The SEC cybersecurity ruling mandates that publicly traded companies disclose significant cybersecurity incidents in a timely manner, along with the measures taken to address these threats. This ruling underscores the importance of cybersecurity as a critical aspect of corporate governance and investor protection. It aims to enhance transparency and accountability in cybersecurity practices among publicly traded companies, ultimately safeguarding investors’ interests and promoting market integrity.
Publicly traded companies are not the only ones being impacted. The new ruling also includes high-level disclosures involving third-party vendors of these organizations. Needless to say, the requirements to comply with the new SEC cybersecurity disclosure ruling have created a ripple effect that reaches deep within these organizations and outside of them to the companies that support them.
Key Findings
- If you haven’t already, the time is now to implement compliance efforts. While 98% of security professionals and executives surveyed have started working to comply with the new SEC cybersecurity disclosure ruling, over one-third are still in the early phases of their efforts.
- Performing gap assessments sets you on the right track. Less than half (48%) of organizations have performed a gap assessment to determine what needs remediation to comply. Those who have, however, are significantly more confident in their ability to comply with the new ruling in 2024 than those who have not.
- Materiality may be vague, but using a framework can help provide context. 49% of organizations have already established processes and methodologies to determine materiality, and 98% of those using a materiality framework report a moderate to high understanding of that framework and their ability to provide the right inputs.
- Potential roadblock: Departmental alignment to update the disclosure process. Updating or integrating the disclosure process is a top challenge, and only 39% of organizations have cross-functional/departmental alignment on processes and steps.
- Using the right technology matters. An integrated view of risk management significantly increases confidence in complying with the new SEC cybersecurity ruling in 2024. Further, those using technology to facilitate the disclosure process feel less challenged by stakeholder adoption of these new workflows.
Where are companies on their compliance journey?
Nearly all organizations surveyed have embarked on their journey to compliance with the new SEC cybersecurity disclosure ruling. However, one-third (34%) are still in the early stages of their efforts, with 18% of those surveyed still working to understand the ruling and requirements and another 16% saying they have a plan to comply but have not yet started implementing.
The rest have started implementing their plan to comply (38%) or are currently operating with a fully implemented compliance plan (26%).
Implementing compliance takes time, however. Overall, 60% of security professionals and executives had been working on efforts to comply with the new SEC cybersecurity disclosure ruling for over 6 months. Among those who have fully implemented plans and policies across teams (Phase 4), 82% have been working on this for over 6 months, with 50% reporting that this work has been ongoing for over a year.
AuditBoard’s new eBook, Decode the New Cybersecurity Disclosure Ruling, created in partnership with Ascend2, provides all the steps to empower your organization to conduct gap assessments, create a compliance strategy, identify the impact of cybersecurity incidents, demystify and define materiality, integrate disclosure processes, and transform your technology with the right tools.