
81% of Security Leaders Say SEC Cybersecurity Rules Will Affect Their Business

Published March 3, 2024

News Summary

81% of security leaders surveyed by AuditBoard predict significant impact from SEC’s new cybersecurity rules on their firms, highlighting compliance challenges.




AuditBoard, a cloud-based platform for audit, risk, compliance, and ESG management, has released the findings of a comprehensive analysis of how the SEC Cybersecurity Disclosure Rules affect companies. The research is based on a poll of over 300 executives and security experts in North America. The majority of respondents (81%) believe their firm would be significantly impacted by the recent cybersecurity disclosure rule issued by the Securities and Exchange Commission (SEC).

Only about half of respondents (54%) say they have a high level of confidence in their organization’s capacity to comply with the disclosure regulation.

A number of the SEC's guidance points highlight the need for an integrated approach and cooperation, such as upholding disclosure controls and procedures, highlighting the directors' role in supervising cybersecurity risk management, and putting in place a strong incident response program, among other things.

The SEC's new regulations on cybersecurity risk management, strategy, governance, and incident disclosure were implemented on December 15, 2023. These regulations require publicly listed organizations to promptly report significant cybersecurity events and the steps they have taken to mitigate the risks. Businesses have been preparing to comply with the new requirements since the final rules were revealed in July 2023.

Mixed State of Organizational Readiness to Meet SEC Requirements

The majority of respondents (68%) say they are overwhelmed by the recent SEC cybersecurity disclosure rules. Only 2% of poll participants have not yet begun the process of complying with the new rules. Nevertheless, a full third of those surveyed are only just getting started with this process.

Quantifying cybersecurity events (57%) and assessing incident materiality (49%) are the two most often mentioned difficulties that firms encounter while attempting to comply with the SEC cybersecurity regulation. Almost half of those polled (47%) name upgrading the disclosure procedure as one of the biggest challenges.

Some noteworthy conclusions from the analysis are as follows:

  • Surprisingly, most respondents understood their company's cyber risk posture and risk management program in some capacity, with 54% claiming a strong comprehension and another 39% having some knowledge. Among executives, 71% say they have a strong grasp of their risk posture and management program.
  • Of the CEOs surveyed, 75% said that their board included a cybersecurity specialist. Despite this, just 36% of the security experts and executives questioned indicate that their company has provided cybersecurity training to its board to inform members of the dangers, practices, and guidelines related to cybersecurity.
  • Sixty-eight percent of those that use a materiality framework are far more certain that they can meet the SEC rule. Of those asked, a little less than half (49%) have already set up procedures and techniques that meet those requirements.
  • Finding the right course of action to follow the SEC rule was the most often cited obstacle in the study (57%), underscoring the complexity of identifying the specific steps needed to address changing cybersecurity risks and the intricate decision-making processes involved in compliance.

Richard Marcus, Head of Information Security at AuditBoard, said, “Organizations have been planning for the new SEC cybersecurity disclosure rules for some time, but there is still much to be done. A number of the SEC's guidance points highlight the need for an integrated approach and cooperation, such as upholding disclosure controls and procedures, highlighting the directors' role in supervising cybersecurity risk management, and putting in place a strong incident response program, among other things.”

Report Methodology

For the "Decode the New SEC Cybersecurity Disclosure Rules" study, Ascend2 Research conducted an online poll in January 2024, in which 314 respondents provided information to AuditBoard. The respondents, security specialists working for mostly North American-based companies, represented a wide range of business sizes and industries.