Ticking Clock: Companies Scramble to Meet SEC Cybersecurity Rules, Audit Partners Cautious
With the December 15th deadline for the SEC's new cybersecurity risk disclosure rules rapidly approaching, companies are intensifying their preparations. The Center for Audit Quality’s (CAQ) biannual Audit Partner Pulse Survey provides valuable insights into the corporate response, especially in the context of the complex economic, political, and technological challenges businesses currently face.
Cybersecurity: A Paramount Business Concern
The fall 2023 CAQ survey shows a marked rise in concern about cybersecurity, which now ranks among the top economic risks for companies. A notable backdrop to this rise is the SEC’s recent complaint filed against SolarWinds. That complaint aligns with the new requirements for detailed disclosures of cybersecurity incidents and strategies, underscoring the need for robust risk management solutions.
Integrated Risk Management: A Strategic Approach
Integrated Risk Management (IRM) offers a comprehensive solution to these emerging challenges. By integrating diverse risk domains such as Operational Risk Management (ORM), Information Technology Risk Management (ITRM), Enterprise Risk Management (ERM), and Governance, Risk, and Compliance (GRC), IRM provides a cohesive approach to risk management. This integration is particularly valuable in addressing the SEC’s demands for a thorough and strategic approach to cybersecurity risk management.
Addressing Key Areas for SEC Compliance Through IRM
In preparation for the SEC’s rules, companies are focusing on two primary areas, as identified by the CAQ survey (see figure below):
Strengthening Cyber-Related Disclosure Controls (65%): IRM plays a pivotal role in enhancing disclosure controls. It provides a framework for identifying, monitoring, and reporting cybersecurity incidents in real time, helping to ensure that disclosures are accurate, comprehensive, and timely. This addresses the SEC’s requirement for transparent and prompt reporting of cyber-related issues.
Enhancing the Risk Management Process (62%): IRM’s comprehensive approach is key to strengthening risk management processes. It enables companies to assess and mitigate cybersecurity risks effectively, ensuring a resilient and responsive risk management strategy. By integrating various risk management disciplines, IRM ensures that cybersecurity risks are identified, evaluated, and mitigated in alignment with organizational objectives, thereby meeting the SEC’s expectations for a robust and integrated risk management framework.
Source: Center for Audit Quality, Audit Partner Pulse Survey, Fall 2023
IRM’s Impact on Compliance and Risk Management
By adopting an IRM approach, companies can achieve:
A Unified View of Risk: IRM provides a holistic view of all risk exposures, essential for meeting the SEC's demands for comprehensive risk disclosures.
Streamlined Compliance Procedures: The integration of ORM, ITRM, ERM, and GRC within IRM simplifies and automates risk management processes, supporting adherence to the SEC’s rigorous standards and the determination of whether a cybersecurity incident is material.
Aligned Cybersecurity and Business Strategies: IRM aligns cybersecurity strategies with broader business goals, addressing the SEC’s requirement for strategic risk management and governance.
Coordinated Incident Response: IRM facilitates a swift, organized response to cybersecurity incidents, which is crucial for meeting the SEC’s requirement to disclose a material cybersecurity incident within four business days of identifying it.
Effective Governance: By consolidating various risk management disciplines, IRM ensures that cybersecurity risks are governed at the highest levels, aligning with the SEC’s focus on comprehensive risk management.
As the SEC deadline nears, the adoption of Integrated Risk Management becomes increasingly critical for businesses. The CAQ’s Audit Partner Pulse Survey underscores the need for a holistic and strategic approach to meet the evolving challenges of cybersecurity risk management. With IRM, companies are not only poised to comply with the impending regulations but also positioned to strengthen their overall risk resilience, ensuring long-term sustainability in a complex business environment.