NEW YORK, Oct. 3, 2023 /PRNewswire/ -- Following the Securities and Exchange Commission's (SEC) adoption of new rules for cybersecurity risk management, strategy, governance, and incident disclosure by public companies, 64.8% of public company executives say their organizations will strengthen their cybersecurity programs, according to a new Deloitte poll. Over half of executives surveyed will also push their third parties to strengthen cyber programs (54.1%) in response to the new SEC rules.

Looking back, 53% of public company executives say that their organizations have been planning for and anticipating the newly issued SEC cyber rules. Within that group, executives' organizations have prepared along various timelines: up to six months (17%), six to 12 months (19.1%) and more than a year (16.9%).

While one-quarter of those surveyed (26.1%) have yet to begin preparing to comply with the SEC cyber rules ahead of their finalization, they say their organizations will be compliant by mandatory deadlines.

"Leading public companies have invested considerable time into maturing their cyber, risk management and governance capabilities in anticipation of the now finalized SEC cyber rules," said Naj Adib, a Deloitte Risk & Financial Advisory principal in cyber and strategic risk, Deloitte & Touche LLP. "Those efforts should continue to focus on reaching across silos — both within the organization's relevant business functions and with third parties, as regulator and stakeholder expectations of continuously strengthened cyber programs continue to rise."

In response to the new SEC cyber rules, just 33.9% of polled public company executives' organizations have evaluated communications with third-party service providers. An additional 27.4% are currently in the process of evaluating those communications.

"Whether organizations are publicly traded or do business with public companies, clear communication from top leadership about cyber risk management expectations can help mitigate security risks within organizations themselves, but also within their broader supply chains and ecosystems," said Daniel Soo, Deloitte Risk & Financial Advisory's strategy and extended enterprise leader and a principal, Deloitte & Touche LLP. "Increasingly, more executives understand cybersecurity is not just a CISO's responsibility, but a multifaceted business risk that demands many groups work together to support. Responses to requirements like new SEC cyber rules should help make cyber risk management improvements that benefit many organizations whether they are publicly traded or not."

More than 1,300 C-suite and other executives from publicly-traded organizations were polled during a webcast, titled "Understanding the SEC's requirements for cybersecurity disclosures," on Aug. 22, 2023. Answer rates differed by question.

