UPDATED 11:26 EDT / AUGUST 31 2023

Cybersecurity compliance: What companies need to know about the new SEC rules

The U.S. Securities and Exchange Commission recently updated its rules on cyber risk management, governance and incident disclosure. The new rules will take effect in December 2023.

Given that the guidelines have only been out for a month, how are companies responding to their stipulations so far, and what major challenges are they facing along the way?

“When we talk to the chief information security officers out there, they’re like, ‘We’ve got it, we’re used to this stuff,’” said Sean Joyce, global cybersecurity and privacy leader and U.S. cyber, risk and regulatory leader at PricewaterhouseCoopers LLP. “However, when we talk to the chief legal officer [or] the CFO, they’re the ones that say, ‘Hey, talk to me about this process … this thing called materiality.’ When you look at the SEC rule, I would break it down into cyber risk management … then cyber governance, both at the board level and at the management level, and then incident reporting and materiality.”

Joyce spoke with theCUBE industry analysts Lisa Martin and Rob Strechay at the Google Cloud Next event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how enterprise efforts to comply with the new rules are progressing. (* Disclosure below.)

Breaking down the rules themselves

In a nutshell, the SEC’s updated guidelines state that public companies must document their approach to managing cyber risk, establish a board-level committee to oversee it, and report material cybersecurity incidents to the SEC within four days of discovery.

While some companies are bemoaning the compliance burden of these new rules, the rules are not as big a change as those complaints suggest, especially since there was an earlier update as recently as 2018, according to Joyce. Rather, they accommodate new developments in cloud and artificial intelligence as ransomware threats become more commonplace.

“The mainframe is now the cloud — think of the technology and it just goes in this cycle and moves to the edge, which we’re doing now,” he explained. “When you look at what I see companies struggling with, it’s really about misconfiguration.”

(* Disclosure: PricewaterhouseCoopers LLP sponsored this segment of theCUBE. Neither PWC nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
