The Securities and Exchange Commission’s (SEC) recently approved cybersecurity rules are already affecting corporate disclosures, Accounting Today reported.
The rules, approved in July, require entities to disclose material cybersecurity incidents. In particular, they expand what entities are required to report regarding their information technology (IT) security and require them to disclose the incident within four days.
The rules also require entities to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including those from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.
There is a clear trend toward more detailed disclosures of cybersecurity risk oversight, ISS Corporate Solutions reported after reviewing disclosures from companies in the S&P 500 and Russell 3000, in response to the rules. The company is a cybersecurity and corporate governance solutions provider. Its report found that nearly all companies in the Russell 3000 provide disclosures that include at least a general approach to information security risk mitigation, and that more than 80 percent of S&P 500 companies include detailed disclosure of both risks and strategies to mitigate them.
Disclosures about cybersecurity insurance have grown as well. The proportion of Russell 3000 companies disclosing their cybersecurity insurance increased from 38 percent in 2021 to 58 percent this year, and S&P 500 companies’ proportion grew from 50 percent to 68 percent in the same time period.
The proportion of entities disclosing whether they experienced an information security breach in the last three years went from 6 to 19 percent for Russell 3000 companies and from 10 to 31 percent for S&P 500 companies, the report found. They are also more likely to disclose the cost and damages.
"The SEC's new cyber disclosure rules are a forcing function for management teams and boards," said Doug Clare, managing director and head of cyber strategy at ISS Corporate Solutions, Accounting Today reported. "As companies will now need to make more robust disclosures about their cyber risk management practices, the rules will undoubtedly compel many firms to adopt more robust processes worthy of the disclosure."