Skip to main content
close search
site logo
Dive Brief

Firms still scrambling over SEC cyber rules: poll

Grant Thornton found that many companies have taken steps to comply with the new rules, “but some still have work to do.”

Published Jan. 9, 2024
Alexei Alexis's headshot
Reporter
Street view of the Securities and Exchange Commission, SEC, Building in Washington DC.
Securities and Exchange Commission building in Washington, DC. qingwa via Getty Images

Dive Brief:

  • More than one-fourth (27%) of public company executives responding to a recent Grant Thornton poll said their organizations had not yet started developing a framework for complying with new Securities and Exchange Commission cybersecurity rules.

  • Among other provisions, the rules require a public company to disclose a “material” cybersecurity incident to the SEC within four days of determining that it is a material breach. The agency began enforcing the reporting rules in December. Since the guidelines were adopted last summer, companies have scrambled to ensure they have the appropriate policies and procedures in place for compliance.

  • “The Grant Thornton webcast survey shows that many companies have taken steps toward fulfilling these reporting requirements, but some still have work to do,” the global advisory firm said in a Monday report highlighting the results.

Dive Insight:

Cybersecurity has escalated as a C-suite level priority in recent years, amid a rise in sophisticated and costly cyberattacks as well as growing regulatory pressures.

The SEC, which has long maintained through guidance that material breaches should be disclosed to investors, has been increasingly raising the stakes for companies and their executives. Last year, even before its new rules kicked in, the agency began ramping up its cybersecurity enforcement efforts.

In October, the SEC sued Austin, Texas-based software provider SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020. The company has denied the charges.

“I think we’ve already seen the SEC kind of turning up the heat on this issue, and the stakes are even higher with a formal rule now in place,” Cara Peterman, a partner in Alston & Bird’s Securities Litigation Group, previously told CFO Dive.

As of Dec. 18, all covered entities other than smaller reporting businesses were required to comply with the new breach disclosure mandates. Smaller reporting companies will be subject to them as of June 5.

Companies must also annually describe on form 10-K their board of directors’ oversight of cybersecurity risks. Enforcement of these mandates kicked in beginning with annual reports for fiscal years ending on or after Dec. 15.

In the past, some companies tried to disclose as little as possible about cybersecurity to avoid potential liability and legal issues, according to Grant Thornton.

“That practice of minimum disclosure has been upended by the SEC’s requirements and demands a new way of communicating that should be considered carefully by management and the board,” the firm said in its report.

Editors' picks

Company Announcements

View all | Post a press release
Cybrid Responds to Market Demand for Stable, Efficient Cross-Border Payments with Enhanced Sta…
From Cybrid
November 20, 2024
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024

Want to share a company announcement with your peers?

Get started

Editors' picks
Latest in Compliance
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell