Corporate finance chiefs appear less engaged than their IT counterparts in key aspects of complying with the new SEC cybersecurity rules, according to a recent survey by AuditBoard. The study indicates that only 45% of CFOs are actively involved in the SEC’s cybersecurity breach disclosure process, compared with 75% of Chief Information Security Officers (CISOs). Given the SEC’s mandate to disclose material cybersecurity incidents promptly, the study underscores the importance of the CFO’s perspective in assessing the financial impact of those incidents.
According to Richard Marcus, Head of Information Security at AuditBoard, CFO involvement is crucial in determining whether an incident is material. The rules stipulate that a public company must disclose a material cybersecurity incident to the SEC within four days of determining that the incident is material. Marcus emphasizes that CISOs may focus on the risk perspective, but assessing the financial impact requires the expertise of the CFO’s office to arrive at a balanced call.
The AuditBoard research also highlights ongoing challenges for public companies in complying with the SEC rules. One-third of the companies surveyed are still in the early stages of implementing them, reflecting the complexity of coordinating across different parts of an organization. Many organizations are navigating a sea change that requires collaboration between cybersecurity and financial reporting personnel to ensure compliance with the SEC’s cybersecurity rules.