Following the SEC’s adoption of a slate of new rules for cybersecurity risk management, strategy, governance and incident disclosure by public companies, 65% of executives say their organizations will strengthen cybersecurity programs, according to a Deloitte survey. More than half of those surveyed (54%) will also push third-party suppliers to strengthen their cyber programs in response to the new rules.
A slight majority (53%) of executives said their organizations had already begun preparing for the new rules before they were formally announced. Just over one-quarter had not yet begun preparing to comply, though this group of leaders was confident their organizations would be ready by applicable compliance deadlines.
“Leading public companies have invested considerable time into maturing their cyber, risk management and governance capabilities in anticipation of the now finalized SEC cyber rules,” said Naj Adib, a Deloitte adviser in cyber and strategic risk. “Those efforts should continue to focus on reaching across silos — both within the organization’s relevant business functions and with third parties, as regulator and stakeholder expectations of continuously strengthened cyber programs continue to rise.”
Among those whose companies started prepping for the new rules before the agency finalized them in July, timelines have varied, including six months or less (17%), six to 12 months (19%) and more than a year (17%).
Additionally, about 34% of polled public company executives say their organizations have evaluated communications with third-party service providers, and another 27% are in the process of doing so now.
More than 1,300 C-suite and other executives from publicly traded organizations were polled during a Deloitte webcast, “Understanding the SEC’s requirements for cybersecurity disclosures,” on Aug. 22, 2023. Answer rates differed by question.