How Prepared Are You to Meet the SEC Cybersecurity Rules?

How are your colleagues positioned to meet the SEC cybersecurity rules? At the Compliance Week webinar Almost Everybody is Unprepared for SEC Cybersecurity Disclosures. But You Can Get Through This, attendees provided insight into their status. Take a look how executives, directors, and C-Suite, and fellow security and risk professionals answered these survey questions.

HOW PREPARED ARE YOU FOR DISCLOSING YOUR CYBERSECURITY PROGRAM?

31% of respondents indicated they need to improve their cybersecurity program for disclosure or have note yet started their disclosure process for the SEC rules.

We may be disclosing a cybersecurity program that needs improvement. 19%
We have started working on this and it looks like we’ll be okay. 33%
We have not started working on this yet. 12%
We are ready to disclose a program that will appropriately inform investors. 17%
We are not subject to the new SEC rules. 19%

HOW WOULD YOU DESCRIBE EXECUTIVE ENGAGEMENT IN CYBERSECURITY RISK MANAGEMENT, GOVERNANCE, AND STRATEGY?

22% of respondents answered that their executives are not engaged in the risk management process or could not definitively say the teams were on the same page or have the proper resources in place.

Other 15%
Executives have delegated cybersecurity responsibilities to people who regularly demonstrate their challenges and successes. 44%
Executives are not engaged in cybersecurity risk management, governance, or strategy. 7%
Executives and cybersecurity personnel speak the same business language to set goals and decide on resources and priorities. 34%

HOW ARE YOU CONDUCTING CYBERSECURITY RISK ASSESSMENTS?

Over 65% are measuring risk using methods that may not meet the ‘reasonableness’ regulatory requirement or they have not assessed risk at all in their process.

We use Duty of Care Risk Analysis (DoCRA) or CIS RAM. 6%
We use “High” “Medium” “Low” (or similar) estimates. 38%
We do something else. 16%
We are using maturity assessments or gap assessments. 24%
We are not assessing risks. 4%
We analyze likelihoods and impacts using financial estimates. 12%

View the Webinar Recording or Access the Presentation Materials.

We may be disclosing a cybersecurity program that needs improvement.	19%
We have started working on this and it looks like we’ll be okay.	33%
We have not started working on this yet.	12%
We are ready to disclose a program that will appropriately inform investors.	17%
We are not subject to the new SEC rules.	19%

Other	15%
Executives have delegated cybersecurity responsibilities to people who regularly demonstrate their challenges and successes.	44%
Executives are not engaged in cybersecurity risk management, governance, or strategy.	7%
Executives and cybersecurity personnel speak the same business language to set goals and decide on resources and priorities.	34%

We use Duty of Care Risk Analysis (DoCRA) or CIS RAM.	6%
We use “High” “Medium” “Low” (or similar) estimates.	38%
We do something else.	16%
We are using maturity assessments or gap assessments.	24%
We are not assessing risks.	4%
We analyze likelihoods and impacts using financial estimates.	12%