New SEC Cyber Risk Disclosure Rules: Not Just for Public Orgs

Incident response and reporting can be challenging at the best of times. Organizations struggle to pin down where a security incident originated, and the attack path can be difficult to reconstruct forensically. When a company must then report the impact to the market, interested parties struggle to understand the real impact in a timely manner, and because companies report breaches in different ways, comparing one disclosure with another is a challenge of its own. 

The Securities and Exchange Commission (SEC) has recognized the need for more transparency around cybersecurity incidents. In July 2023, it adopted new cyber risk disclosure rules governing the disclosure of material cybersecurity incidents. Whether an incident is material remains the company's own determination, made under the same reasonable-investor standard that governs its other SEC disclosures, but a large share of significant cybersecurity incidents are likely to meet it. 

Organizations with major Internet of Things (IoT) security concerns will likely find that their existing incident response and disclosure capabilities are not sufficient to meet the new requirements, especially given the explicit time limits in the rules. Incident response on networks with large numbers of IoT devices is already a major challenge, and the reporting rules will only make it more so. This article offers suggestions for streamlining incident reporting so that organizations can comply with the new rules. 

What are the New SEC Cyber Rules? 

In July 2023, the Securities and Exchange Commission (SEC) adopted new cybersecurity rules requiring public companies to disclose material cybersecurity incidents on Form 8-K under a new Item 1.05. However, as discussed below, the rules can affect private companies as well. Separately, the rules require disclosure of material information about cybersecurity risk management, strategy, and governance in the annual Form 10-K. Foreign private issuers that trade securities in the United States are not exempt; they furnish the same information on Form 6-K (incidents) and Form 20-F (annual disclosure) respectively. 

The incident reporting requirements take effect on Monday, December 18, 2023. According to the SEC's July announcement, smaller reporting companies have an additional 180 days, until June 15, 2024, before they must begin providing Item 1.05 disclosures on Form 8-K. 

The crux of the SEC cyber rules is that companies must file the Item 1.05 disclosure within four business days after they determine that an incident is material. The clock starts at the materiality determination rather than at discovery, but the rules require that determination to be made without unreasonable delay after the incident is discovered, so the deadline cannot be pushed out by postponing the assessment. The rules also define a cybersecurity incident to include a series of related unauthorized occurrences, so incidents that share a common factor, such as the same attacker or the same exploited vulnerability, must be assessed together for materiality even if each would be immaterial on its own.  

The two forms referenced in the new SEC cyber rule should be familiar to public companies. Form 8-K is the standard current-report form for events shareholders need to know about, such as stock splits and changes in financial condition. Form 10-K is the standard annual report. Before the new rule, Form 8-K had no item dedicated to cybersecurity incidents, and companies that chose to disclose one typically did so under a general item such as Item 8.01 (Other Events); Item 1.05 gives cybersecurity incidents a designated item for the first time. 

As to what qualifies as a material event, the SEC said in their news release that “The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”

These new rules are part of a push for greater transparency around cybersecurity incidents. The SEC's stated aim is to standardize breach disclosure across industries, having found that existing practices for disclosing cyber incidents were inconsistent and haphazard. The new disclosure rules should result in consistent practices and language across multiple industries. 

It's worth noting that the rules don't affect only public companies. Public companies bear the brunt of the disclosure obligations, of course, but many of them rely on smaller nonpublic organizations in their supply chains, and the SEC has shown it will reach through those relationships. For example, in a recent lawsuit involving the private law firm Covington & Burling, the SEC demanded the names of public-company clients affected by a 2020 cyberattack on the firm. Six of the seven clients at issue were ultimately named as part of the resolution of the lawsuit. 

That's not the only example of the SEC pursuing private companies. It charged the privately held clean-energy company Monolith with violating whistleblower protection rules through the terms of its separation agreements. That the SEC pursued private companies in these cases indicates its willingness to enforce its rules regardless of who violates them, so anyone who does business with large public companies needs to understand the new cybersecurity rules.

What Do the New SEC Cyber Rules Mean for Businesses?

The new SEC cyber rules could require substantial changes for reporting companies. The requirement to file within four business days of a materiality determination means that cybersecurity teams need to improve both their data collection around security incidents and their response to attacks. CISOs should not seek to make the materiality determination themselves, however. 

Rather, CISOs and the security teams who report to them need to provide as much contextualized data as possible to the legal, compliance, and financial teams who do make the materiality determination. Materiality is a securities-law judgment, and the teams who regularly file reports with the SEC are best placed to decide whether a cybersecurity incident meets that standard. 

CISOs and security teams should instead emphasize operational changes that allow them to better support their compliance teams. These include: 

  • Shift incident response governance. The new SEC cyber rules require tight collaboration between cybersecurity, legal, investor relations, and communications leaders. Incident response teams need to include people empowered to speak to the SEC and the market at large, which means legal counsel and communications leaders must be actively involved in incident reporting rather than brought in afterward. 
  • Determine what data collection must change. Security teams may need to alter how they collect incident data so that the organization can describe an incident's nature, scope, timing, and impact within the four-business-day window. That could mean a new data aggregation tool or a better method of collection so that the facts needed for the filing are available when the determination is made. 
  • Speed up reporting processes. The short disclosure window means that cybersecurity teams need to report early and often while an incident is unfolding. The rules also require an amended filing when material information that was unavailable at the time of the initial disclosure is later determined, so iterative reporting to the compliance team is a necessity, and incident reporting procedures may need to be updated to support it. 
  • Offer updates on risk management. Given the changes to 10-K reporting, CISOs and security teams need to provide high-level information on their cybersecurity risk management processes. These should demonstrate a functioning risk assessment program in enough detail to address investor concerns about the organization's risk profile. 

This shift in the SEC cyber disclosure requirements brings new people into the incident response workstream. Going forward, it will be vital that incident reporting is clear and concise and gives legal teams what they need to make a materiality determination without unreasonable delay. 
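As an added illustration of the data-collection and iterative-reporting points above, and of the related-series definition described earlier, the following Python sketch of an incident ledger computes the Item 1.05 filing deadline as four business days after the materiality determination and groups undisclosed incidents by a shared factor (attack source or mechanism) so the compliance team can review them as a possible related series. This is example code written for this article, not code from the article's author or from Asimily. The field names, escalation thresholds, holiday list, and sample incidents are constructed assumptions, and the materiality flag is set by the legal and compliance teams, never computed here.

```python
"""Incident ledger sketch: Item 1.05 deadline tracking and related-incident grouping.

Added example for illustration only; not Asimily code. Field names, thresholds,
holidays and the sample incidents below are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Form 8-K Item 1.05: file within four business days after the materiality determination.
DISCLOSURE_BUSINESS_DAYS = 4


@dataclass
class Incident:
    incident_id: str
    discovered: date
    source: str                  # attacker infrastructure or campaign identifier (assumed field)
    mechanism: str               # initial-access or attack technique (assumed field)
    affected_devices: int
    material_determined: date | None = None  # set by compliance/legal, never by this code
    disclosed: bool = False


def add_business_days(start: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Return the date n business days after start, skipping weekends and the given holidays."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:  # Mon-Fri and not a holiday
            remaining -= 1
    return current


def filing_deadline(inc: Incident, holidays: frozenset[date] = frozenset()) -> date | None:
    """Deadline for the initial Item 1.05 filing, or None until materiality has been determined.

    The clock starts at the determination, not at discovery; the rule expects that
    determination to be made without unreasonable delay after discovery.
    """
    if inc.material_determined is None:
        return None
    return add_business_days(inc.material_determined, DISCLOSURE_BUSINESS_DAYS, holidays)


def related_series_candidates(incidents, min_count: int = 3, min_devices: int = 25):
    """Group undisclosed, not-yet-assessed incidents by a shared source or mechanism.

    Groups that reach the (assumed) escalation thresholds are returned so compliance
    can judge whether the series is material in the aggregate. This is a triage
    filter for escalation, not a materiality determination.
    """
    groups: dict[tuple[str, str], list[Incident]] = defaultdict(list)
    for inc in incidents:
        if inc.disclosed or inc.material_determined is not None:
            continue  # already disclosed or already under a materiality determination
        groups[("source", inc.source)].append(inc)
        groups[("mechanism", inc.mechanism)].append(inc)

    flagged = {}
    for key, members in groups.items():
        total_devices = sum(i.affected_devices for i in members)
        if len(members) >= min_count or total_devices >= min_devices:
            flagged[key] = sorted(i.incident_id for i in members)
    return flagged


# Constructed sample data (not real incidents). The IP addresses are from documentation ranges.
SAMPLE_INCIDENTS = [
    Incident("INC-1", date(2024, 1, 8), "203.0.113.7", "default-credential login", 5),
    Incident("INC-2", date(2024, 1, 16), "203.0.113.7", "default-credential login", 8),
    Incident("INC-3", date(2024, 1, 23), "198.51.100.22", "default-credential login", 4),
    Incident("INC-4", date(2024, 1, 29), "192.0.2.41", "firmware downgrade", 30,
             material_determined=date(2024, 2, 1)),  # determination made on a Thursday
]
SAMPLE_HOLIDAYS = frozenset({date(2024, 2, 5)})  # constructed holiday on the following Monday


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, "8-K due:", filing_deadline(inc, SAMPLE_HOLIDAYS))
    print("related-series candidates:", related_series_candidates(SAMPLE_INCIDENTS))
```

On the sample data, INC-4's determination on Thursday, February 1 gives a deadline of Wednesday, February 7, or Thursday, February 8 when the constructed Monday holiday is supplied; the three default-credential logins are surfaced together as a candidate series while the two incidents from the same source address fall below the assumed thresholds. Real deployments would load the exchange holiday calendar rather than a hand-built set.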

How Asimily Supports SEC Cyber Rule Compliance 

The Asimily platform features native incident response and forensic capabilities that help customers meet the SEC's reporting requirements. Detecting a cybersecurity incident and collecting the supporting data quickly enough to describe its nature, scope, timing, and impact is the main practical barrier to complying with the new rules. 

While Asimily does not provide incident responders, the platform can accelerate and streamline the incident response process. Most importantly, it includes an anomaly detection engine that continuously monitors traffic to and from IoT devices for suspicious activity. This includes indicators of compromise and attempted compromise, as well as risky activity that could precede a breach. Asimily also provides policy management functionality to detect incidents and trace them back to their source. 

Asimily also streamlines forensic analysis through its: 

  • Topology report showing which devices and systems the IoT device in question was communicating with. An accurate map of device relationships lets responders determine whether and where lateral movement through the organization may have occurred. 
  • Flow analysis showing which protocols a device uses and which systems it talks to. With this information, security teams can track any data the device may be sending to other systems. 
  • Packet capture for any monitored device, storing the traffic flowing to or from the device in a local file. This data supports incident response and forensic analysis and can reveal the tactics, techniques, and procedures attackers used. 
  • Device timelines giving a complete history of changes made to a device by people or software, including when vulnerabilities were discovered or mitigated.

With these incident response and forensics capabilities, Asimily helps organizations collect the data they need quickly and efficiently to comply with the SEC's new cyber reporting requirements. The push for transparency around cybersecurity incidents will only increase as incidents become more damaging and far-reaching. Asimily can help organizations move faster to report and remain in compliance.

Schedule a consultation with an Asimily expert to see how you can efficiently prioritize and remediate vulnerabilities with the leading IoT risk management platform.
