AuditBoard, a cloud-based platform for audit, risk, compliance, and ESG management, has released the findings of a comprehensive analysis of how the SEC Cybersecurity Disclosure Rules affect companies. The research is based on a poll of over 300 executives and security experts in North America, and the majority of respondents (81%) believe their firm would be significantly impacted by the recent cybersecurity disclosure rule issued by the Securities and Exchange Commission (SEC).
Just over half of respondents (54%) say they have a high level of confidence in their organization’s capacity to follow the disclosure regulation.
A number of the SEC’s guidance points highlight the need for an integrated approach and cooperation, such as upholding disclosure controls and procedures, emphasizing the directors’ role in supervising cybersecurity risk management, and putting in place a strong incident response program, among other things.
December 15, 2023, saw the implementation of the SEC’s new cybersecurity regulations on cybersecurity risk management, strategy, governance, and incident disclosure. These new regulations require publicly listed organizations to promptly report significant cybersecurity events and the steps they have taken to mitigate the risks. Ever since the final guidelines were revealed in July 2023, businesses have been getting ready to comply with the new specifications.
The recent SEC cybersecurity disclosure rules have reportedly overwhelmed a significant proportion of respondents (68%). A mere 2% of those polled have yet to begin the process of compliance with the new law. Yet a whole third of these participants are still in the early stages of this process.
The challenges that firms report encountering while trying to comply with the SEC cybersecurity regulation are quantifying cybersecurity events (57%) and ascertaining the seriousness of an incident (49%). Almost half of the respondents (47%) consider revising the disclosure procedure to be one of the most difficult challenges.
A few noteworthy conclusions from the survey are as follows:
Richard Marcus, the Head of Information Security at AuditBoard, indicated that there is still plenty of work to be done even though organizations have been making preparations for the new SEC cybersecurity disclosure rules. Some of the key recommendations from the SEC that he highlighted include maintaining disclosure controls and procedures, emphasizing the role of directors in managing cybersecurity risk, and establishing a robust incident response program, among others.
For the “Decode the New SEC Cybersecurity Disclosure Rules” study, Ascend2 Research conducted an online poll in January 2024, in which 314 respondents provided information to AuditBoard. The respondents, security specialists working for mostly North American-based companies, represented a wide range of business sizes and industries.