The SEC's new cybersecurity disclosure rules, effective September 5, 2023, mark a historic shift in IT risk management. Public companies must now disclose their cybersecurity governance and risk strategies in annual reports and report material incidents within four business days.
This mandate compels executive leadership and boards to prioritize cybersecurity risk assessment, with private companies also facing potential liability as third-party vendors. A recent AuditBoard poll of 4,000 IT risk professionals found that 52% are already engaged in risk quantification, highlighting the growing emphasis on measurable cybersecurity risk management.
