Last month the US Securities and Exchange Commission released several new and updated rules, including Title 17 Chapter II Part 229 Subpart 229.100 § 229.106, generally known as “Reg S-K Item 106”. From June 15, 2024, at the latest, earlier for larger firms, Item 106 requires all SEC-registered companies to disclose their cybersecurity risks and cyber risk management processes and tools, IT governance structure, how they assess the cyber security of their third-party providers like Google and Microsoft, and detail any cyber incidents they have experienced.

While Item 106 is optional for our Exempt Reporting Advisor clients (and for most private companies) Hybridge recommends that all clients consider working with us to complete an Item 106 audit and disclosure for internal governance and review purposes.

An Item 106 audit and disclosure process discusses and answers questions including:

  • What data and applications do we really care about?
  • What are our biggest cyber risks?
  • Do we have appropriate policies, processes, and tools to mitigate these risks?
  • Do our third-party providers have appropriate security in place to protect our data?
  • Do we have the right technical protections in place and active (e.g., encryption, backups, training, 2-factor, need-to-know permission, MDM)
  • How do we ensure our company leadership understands our risks and agrees we are doing enough to mitigate the risks that they care about?

Hybridge has created a template and work process for an Item 106 Cybersecurity Audit and Disclosure, we are currently using this with our Registered Investment Advisor clients, and we encourage all clients to consider contacting us to go through this internal assessment with us. The cost is generally a few hours of consulting time, which is a small fraction of what a cyber breach could cost you. We protect you from a technical perspective, but only you know what data and applications are critical for your business and your customers.

Share this blog: