A lot has been discussed about the new SEC requirement to file a Form 8-K within 4 days of determining that a cyber incident is material, but not much has been said about the new cyber component of the regular 10-Ks and 10-Qs. The SEC updated the cyber statement requirements for these 10-Ks and 10-Qs in 2024.
What are the SEC 10-Ks and 10-Qs?
A 10-K is a comprehensive report filed annually by a publicly traded company about its financial performance and is required by the U.S. Securities and Exchange Commission (SEC).
Information required in a 10-K includes its history, organizational structure, financial statements, earnings per share, subsidiaries, executive compensation, and any other relevant data.
The Form 10-Q includes unaudited financial statements and provides a continuing view of the company’s financial position during the year. The report must be filed for each of the first three fiscal quarters of the company’s fiscal year.
What is the cyber component update for the 10-Ks?
The SEC proposes to amend Form 10-K to require disclosure of an enterprise's cybersecurity risk management systems. The update also specifies that the enterprise include in the 10-K its methods for identifying, assessing, and managing those risks. This of course means the general policy, but it now also implies that enterprises must be more detailed about the people, practices and tools they use.
Itemized, the 10-K should include: (Credit: Sidley Privacy and Cybersecurity update)
- The enterprise has a cybersecurity risk assessment program
- The enterprise engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program
- The enterprise has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider
- The enterprise undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents
- The enterprise has business continuity, contingency, and recovery plans in the event of a cybersecurity incident
Cyber Incidents: Overview Required in 10-Ks and 10-Qs
In the updated rule, the SEC mandates that previous "material" cybersecurity incidents over the covered timeframe be detailed. The information should include what the enterprise has updated in its governance, policies and procedures, or technologies.
This means the hacks over the previous year and quarter that are deemed material events should be detailed, not only in their occurrence but also in the updates to practices, policies and procedures made to ensure minimal damage from these types of events.
Identity Governance and the Cyber Component of the 10-Ks
As stated above, the enterprise is required to detail its risk assessment and risk management practices, procedures and people. Identities are the cyber component most at risk in the enterprise. Thus, for any enterprise to be secure, it must have an identity governance program to monitor the users granted access to key resources.
The practice and procedure updates should be noted in the 10-Ks.
In addition, any reporting of a cyber incident should include information on how the enterprise has improved its identity governance and oversight of its identities to guard against future manipulation. Identity discoveries and reviews of affected identity resources are also always recommended after a breach involving identities.
YouAttest for Improved Identity Governance:
YouAttest provides the fastest time-to-value identity governance solution in the marketplace. It is the missing piece in the governance program of most enterprises.
With YouAttest enterprises can:
- Automate their access reviews on key resources
- Ensure that only the designated users have access
- Enforce the “Principle of Least Privilege”
- Stop “Privilege Creep” across accounts
- Identify ghost and orphan accounts
And after the breach:
- Run an "Access Discovery" on relevant resources to determine both privilege changes and privileges that are excessive or overly permissive.
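To make the post-breach "Access Discovery" concrete, here is an added example (not YouAttest code, and not the product's method) that compares a current entitlement snapshot against a pre-incident baseline and an HR roster to surface orphan accounts, new grants, and entitlements outside a role's least-privilege policy. The roster, snapshots and ROLE_POLICY below are all constructed for illustration.

```python
# Added example, not YouAttest code: a minimal post-incident access discovery.
# All data is constructed; in practice the snapshots come from the IAM/IGA export.

# Entitlements each role is allowed to hold (constructed least-privilege policy).
ROLE_POLICY = {
    "engineer": {"repo:read", "repo:write"},
    "finance": {"ledger:read", "ledger:write"},
    "contractor": {"repo:read"},
}

# Active HR roster (user -> role). "jdoe" has left but still has an account.
ROSTER = {"asmith": "engineer", "bchen": "finance", "cpatel": "contractor"}

# Pre-incident baseline snapshot of entitlements per account.
BASELINE = {
    "asmith": {"repo:read", "repo:write"},
    "bchen": {"ledger:read", "ledger:write"},
    "cpatel": {"repo:read"},
    "jdoe": {"repo:read"},
}

# Snapshot collected after the incident.
CURRENT = {
    "asmith": {"repo:read", "repo:write"},
    "bchen": {"ledger:read", "ledger:write", "repo:write"},  # grant outside role
    "cpatel": {"repo:read", "repo:write"},                    # privilege creep
    "jdoe": {"repo:read", "iam:admin"},                       # orphan gained admin
}


def access_discovery(roster, baseline, current):
    """Return the findings an access review must act on."""
    findings = {"orphan": [], "new_grants": {}, "excess": {}}
    for user, ents in current.items():
        role = roster.get(user)
        if role is None:
            findings["orphan"].append(user)  # no active owner in the HR roster
        added = ents - baseline.get(user, set())
        if added:
            findings["new_grants"][user] = sorted(added)  # changed since baseline
        allowed = ROLE_POLICY.get(role, set())  # orphans are allowed nothing
        excess = ents - allowed
        if excess:
            findings["excess"][user] = sorted(excess)  # beyond least privilege
    return findings


if __name__ == "__main__":
    for kind, result in access_discovery(ROSTER, BASELINE, CURRENT).items():
        print(f"{kind}: {result}")
```

Each finding maps to an action in the review: disable orphans, re-certify or revoke new grants, and trim entitlements outside the role policy.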
Image #2: YouAttest automates the user and admin access reviews crucial for security and compliance – and creates the evidence of a completed user access review for compliance.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO into your existing IAM platforms. Contact us to learn how YouAttest can automate your access review process and help your enterprise improve its identity governance program for security and SEC compliance.