CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.
The SEC’s new cybersecurity disclosure requirements somehow caught a lot of y’all sleeping.
Can you believe it’s already been a month? Since Dec. 18, companies have had to follow the new reporting rule, which requires organizations to report material cyber incidents within four days and to report annually on their cybersecurity risk management, strategy, and governance practices.
But what does “material” even mean? (For more on that, industry experts weighed in on the term “materiality” in our sister publication, IT Brew.) In a new report, Grant Thornton experts suggested that organizations develop a framework to help determine what constitutes a “material” cyber incident.
Good advice, right? Well, a lot of companies have yet to do this, at least among those surveyed by Grant Thornton during a recent webcast. The firm found that just 9% of organizations have gone all the way through identifying what a material cyber incident looks like and putting those characteristics to the test. Meanwhile, more than a quarter (27%) haven’t started working on a framework yet.
Some organizations are at least trying, though. Four in 10 respondents are in the process of developing a framework. Another 24% said they’ve identified features of a material cyber incident within their organizations, but haven’t tested them. Some organizations answered “unsure” to the question, and Grant Thornton omitted this share of respondents in its survey breakdown.
“As a C-level executive or as a board member, you need to make sure your organization has processes and controls in place to surface complete and accurate information,” Forrest Frazier, a partner in Grant Thornton’s strategic assurance and SOC services practice, said in the report.
The new SEC requirement prompted many organizations to modify their cybersecurity programs’ management and governance structures, the Grant Thornton experts wrote. More than a quarter (28%) said they made changes to both their cyber risk management and governance processes, another 22% made changes to just their risk management processes, and 19% changed only their governance processes.
Look, we know folks have been talking to boards for years about cyber practices and controls. But the new reporting requirement isn’t necessarily an extension of that.
As Frazier put it, those internal conversations are “very different from saying you’re ready to disclose it to the public. Just like in the MD&A, there’s an onus on management to make sure what is disclosed is complete and accurate.”