifications and experience of key personnel involved in cybersecurity risk management
  • The framework or standards used to assess and manage cybersecurity risks 
  • The material cybersecurity risks identified by the company and how they are prioritized 
  • The material cybersecurity controls implemented by the company to prevent, detect, respond to, and recover from cyberattacks 
  • The frequency and results of cybersecurity testing and audits 
  • The material cyber incidents experienced by the company in the past three years, including their nature, impact, response, remediation, costs, and lessons learned

The proposed rules would also require public companies to report material cyber incidents within four business days after becoming aware of them. This would reduce the current reporting lag that can leave investors in the dark about significant cyber events affecting a company's operations or financial condition. 

Here is a list of the pros and cons for public companies required to enact the proposed SEC cybersecurity rules:

Pros:

  • Businesses would be able to communicate more effectively with investors about their cybersecurity efforts and achievements
  • Businesses would be encouraged to adopt best practices for cybersecurity risk management that could enhance their resilience against cyber threats
  • Businesses would be able to leverage the SEC's guidance and feedback to improve their cybersecurity disclosure processes and quality
  • Businesses would be able to reduce the legal and reputational risks associated with inadequate or misleading cybersecurity disclosure

Cons:

  • Businesses would have to incur additional costs and resources to comply with the new disclosure requirements, such as hiring experts, conducting audits, updating systems, etc.
  • Businesses would have to disclose sensitive information that could expose them to competitive disadvantages or increased cyberattacks
  • Businesses would have to deal with more complexity and uncertainty in determining what constitutes material cybersecurity risks and incidents
  • Businesses would have to face more scrutiny and liability from regulators, investors, customers, and other stakeholders if they fail to comply with the new disclosure rules or experience cyber incidents


The SEC believes their proposed rules would benefit both investors and issuers. Investors would be able to make more informed investment decisions based on a better understanding of a company's cybersecurity risk profile. Issuers would be able to communicate more effectively with investors about their cybersecurity efforts and achievements. Moreover, issuers would be encouraged to adopt best practices for cybersecurity risk management that could enhance their resilience against cyber threats.  

Divided Opinions on the Proposed SEC Cybersecurity Risk Management Rules 

In the United States, new government rules are not created unilaterally without the consent of the governed. The public comment period is crucial for CISOs, IT leaders, and cybersecurity professionals to provide the SEC with valuable new perspectives on how regulatory proposals adversely affect businesses. 

During the first round of public comments for the SEC's proposed cybersecurity rules back in 2022, a consortium of industry associations, including the Healthcare Information and Management Systems Society (HIMSS), the Consumer Technology Association (CTA), the American Property Casualty Insurance Association (APCIA), the Professional Services Council (PSC), and 30 other groups, argued that the rules are too broad, vague, and inconsistent with other standards, and that they would impose significant costs and burdens on regulated entities. HIMSS suggested alternative approaches to enhance cybersecurity disclosure and governance without harming innovation and competitiveness, such as:

  • Aligning the SEC's definition of a "material cybersecurity incident" with existing government standards, such as those in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was signed into law less than a week before the SEC's proposed rule change was announced, or the National Institute of Standards and Technology (NIST) SP 800-61 Rev. 2, Computer Security Incident Handling Guide
  • Adopting a risk-based approach to cybersecurity disclosure that considers the materiality, severity, and impact of incidents.
  • Leveraging existing frameworks and best practices for cybersecurity governance, such as the respected NIST Cybersecurity Framework 

The US Chamber of Commerce (CoC), the Nasdaq stock exchange, the American Bar Association (ABA), and other groups warned that detailed public disclosure of a cybersecurity incident should accommodate the reasonable amount of time law enforcement needs for criminal investigations. All 50 states already have laws authorizing delayed breach notification to consumers when prompt disclosure would compromise an ongoing law enforcement investigation (and the Gramm-Leach-Bliley Act similarly authorizes delayed disclosure by financial institutions). Beyond that, these groups argued that detailed public reporting of cybersecurity incidents within just four days hands valuable intelligence to cyber criminals for conducting future successful attacks.


The SEC's proposed rules on public disclosures of cybersecurity incidents, according to a letter signed by eighteen state attorneys general, will also be burdensome to the companies in terms of systems and skills. Even large publicly traded companies with dozens of lawyers, business analysts, and other compliance professionals on staff will likely require outside consultants to recalibrate or outright build new cybersecurity incident reporting regimes. The state AGs noted that the SEC's reporting requirements "would compel public companies to gather, create, and disclose a crushing amount of information. Such disclosures far exceed any information investors reasonably need. And in reality, they would empower [the SEC] to regulate disfavored industries into oblivion." 


How You Can Prepare for the New SEC Cybersecurity Risk Management Rules

Most CISOs and business executives will agree that investors need access to reliable and relevant information about how public companies manage their cybersecurity risks and deal with cyber incidents. If you have objectively looked at the pros and cons of the SEC's proposed rules and hold strong opinions either way, then I encourage you to engage in the debate once the public comment period reopens in late March or early April 2023.

Regardless of how the public comments pan out, the top three things a CISO can do to prepare for the new SEC cybersecurity risk management rules are: 

  1. Assess your cybersecurity risk management approach – A good risk assessment will identify the gaps in your current security posture, and an assessment built on the NIST Cybersecurity Framework will likely cover the same ground as the proposed SEC rules. In conjunction with a risk assessment, your organization should conduct extensive penetration tests and tabletop exercises to see exactly how your company would handle these threats.
  2. Work with general counsel and other senior executives – By assessing the potential impact of the SEC's proposed rules with Legal, Finance, and other business groups, your organization will be better prepared to translate strategy and practices into an accurate, cohesive, and compelling narrative on the company's cyber risk management practices.  
  3. Focus on security visibility and reporting – Building systems to identify cybersecurity threats and forensically analyze breaches after the fact is crucial for companies to adhere to the SEC's new rules. Most importantly, you'll need to present that information in a way that is understandable and actionable for your internal and external stakeholders. 

Cybersecurity is not only a technical issue but also a strategic one. GreenPages can help remove concerns public companies have about the new SEC cybersecurity risk management and reporting proposal. We offer support to build and manage sustainable cybersecurity programs for regulated companies created by a GreenPages CxO as a Service expert and backed by our IT/security resources. GreenPages can also provide risk assessments, develop actionable IR playbooks, and run an advanced cybersecurity program customized for your business as a managed service.  

Contact GreenPages for a cybersecurity assessment today. 

Jay Pasteris
As CIO and CISO, Jay drives and expands GreenPages’ intellectual property and services portfolio; oversees systems security, compliance, and quality assurance; and leads the technical pre-sales and business advisory services teams. He also serves as executive sponsor and security subject matter expert to the company’s key enterprise clients. Formerly, Jay served as the CIO & CISO for the Massachusetts Medical Society / New England Journal of Medicine; senior vice president of global IT for Houghton Mifflin Harcourt; and CIO & CISO for Veracode—a Boston-based cyber security firm. Throughout his career, Jay has been responsible for leading and delivering scalable enterprise technology solutions; product engineering; global infrastructure; end user experience; and security and compliance across cloud and software as a service platforms. Jay is a highly accomplished senior business technology executive with experience in aligning technology with business strategy and driving innovation across organizations. His deep experience as a vision-driven technology leader and his history of successfully delivering enterprise technology solutions has enabled him to build high performing and results-driven technology teams that not only deliver business value, but transform organizations to excel in the digital era.
