Businesses foresee major impact from new SEC cybersecurity disclosure rules
While 98% of security professionals and executives have started working to comply with the new U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure ruling, over one-third are still in the early phases of their efforts, according to AuditBoard.
81% of respondents say the new SEC cybersecurity disclosure ruling will substantially impact their business. 54% of those, however, report being highly confident in their organization’s ability to comply with the disclosure ruling.
Companies prepare for SEC cybersecurity rules implementation
The SEC’s new cybersecurity rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure took effect on Dec. 15, 2023. These new rules mandate that publicly traded companies disclose significant cybersecurity incidents in a timely manner, along with the measures taken to address these threats. Since the final rules were announced in July 2023, companies have prepared to meet the new requirements.
Overall, 68% say the new SEC cybersecurity disclosure overwhelms them. Today, only 2% of survey respondents have yet to start the process to comply with the new ruling. However, one-third of respondents are still in the early stages of this process.
Quantifying the impact of cybersecurity incidents is the most commonly reported challenge of complying with the SEC cybersecurity disclosure ruling, as reported by 57% of those surveyed. 47% of surveyed report that updating the disclosure process is also a top challenge.
In what may seem surprising, the majority of those surveyed have some sort of understanding of their company’s cyber risk posture and risk management program, with 54% reporting a high understanding and another 39% reporting some understanding. Executives say they understand their risk posture and management program most, with 71% reporting a high understanding.
Publicly traded companies are not the only ones being impacted. The new ruling also includes high-level disclosures involving third-party vendors of these organizations. Needless to say, the requirements to comply with the new SEC cybersecurity disclosure ruling have created a ripple effect that reaches deep within these organizations and outside of them to the companies that support them.
Materiality framework boosts confidence in SEC compliance
75% of executives reported that a cybersecurity expert sits on their board. Despite this expertise, however, just 36% of security professionals and executives surveyed say that their organization has included training in cybersecurity for their board in an effort to educate them on cybersecurity practices, procedures, and risks.
Those using a materiality framework are far more confident (68%) that they can comply with the SEC mandate. 49% of those surveyed have already established processes and methodologies to fit that criteria today.
The top reported challenge in the survey was determining which actions need to be taken to comply with the SEC ruling (57%), highlighting the difficulty of discerning the precise actions required for evolving cybersecurity threats, and the complex decision-making processes required for compliance.
“Organizations have been planning for the new SEC cybersecurity disclosure rules for some time, but there is still much to be done,” said Richard Marcus, Head of Information Security at AuditBoard.
“Several points from the SEC’s guidance suggest the need for an integrated view and collaboration, including: maintaining disclosure controls and procedures, emphasizing the role of boards of directors in overseeing cybersecurity risk management, having a robust incident response program in place, among others.”
Download: Complete guide to the new SEC cybersecurity rules