In 2023, the SEC Cybersecurity Disclosure Rules were announced, influencing the way organizations must operate in terms of cybersecurity management and disclosure. A recent report by AuditBoard suggests mixed levels of preparedness among security leader to abide by these new terms.
The ruling, which went into effect on December 15th, 2023, established that publicly traded businesses must disclose cybersecurity events as well as defense and recovery measures taken in a timely manner. 81% of security leaders report that the new rules will impact their businesses. Among that group, 54% convey their confidence in the organization’s capability to effectively comply.
At the time of this report, 2% of security leaders have started the process of adhering to the new rules. Around 33% report being in the early stages of this process while 68% say they are overwhelmed by the new disclosure requirements.
The report included insights into the top challenges security leaders are facing with this new ruling.
- 57% say the quantification of cybersecurity events is their biggest challenge.
- 49% cite determination of cybersecurity incident materiality as an issue.
- 47% report that improving their process for disclosure is difficult.
Security leaders who employ a materiality framework report a higher confidence (68%) in their ability to comply.