Take a look at the changes we've made to our privacy policy effective May 25, 2018. By continuing on this site you agree to the terms stated in this policy

Read More Close

The Current


October 2023’s SEC cybersecurity ruling: What it means for your business

The new SEC ruling goes into effect December 15, 2023. It will require companies to report “material” cybersecurity incidents and cybersecurity risk management processes in a standardized way and according to certain timelines. Level up without the legalese →

October is Cybersecurity Awareness Month, which must have influenced the SEC (Securities and Exchange Commission) when they set the deadline for their ruling on website cybersecurity.

While the ruling mostly applies to publicly listed companies, if you’re using third-party software or vendors, a cyberattack anywhere in your tech stack or supply chain could impact you, so it’s good to be aware of this ruling’s fairly significant implications for data protection, risk management, and transparency.

The lowdown on the SEC ruling

Back in March 2022, the SEC observed that cybersecurity incidents pose an ongoing (and escalating) risk to public companies, investors, and their customers and clients.

Just think of all the changes to the digital landscape that have happened over the last handful of years:

  • digitalization of operations
  • growth of remote work
  • ability of criminals to monetize cybersecurity incidents
  • use of digital payments
  • increasing reliance on third-party service providers for IT and cloud services

Along with these risk factors, the costs of addressing cybersecurity incidents have increased, too. In 2023, the average cost of a data breach (in the US) totaled $9.48MM. [source]

Concerned about these trends and in an effort to protect American’s data, this new SEC ruling sets out to improve a) the assessment of security risks and b) the disclosure of incidents.

Key aspects of the SEC ruling (TL;DR)

Cybersecurity Risk Assessment

Public companies are now expected to conduct regular cybersecurity risk assessments and describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. They’re also required to demonstrate their board of directors’ proficiency in cybersecurity.

Disclosure of Cybersecurity Incidents

The SEC requires companies to disclose cybersecurity incidents promptly – generally speaking, within four business days. This includes breaches, data theft, ransomware attacks, or any event that impacts the organization’s operations or its investors. They’ll also be required to disclose the material impact or “reasonably likely material impact” of the incident.

Naturally, there’s a form in case of an event. (Item 1.05 Form 8-K, for all you form freaks.)

Why does it matter?

The ruling protects three key areas:

Investor Protection

Enhancing cybersecurity disclosures helps protect investors by providing a clearer picture of the risks and incidents that may affect a company’s financial health. If an investor has invested in a company that loses a chunk of money due to a cybersecurity issue, they deserve to know.

Market Confidence

Transparent cybersecurity practices contribute to market confidence. You know what doesn’t contribute to market confidence? Check any of the websites below to see just how many companies have exposed your data:

Risk Management

It compels companies to adopt a proactive approach to managing cybersecurity risks, ultimately reducing the likelihood of costly breaches which could (worst case) put a business under, expose sensitive information, and lose customers.

Where to begin?

We’ve got you. Check out our 15-step framework for building your digital fortress. But if we were to distill it down to a three-item checklist:

  1. Understand your compliance responsibility with the SEC ruling
  2. Create a cybersecurity plan and share it with your team
  3. Have a disclosure playbook in the event of a cybersecurity incident

In these digitally-oriented days, no one can afford to play roulette with the chances of a cybersecurity incident – start your compliance efforts ASAP so you can start building a track record in case you ever need to show one.

Wrapping it up:

The SEC’s ruling on cybersecurity for websites underscores the critical role cybersecurity should play in your digital strategy. No business, website, or customer is immune from a cyberattack – but everyone can prepare for them. At this point, we might as well consider digital disruptions a persistent foe that’s always lurking under the drawbridge.

We’re NOT a cybersecurity agency… but we are a senior-level, in-house team of senior-level technologists who stay current on what it takes to reduce our clients’ risk. So don’t lose sleep over cybersecurity – we’re here to help. We’ve completed cybersecurity compliance for Chipotle, ecommerce, and venture capital clients, and security is baked in to everything we do. Have questions? Reach out to aaron.copeland@voltage.com.

Disclaimer: None of the information contained in this post should be considered legal advice.

Go deeper:


VOLTAGE is a digital agency specializing in eCommerce, digital brand experiences, and web apps. Get emails and insights from our team:

Like What You Read?

Share it. Your followers will thank you.

Read More The Current

  • Cybersecurity graphic displaying a skull formed out of code and the text "system hacked"

    Cybersecurity 101: The Unofficial Guide to Building Your Digital Fortress

    In the ever-evolving landscape of digital business, establishing a robust cybersecurity practice can often feel like trying to solve a Rubik’s Cube blindfolded. We get it. The journey is challenging, and the road is often riddled with unexpected twists and turns. It’s a daunting task for businesses, big and small, to navigate the complex web of threats and defenses, all while trying to keep their doors open and lights on. However, trust me when I say, you’re not alone in this journey. In this article, my goal is to deepen your grasp of cybersecurity and empower you to take those critical first steps toward fortifying your business’s cybersecurity posture.

  • VOLTAGE Launches into eSpace

    VOLTAGE Advertising and design has completed the identity and website for The Center for Space Entrepreneurship – a unique collaboration of industry and academia accelerating the creation and development of “eSpace” companies, the commercialization of the technologies they create, and the workforce to fuel their growth.