New SEC Cyber Rules to Push Publics and Their Third Parties to Strengthen Programs

NEW YORK, Oct. 3, 2023 — Following the Securities and Exchange Commission's (SEC) adoption of new rules for cybersecurity risk management, strategy, governance, and incident disclosure by public companies, 64.8% of public company executives say their organizations will strengthen their cybersecurity programs, according to a new Deloitte poll. Over half of executives surveyed will also push their third parties to strengthen cyber programs (54.1%) in response to the new SEC rules.

Looking back, 53% of public company executives say that their organizations have been planning for and anticipating the newly issued SEC cyber rules. Within that group, executives’ organizations have prepared along various timelines, including up to six months (17%), six to 12 months (19.1%) and more than a year (16.9%).

While one-quarter of those surveyed (26.1%) have yet to begin preparing to comply with SEC cyber rules ahead of their finalization, they say their organizations will be compliant by mandatory deadlines.

“Leading public companies have invested considerable time into maturing their cyber, risk management and governance capabilities in anticipation of the now finalized SEC cyber rules,” said Naj Adib, a Deloitte Risk & Financial Advisory principal in cyber and strategic risk, Deloitte & Touche LLP. “Those efforts should continue to focus on reaching across silos — both within the organization’s relevant business functions and with third parties, as regulator and stakeholder expectations of continuously strengthened cyber programs continue to rise.”

In response to the new SEC cyber rules, just 33.9% of polled public company executives’ organizations have evaluated communications with third-party service providers. An additional 27.4% are currently in the process of evaluating them.

"Whether organizations are publicly traded or do business with public companies, clear communication from top leadership about cyber risk management expectations can help mitigate security risks within organizations themselves, but also within their broader supply chains and ecosystems,” said Daniel Soo, Deloitte Risk & Financial Advisory’s strategy and extended enterprise leader and a principal, Deloitte & Touche LLP. “Increasingly, more executives understand cybersecurity is not just a CISO’s responsibility, but a multifaceted business risk that demands many groups work together to support. Responses to requirements like new SEC cyber rules should help make cyber risk management improvements that benefit many organizations whether they are publicly traded or not.”

About the online poll
More than 1,300 C-suite and other executives from publicly-traded organizations were polled during a webcast, titled “Understanding the SEC’s requirements for cybersecurity disclosures,” on Aug. 22, 2023. Answer rates differed by question.

About Deloitte
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500® and more than 8,500 U.S.-based private companies. At Deloitte, we strive to live our purpose of making an impact that matters by creating trust and confidence in a more equitable society. We leverage our unique blend of business acumen, command of technology, and strategic technology alliances to advise our clients across industries as they build their future. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Bringing more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte’s approximately 457,000 people worldwide connect for impact at www.deloitte.com.

Media contact

Taylor Graham
Public Relations
Deloitte Services LP
+1 410 576 6707

Shelley Pfaendler
Public Relations
Deloitte Services LP
+1 212 492 4484