81 Percent of Security Leaders Say SEC Cybersecurity Rules Will Substantially Impact Their Business

LOS ANGELES, CA — Feb. 22, 2024 — AuditBoard, the leading cloud-based platform transforming audit, risk, compliance, and ESG management, today announced the results of an in-depth study of the impact on businesses of the SEC Cybersecurity Disclosure Rules. The report, based on a survey of over 300 executives and security professionals across North America, finds the majority of respondents (81%) say the new U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure ruling will substantially impact their business. Only half (54%) of those, however, report being highly confident in their organization’s ability to comply with the disclosure ruling. 

The SEC’s new cybersecurity rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure went into effect on Dec.15, 2023. These new rules mandate that publicly traded companies disclose significant cybersecurity incidents in a timely manner, along with the measures taken to address these threats. Since the final rules were announced in July 2023, companies have been preparing to meet the new requirements.

Mixed State of Organizational Readiness to Meet SEC Requirements

Overall, more than two-thirds of respondents (68%) say the new SEC cybersecurity disclosure overwhelms them. Today, only 2% of survey respondents have yet to start the process to comply with the new ruling. However, fully one-third of respondents are still in the early stages of this process. 

The top reported challenges being faced as organizations work to comply with the SEC cybersecurity ruling are quantifying cybersecurity incidents (57%) and determining incident materiality (49%). Nearly half (47%) of those surveyed report that updating the disclosure process is also a top challenge. 

Other key findings of the report include:

• In what may seem surprising, the majority of those surveyed have some sort of understanding of their company’s cyber risk posture and risk management program, with 54% reporting a high understanding and another 39% reporting some understanding. Executives say they understand their risk posture and management program most, with 71% reporting a high understanding.
• 75 percent of executives reported that a cybersecurity expert sits on their board. Despite this expertise, however, just 36% of security professionals and executives surveyed say that their organization has included training in cybersecurity for their board in an effort to educate them on cybersecurity practices, procedures, and risks. 
• Those using a materiality framework are far more confident (68%) that they can comply with the SEC mandate. Just under half (49%) of those surveyed have already established processes and methodologies to fit that criteria today. 
• The top reported challenge in the survey was determining which actions need to be taken to comply with the SEC ruling (57%), highlighting the difficulty of discerning the precise actions required for evolving cybersecurity threats, and the complex decision-making processes required for compliance. 

“Organizations have been planning for the new SEC cybersecurity disclosure rules for some time, but there is still much to be done,” said Richard Marcus, Head of Information Security at AuditBoard. “Several points from the SEC’s guidance suggest the need for an integrated view and collaboration, including: maintaining disclosure controls and procedures, emphasizing the role of boards of directors in overseeing cybersecurity risk management, having a robust incident response program in place, among others.”

Report Methodology

To produce the Decode the New SEC Cybersecurity Disclosure Rules report, AuditBoard collected data from 314 respondents to an online survey conducted in January 2024 by Ascend2 Research. Respondents were security professionals in organizations based primarily in North America, representing a diverse group of industries and company sizes.