SEC cyber rules will have wide impact amid uncertainty

The vast majority of cyber professionals agree the Securities and Exchange Commission's new cybersecurity disclosure rules will affect them significantly, but fewer are confident they can actually comply.

The new rules, approved last year, expand what public companies (registrants) are required to report about their cybersecurity. In general, a registrant that experiences a cybersecurity incident must now determine whether the incident is material and, if so, disclose it under the new Item 1.05 of Form 8-K within four business days of that materiality determination, not of the incident's discovery. In that filing, the registrant must describe the material aspects of the nature, scope and timing of the incident, as well as its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.

The new rules also require registrants to describe in their annual reports their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including those from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Registrants must also describe the board of directors' oversight of risks from cybersecurity threats, and management's role and expertise in assessing and managing material risks from those threats.

A survey of cybersecurity professionals and executives released Thursday by audit solutions provider AuditBoard found that a large majority of respondents (81%) say the new SEC cybersecurity disclosure rules will substantially impact their business. Only about half (54%), however, said they are highly confident in their organization's ability to comply with the rules.

This may reflect the pace of preparations. The survey found that fewer than half (48%) of the respondents' organizations have performed a gap assessment to determine what needs remediation in order to comply. In addition, 18% of the respondents said they are still trying to understand the rule and its requirements, 16% said they have a plan to comply but have yet to implement it, and 38% have only started implementation. At this point, only 26% of the respondents say they have fully implemented their plan and are prepared to comply, while 2% admit they haven't started at all.

The top reported challenges organizations face as they work to comply with the SEC cybersecurity rules are quantifying cybersecurity incidents (57%) and determining incident materiality (49%). Nearly half (47%) of those surveyed report that updating the disclosure process is also a top challenge.

"Organizations have been planning for the new SEC cybersecurity disclosure rules for some time, but there is still much to be done," said Richard Marcus, head of information security at AuditBoard, in a statement. "Several points from the SEC's guidance suggest the need for an integrated view and collaboration, including: maintaining disclosure controls and procedures, emphasizing the role of boards of directors in overseeing cybersecurity risk management, having a robust incident response program in place, among others."

Organizations are not completely unprepared, however. The survey also found that 54% of the respondents report a high level of understanding of their cyber risk posture and security program. Further, 75% of the surveyed executives reported that a cybersecurity expert sits on their board.

Despite this expertise, however, just 36% of the security professionals and executives surveyed say their organization provides cybersecurity training for its board to educate directors on cybersecurity practices, procedures and risks.
