SEC cyber rules will have wide impact but many uncertain they can comply

While the vast majority agree that the SEC’s new cybersecurity disclosure rules will affect them significantly, fewer are confident they can actually comply with them.

The new rules, approved last year (see previous story), expand what registrants are required to report about their IT security. In general, a registrant that experiences a cybersecurity incident must now determine whether the incident is material, and if so, it must report it under the new Item 1.05 of Form 8-K within four business days of that materiality determination. On this form, the registrant must describe the material aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.

The new rules also require entities to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including those from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Registrants are also required to describe the board of directors’ oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

A recent survey of cybersecurity professionals and executives by audit solutions provider AuditBoard found that a large majority of respondents (81%) say the new U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure rules will substantially affect their business. Only about half (54%), however, report being highly confident in their organization's ability to comply with them.

This gap could be due to the slow pace of preparations. The survey found that fewer than half (48%) of organizations have performed a gap assessment to determine what needs remediation in order to comply. In fact, 18% are still trying to understand the rules and their requirements, 16% have a plan to comply but have yet to implement it, and 38% have only started implementation. At this point, only 26% say they have fully implemented their plan and are prepared to comply, while 2% say they have not started at all.

The top challenges organizations report as they work to comply with the SEC cybersecurity rules are quantifying cybersecurity incidents (57%) and determining incident materiality (49%). Nearly half (47%) of those surveyed also name updating the disclosure process as a top challenge.

“Organizations have been planning for the new SEC cybersecurity disclosure rules for some time, but there is still much to be done,” said Richard Marcus, head of information security at AuditBoard. “Several points from the SEC’s guidance suggest the need for an integrated view and collaboration, including: maintaining disclosure controls and procedures, emphasizing the role of boards of directors in overseeing cybersecurity risk management, having a robust incident response program in place, among others.”

Organizations are not completely unprepared, however. The survey also found that 54% report a high understanding of their cyber risk posture and security program, and 75% of executives report that a cybersecurity expert sits on their board.

Despite this board-level expertise, just 36% of the security professionals and executives surveyed say their organization has provided cybersecurity training to its board to educate directors on cybersecurity practices, procedures and risks.
