A recent study conducted by AuditBoard revealed that while 98% of security professionals and executives have already taken steps to comply with the new U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure ruling, more than one-third are still in the early stages of their efforts. This finding underscores the significant impact that the new SEC regulations are having on businesses across various industries.
The SEC’s new cybersecurity rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure went into effect on December 15, 2023. These rules require publicly traded companies to disclose significant cybersecurity incidents promptly and outline the measures they have implemented to address these threats. Since the announcement of the final rules in July 2023, companies have been working diligently to ensure compliance with the new regulations.
According to the study, 81% of respondents anticipate that the new SEC cybersecurity disclosure ruling will have a substantial impact on their business operations. Despite this, 54% of those surveyed expressed high confidence in their organization’s ability to meet the requirements set forth by the SEC.
One of the most commonly reported challenges in complying with the SEC cybersecurity disclosure ruling is quantifying the impact of cybersecurity incidents, as cited by 57% of survey participants. Additionally, 47% of respondents highlighted the challenge of updating their disclosure processes to align with the new regulations.
Interestingly, the study also revealed that a majority of respondents have a good understanding of their company’s cyber risk posture and risk management program. Specifically, 54% reported a high level of understanding, while 39% indicated some understanding. Notably, executives demonstrated the highest level of comprehension, with 71% reporting a high understanding of their organization’s risk posture and management program.
Furthermore, the impact of the new SEC cybersecurity disclosure ruling extends beyond publicly traded companies to include disclosures related to third-party vendors. This broader scope underscores the far-reaching implications of the new regulations and the need for comprehensive compliance efforts throughout the business ecosystem.
Despite the expertise of cybersecurity professionals sitting on company boards (reported by 75% of executives), only 36% of respondents stated that their organization had provided cybersecurity training for their board members. This discrepancy highlights the importance of educating board members on cybersecurity best practices, procedures, and risks to enhance overall security posture.
The study also found that organizations using a materiality framework are more confident in their ability to comply with the SEC mandate, with 68% expressing confidence. Additionally, 49% of respondents have already established processes and methodologies aligned with the criteria outlined in the materiality framework.
Richard Marcus, Head of Information Security at AuditBoard, emphasized that substantial work remains to ensure compliance with the new SEC cybersecurity disclosure rules. He underscored the importance of an integrated view and cross-functional collaboration within organizations, pointing to key SEC guidance on disclosure controls, board oversight of cybersecurity risk management, and the implementation of robust incident response programs. The path to full compliance with the SEC regulations is ongoing, with many organizations still working to meet evolving cybersecurity challenges and regulatory requirements.