Dive Brief:
- Almost two-thirds of executives at publicly traded companies will strengthen their cybersecurity programs following the new Securities and Exchange Commission rule that requires companies to report material incidents within four business days, according to a Deloitte poll released Oct. 3.
- More than half (54%) of the executives said they will also push their third-party vendors to strengthen their cybersecurity programs, as links to outside companies have increasingly been identified as a potential security threat.
- A majority of executives said their companies have been planning to make changes in anticipation of the new rules, which were passed in late July and went into effect Sept. 5. The SEC disclosures, which mandate filings for incidents and annual filings on cyber risk strategies and governance, will be required starting in mid-December.
Dive Insight:
The SEC disclosure rules are part of a wider effort by federal authorities to promote greater transparency and accountability regarding cyber risk among companies that operate in the U.S.
A series of major ransomware and supply chain attacks hit the U.S. in recent years, including the 2020 Sunburst attack against SolarWinds and other companies as well as the 2021 ransomware attack against Colonial Pipeline.
While investigating those attacks, officials determined about 70% of companies were not disclosing ransomware attacks to any government agency. The companies, fearful of reputational harm and additional extortion, often paid off criminal hacking groups and failed to make any disclosures about the attacks to investors, customers or the government.
The SEC began cracking down in recent years on companies that provided misleading information or otherwise covered up significant issues with cybersecurity risk. The SEC in June notified the CFO and CISO at SolarWinds of possible enforcement in a civil investigation into statements made about cyber risk prior to the Sunburst attacks.
Companies are now working to mature their cyber risk programs to enable faster incident response and closer interaction between the CISO, the C-suite and corporate directors.
“Some organizations are evolving cyber incident response capabilities by defining a process for assessing materiality,” Naj Adib, a principal of cyber and strategic risk at Deloitte, said via email. “Others are strengthening existing governance practices through board education or enhancing cyber risk assessment capabilities.”
MGM Resorts, Caesars Entertainment and Johnson Controls have disclosed major attacks since the rule took effect. Clorox made an additional disclosure related to an August attack when it said the incident would lead to significant product shortages.
Deloitte polled about 1,300 C-suite and other executives through an online poll conducted Aug. 22