In response to the Securities and Exchange Commission's (SEC) recent implementation of new cybersecurity regulations for public companies, a Deloitte poll reveals that nearly two-thirds of public company executives, or 64.8%, are planning to bolster their cybersecurity initiatives. These new rules encompass various aspects of cybersecurity risk management, strategy, governance, and incident disclosure. Moreover, more than half of the surveyed executives, accounting for 54.1%, intend to encourage their third-party partners to enhance their own cybersecurity programs in light of the updated SEC regulations.
The survey also delved into how companies have prepared for these regulations in advance. It found that 53% of public company executives had been anticipating and planning for the SEC's cybersecurity rules. This group of executives had diverse timelines for their preparations, with some starting up to six months before the rules were finalized, others between six to twelve months in advance, and the rest taking more than a year.
However, not all organizations were equally proactive. Approximately one-quarter of those polled, around 26.1%, admitted to not having started their preparations yet. Nevertheless, they expressed confidence in achieving compliance by the mandatory deadlines.
Naj Adib, a Deloitte Risk & Financial Advisory principal specializing in cyber and strategic risk, emphasized the importance of companies extending their cybersecurity efforts beyond their internal operations to include third-party relationships, as stakeholder expectations for robust cybersecurity programs continue to rise.
"Those efforts should continue to focus on reaching across silos — both within the organization's relevant business functions and with third parties, as regulator and stakeholder expectations of continuously strengthened cyber programs continue to rise."
In response to the SEC's new regulations, only 33.9% of the surveyed public company executives had evaluated their communication practices with third-party service providers. Another 27.4% were in the process of evaluating such communications.
Daniel Soo, Deloitte Risk & Financial Advisory's strategy and extended enterprise leader, highlighted the need for clear communication from top leadership regarding cyber risk management expectations, not only within organizations but also throughout their supply chains and ecosystems. He emphasized that cybersecurity is no longer solely the responsibility of Chief Information Security Officers (CISOs) but is now recognized as a multifaceted business risk requiring collaboration across various groups. "Increasingly, more executives understand cybersecurity is not just a CISO's responsibility, but a multifaceted business risk that demands many groups work together to support. Responses to requirements like new SEC cyber rules should help make cyber risk management improvements that benefit many organizations whether they are publicly traded or not," said Soo. ###