SEC Addresses Some of IIA’s Recommendations in Cybersecurity Risk Management Rule

The final rule, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” requires greater transparency when organizations experience cyberattacks.

The Institute of Internal Auditors, which promotes internal audit standards, certifications, education, research, and technical guidance worldwide, has commented on the U.S. Securities and Exchange Commission (SEC)’s issuance of its final rule on cybersecurity risk management, noting the positives associated with greater transparency and accountability, while pledging to continue to work with the SEC to address additional concerns.

Following publication of the SEC’s draft rule, proposed in early 2022, The IIA submitted a comment letter requesting greater clarity in certain sections. The IIA’s comment letter is cited multiple times in the explanatory document accompanying the rule, though not all of its requests were addressed. 

The final rule, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” requires greater transparency when organizations experience cyberattacks. It also adds accountability into public companies’ efforts to mitigate cybersecurity risks by, among other things, requiring that they disclose: 

  • Any material cybersecurity incident, describing the incident’s nature, scope, and timing, as well as any material impact on the company. The disclosure is required within four business days but may be delayed if the U.S. Attorney General determines the incident poses a national security risk.
  • “Processes” for assessing, identifying, and managing material risks from cybersecurity threats. 
  • A description of the board of directors’ oversight of cybersecurity risks and management’s role in evaluating and managing material risks from cybersecurity threats. 

“Internal auditors have played a leading role in identifying and helping mitigate cybersecurity threats for as long as cyber issues have been top of mind to boards, audit committees and senior management. It’s an issue the profession knows incredibly well,” said IIA President and CEO Anthony Pugliese, CIA, CPA, CGMA, CITP. “While we’re pleased that several of the issues that we raised in our comment letter were addressed in the final rule, we intend to continue to work with the SEC to develop implementation guidance that addresses other concerns.” 

Among The IIA’s remaining concerns are the need for guidance on determining the materiality of a cyber incident, as well as further defining the term “cybersecurity.” Instead, The IIA argued that a greater benefit to investors would be a properly positioned internal audit function that provides independent assurance to the board over cybersecurity risk management.

The IIA’s 2023 Pulse Survey found that cybersecurity issues topped the list of threats facing publicly traded companies, with 98% identifying it as a risk and 74% stating that there was a high/very high risk level. 

The new SEC rule dictates that boards of directors are now expected to exercise oversight of cybersecurity risk management processes. In addition, that oversight must be disclosed in the company’s annual reports moving forward. 

“The SEC’s rule underscores the importance of boards and management working in concert with their internal audit function to ensure that they have effective governance and controls in place to mitigate risk stemming from cybersecurity threats,” Pugliese added.