SEC Cybersecurity Rules Will Substantially Impact Business

SEC’s new cybersecurity rules mandate that publicly traded companies disclose significant cybersecurity incidents in a timely manner, along with the measures taken to address these threats.

In a survey of more than 300 North American executives and security professionals, the majority of respondents (81%) say the new U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure ruling will substantially impact their business. Only half (54%) of those, however, report being highly confident in their organization’s ability to comply with the disclosure ruling, according to an in-depth study of the impact on businesses of the SEC Cybersecurity Disclosure Rules by AuditBoard.

The SEC’s new cybersecurity rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure went into effect on December 15, 2023. The new rules mandate that publicly traded companies disclose significant cybersecurity incidents in a timely manner, along with the measures taken to address these threats. Since the final rules were announced in July 2023, companies have been preparing to meet the new requirements.

Mixed State of Organizational Readiness To Meet

Overall, more than two-thirds of respondents (68%) say the new SEC cybersecurity disclosure overwhelms them. Today, only 2% of survey respondents have yet to start the process to comply with the new ruling. However, fully one-third of respondents are still in the early stages of this process.

The top reported challenges being faced as organizations work to comply with the SEC cybersecurity ruling are quantifying cybersecurity incidents (57%) and determining incident materiality (49%). Nearly half (47%) of those surveyed report that updating the disclosure process is also a top challenge.

Other key findings of the report include:

In what may seem surprising, the majority of those surveyed have some sort of understanding of their company’s cyber risk posture and risk management program, with 54% reporting a high understanding and another 39% reporting some understanding. Executives say they understand their risk posture and management program most, with 71% reporting a high understanding.
75 percent of executives reported that a cybersecurity expert sits on their board. Despite this expertise, however, just 36% of security professionals and executives surveyed say that their organization has included training in cybersecurity for their board in an effort to educate them on cybersecurity practices, procedures, and risks.
Those using a materiality framework are far more confident (68%) that they can comply with the SEC mandate. Just under half (49%) of those surveyed have already established processes and methodologies to fit that criteria today.
The top reported challenge in the survey was determining which actions need to be taken to comply with the SEC ruling (57%), highlighting the difficulty of discerning the precise actions required for evolving cybersecurity threats, and the complex decision-making processes required for compliance.

“Organizations have been planning for the new SEC cybersecurity disclosure rules for some time, but there is still much to be done,” said Richard Marcus, Head of Information Security at AuditBoard. “Several points from the SEC’s guidance suggest the need for an integrated view and collaboration, including: maintaining disclosure controls and procedures, emphasizing the role of boards of directors in overseeing cybersecurity risk management, having a robust incident response program in place, among others.”

Visit AuditBoard.com to read the full report.