How medtech can comply with new SEC cyber disclosure rule

  • Blog
  • November 13, 2023

Sarat Mynampati

Principal, PwC US


Denis Jacob

Managing Director, PwC US


Recent cybersecurity regulations from both the SEC and the FDA give medtech organizations an opportunity to build trust with their stakeholders, safeguard their brands, and protect their customers and, more importantly, their patients. By proactively mitigating cybersecurity risk, medtech organizations can demonstrate their commitment to safety and trust.

What is the SEC cyber disclosure rule?

The Securities and Exchange Commission (SEC) adopted its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023 (sec.gov). The new disclosure requirements take effect in mid-December 2023: a registrant must report a cybersecurity incident on Form 8-K within four business days of determining that the incident is material, and must describe its cyber risk management, strategy and governance in its annual report. The four-business-day clock starts at the materiality determination, not at detection, so the process for reaching that determination, and the evidence it relies on, is what the rule effectively puts under review.

What does this mean for the medtech industry?

The medtech industry has its own challenges that it must address in order to meet the SEC cyber requirements:

  • Legacy systems and products: Medtech devices often run on legacy software and may never have received regular updates. Countless devices in the field contain software that is several generations behind and no longer supported, which makes vulnerability triage and incident scoping far harder than for ordinary IT assets.
  • Network segmentation as the historic safeguard: The common approach to protecting devices sold to health systems and providers has been either network segmentation or simply not enabling the devices’ networking features. Segmentation reduces exposure but does not fix vulnerabilities in the device itself, and it depends on the customer’s network configuration rather than the manufacturer’s.
  • Dispersed locations: Many of these devices are not housed in a traditional data center but at numerous points of care throughout medical centers and doctors’ offices, giving more parties physical and network access to the devices.
  • Connected devices: Increasing consumerization of healthcare often leads to both increased direct patient/customer involvement and an increase in the number of connected devices.
  • Enterprise governance and operating model: Key functional teams, including IT, Information Security and Product Development, often operate independently, leaving gaps in the cyber risk strategy.
  • M&A activity: The medtech industry has undergone significant consolidation in recent years, which can create an incoherent product ecosystem with inconsistent security baselines across acquired product lines.

Considerations to help you comply with the SEC cyber rule

Medtech companies have a responsibility to remain patient-centric while complying with regulations related to their devices. Against this backdrop, medtech organizations should prioritize their cyber efforts and reporting, starting with a readiness assessment across the following areas:

1. Enterprise governance model: Organizations should assess whether their governance and associated procedures are up to date and effective, including who decides that an incident is material and on what evidence. A regular cadence for review and revision should be established.

2. Establishing a stronger security posture through:

  • Security risk management (e.g., threat modeling, cybersecurity risk assessments, interoperability, third-party components)
  • Defense-in-depth security architecture that considers controls across various cyber domains.
  • Secure product development framework
    • Organizations should design their products from the onset to incorporate security alongside safety as a key consideration.
  • Assessment and review: Continuously assess and review effectiveness of risk management program.

3. Continuous logging, monitoring and incident response:

  • Continuous logging and investigation into anomalies
  • Regular cybersecurity testing to assess various threats levels and the organization’s response effectiveness
  • Automate the process for accelerated monitoring and response

4. Traceability: Traceability of both equipment used internally and equipment in the field (e.g., devices the organization has sold), including the software components in each product. Without an accurate inventory and software bill of materials, an organization cannot quickly determine which products a newly disclosed vulnerability or an incident affects, which is exactly the question the disclosure deadline forces it to answer.

5. Modernization:

  • Modernize security of devices
  • Establish timeline on sunsetting legacy devices

6. Testing and training: The complexity of both cybersecurity threats and the industry’s products is constantly increasing.

  • Organizations should work with their employees so they can remain up to date on the threats and product ecosystem.

7. Industry collaboration: Engage closely with health systems to help:

  • Secure products
  • Modernize and update the security of devices
  • Increase adoption of automatic updates
  • Remove or trade in legacy devices whose software is no longer supported
  • Detect vulnerabilities in real time

PwC is here to help

Cyber threats can lead to medtech business and supply chain disruption for end users and jeopardize patient trust, quality and safety. The sector should work to proactively navigate this changing landscape and help protect organizations and patients through effective cybersecurity practices.
