While the vast majority agree that the SEC’s
The new rules, approved last year (
The new rules also require entities to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including those from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Registrants are also required to describe the board of directors’ oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
A recent survey of cybersecurity professionals and executives from audit solutions provider
This could be due to the slower pace of preparations. The survey found that fewer than half (48%) of organizations have performed a gap assessment to determine what needs remediation to comply. In fact, 18% are still trying to understand the rule and its requirements; 16% said they have a plan to comply but have yet to implement it, and 38% have only started implementation. At this point, only 26% said they have fully implemented their plan and are prepared to comply. Few, only 2%, said they have not started at all.
The top reported challenges being faced as organizations work to comply with the SEC cybersecurity ruling are quantifying cybersecurity incidents (57%) and determining incident materiality (49%). Nearly half (47%) of those surveyed report that updating the disclosure process is also a top challenge.
“Organizations have been planning for the new SEC cybersecurity disclosure rules for some time, but there is still much to be done,” said Richard Marcus, head of information security at AuditBoard. “Several points from the SEC’s guidance suggest the need for an integrated view and collaboration, including: maintaining disclosure controls and procedures, emphasizing the role of boards of directors in overseeing cybersecurity risk management, having a robust incident response program in place, among others.”
Organizations are not completely unprepared, however. The survey also found that 54% have a high understanding of their cyber risk posture and security program. Further, 75% of executives reported that a cybersecurity expert sits on their board.
Despite this expertise, however, just 36% of security professionals and executives surveyed say that their organization has included training in cybersecurity for their board in an effort to educate them on cybersecurity practices, procedures, and risks.