More than one-fourth (27%) of public company executives responding to a recent Grant Thornton poll said their organizations had not yet started developing a framework for complying with new Securities and Exchange Commission cybersecurity rules.
Among other provisions, the rules require a public company to disclose a “material” cybersecurity incident to the SEC within four days of determining that it is a material breach. The agency began enforcing the reporting rules in December. Since the guidelines were adopted last summer, companies have scrambled to ensure they have the appropriate policies and procedures in place for compliance.
“The Grant Thornton webcast survey shows that many companies have taken steps toward fulfilling these reporting requirements, but some still have work to do,” the global advisory firm said in a Monday report highlighting the results.
Cybersecurity has escalated as a C-suite level priority in recent years, amid a rise in sophisticated and costly cyberattacks as well as growing regulatory pressures.
The SEC, which has long maintained through guidance that material breaches should be disclosed to investors, has been increasingly raising the stakes for companies and their executives. Last year, even before its new rules kicked in, the agency began ramping up its cybersecurity enforcement efforts.
In October, the SEC sued Austin, Texas-based software provider SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020. The company has denied the charges.
“I think we’ve already seen the SEC kind of turning up the heat on this issue, and the stakes are even higher with a formal rule now in place,” Cara Peterman, a partner in Alston & Bird’s Securities Litigation Group, previously told CFO Dive.
As of Dec. 18, all covered entities other than smaller reporting businesses were required to comply with the new breach disclosure mandates. Smaller reporting companies will be subject to them as of June 5.
Companies must also annually describe on Form 10-K their board of directors’ oversight of cybersecurity risks. All companies must comply with these requirements beginning with annual reports for fiscal years ending on or after Dec. 15.
In the past, some companies tried to disclose as little as possible about cybersecurity to avoid potential liability and legal issues, according to Grant Thornton.
“That practice of minimum disclosure has been upended by the SEC’s requirements and demands a new way of communicating that should be considered carefully by management and the board,” the firm said in its report.