Three requirements now govern how public company boards disclose cybersecurity oversight. The Securities and Exchange Commission adopted these rules in July 2023. Two years later, many organizations describe themselves as compliant with the SEC cyber rules. Fewer demonstrate a genuine understanding of them.
Read the full article: What Your Board Is Accountable for After the SEC Cyber Disclosure Rules.
The Three Requirements Boards Are Still Misreading from the SEC Cyber Rules
Requirement One: The Four-Day Incident Clock
The SEC requires a Form 8-K filing within four business days of a company determining that a cyber incident is material. That determination must happen without unreasonable delay after discovery.
Where boards misread this: the four-day clock starts at the determination of materiality, not at discovery of the incident. Boards without a defined materiality framework cannot make that determination quickly. Delays in determination create delays in disclosure. Delays in disclosure attract regulatory attention.
The practical implication is immediate. Every board needs a defined process for making materiality determinations about cyber incidents. That process must be documented, tested, and integrated with incident response plans before an incident occurs.
Requirement Two: Annual Governance Disclosure
Every annual Form 10-K must describe the board’s oversight of cybersecurity risk. That description must identify which committee holds oversight responsibility and explain how that committee receives information about cyber threats and incidents.
Where boards misread this: a general statement about cybersecurity governance does not satisfy the requirement. The SEC expects specific, verifiable processes. If the board receives a quarterly briefing from the CISO, that process must be described. If a committee reviews a cyber risk register, that process must be described.
Generic disclosures invite closer examination. Specific disclosures create accountability.
Requirement Three: Management Expertise Disclosure
Companies must describe management’s role and expertise in assessing and managing material cybersecurity risks. This does not require executives to hold technical certifications. It requires the company to be honest about who does what and what qualifications they bring to it.
Where boards misread this: this requirement extends beyond the CISO’s credentials. It covers how executive leadership engages with cybersecurity risk at the governance level. If the CEO delegates entirely to the CISO with no independent verification, that delegation is part of what must be disclosed.
What These Misreadings of the SEC Cyber Rules Cost
Research from Columbia Law School found that boards without cybersecurity expertise engage in symbolic oversight rather than substantive governance. Symbolic governance satisfies a disclosure requirement without managing actual risk.
That distinction matters when an incident occurs. A board that filed accurate disclosures has documented its oversight processes. A board that filed optimistic disclosures has created the foundation for a securities claim alongside the cybersecurity incident response.
The Independent Advisory Layer
Boards that read these requirements correctly take a specific action. They add an advisory layer between the internal security function and the board’s oversight responsibility.
That layer performs two functions. First, it provides an independent assessment of actual cyber risk posture, separate from what internal teams report. Second, it prepares board members to ask substantive questions rather than symbolic ones.
The difference in the questions a board asks determines the quality of the governance process it can honestly describe.
About Citanex
Citanex provides independent cybersecurity advisory to boards, executive leadership teams, and family offices. The firm’s founder, Matthew D. Ferrante, served as a US Secret Service Electronic Crimes Agent before building an advisory practice spanning $1 trillion in global assets and 109 countries.
Two services are directly relevant to the governance obligations this article describes.
Independent Assessments evaluate an organization’s actual cyber risk posture from outside the internal reporting chain. The assessment identifies gaps that internal teams cannot surface objectively, and produces findings structured for board-level review and regulatory disclosure, not just technical remediation.
Virtual C-Suite Services place qualified technology and cybersecurity executives (a fractional CIO, CISO, or COO) inside an organization on a flexible basis. For boards that need credible, independent cyber leadership reporting to them rather than to internal staff, a virtual executive provides the oversight accountability the SEC rules now require.
Citanex Seraphim™ extends that same framework to executive and family cyber protection.
Sources
U.S. Securities and Exchange Commission: SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
KPMG: SEC’s Final Cybersecurity Rules: A Board Lens
Columbia Law School (CLS Blue Sky Blog): The Gap Between Cybersecurity Oversight and Boardroom Expertise
Infosecurity Magazine: A Third of CISOs Have Been Dismissed “Out of Hand” by the Board