SEC Cybersecurity Disclosure Rules – Are CISOs Ready to Go Beyond the Tip of the Iceberg?


It’s been more than six months since the SEC’s updated Cybersecurity Disclosure rules came into force. These rules represent a sea change for CISOs; both in terms of the burden of additional cybersecurity reporting, and the threat of legal action for providing reports that turn out to be inaccurate or misleading.

The CISO’s role is in the middle of a generational shift. While not solely responsible for organizations’ risk posture, CISOs need to work with disclosure teams and accurately portray risk posture and security processes to the Enterprise Risk Management (ERM) team and the board. CISOs need to understand and communicate their company’s cybersecurity practices clearly, with a data-driven approach that enables factual filings. Understanding the SEC’s new rules, and what they mean for reporting, will be a critical part of this.

The hard numbers

Listed enterprises now need to make sure their 10-K filings (comprehensive annual reports covering critical information such as financial performance) and 8-K filings (reports announcing major events shareholders should know about) accurately portray cybersecurity posture. In particular, an 8-K must be filed for a “material cybersecurity incident” within four business days of the company determining that the incident is material; the clock starts at the materiality determination, which itself must be made without unreasonable delay, not at discovery of the incident. The question is what these new requirements mean for the volume of reporting.

Analyzing SEC cyber disclosures from the first half of 2024, and comparing to the same period in 2023, we found that mentions of NIST (National Institute of Standards and Technology) and variations had increased by almost 14 times year-on-year: from 221 to 3,025. Given the pattern of filings in 2023, and that it seems almost every listed company now feels the need to disclose its security posture, we’d expect this to increase to nearly 20 times by the end of the year.

However, at the other end of the scale, the number of relevant 8-K filings is surprisingly low. Of more than 4,000 listed companies in the US, only 17 filed an 8-K reporting a cybersecurity incident in the period, and none of those stated that the incident was, in fact, material.

The buck stops here

It might seem unlikely that, in a world where we are constantly bombarded with news of catastrophic cyberattacks and data breaches, less than half of one percent of listed companies have suffered an incident they believed could have been “material”. But as the regulatory environment becomes increasingly complex, these statistics lay bare the increasing pressure being put on CISOs.

First, there is the burden of additional reporting, both from 8-Ks and from the additional detail needed in 10-Ks. CISOs might not be directly responsible for compiling reports, but they’ll need to work closely with the ERM team to ensure reports are accurate. This means ensuring that factors such as the relevant expertise of the people managing and assessing risk (for example, CISSP certification) and the relative exposure of critical systems are accurately represented. This is a challenge for a role that, traditionally, has had to rely on data from disparate tools with no single, trusted view, building an often-fragmented picture of its environment. While Business Intelligence and analytics tools have been commonplace in finance, sales, and leadership for decades, CISOs are still forced to work with one hand tied behind their back, and a sword of Damocles hanging over their heads.

That sword is the threat of legal action. Providing reports that are inaccurate or misleading, for instance by giving investors a false sense of confidence about an organization’s exposure to risk, is tantamount to lying to investors. And as the role held responsible for those reports, CISOs will be directly in the firing line. We’ve already seen a CISO charged by the SEC with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities, and such actions are only likely to increase, especially if the 8-K reports filed so far turn out to significantly underplay the real level of threat that organizations, and their investors, are facing.

Finding the golden source of truth

Ultimately the SEC’s regulations provide greater transparency, and give investors a fuller picture of an organization’s cyber risk posture and what they are actually investing in. But this will put some CISOs in a delicate position. While investors will be put off by what they see as a poor posture, the SEC will come down hard on inaccurate reports. Yet this doesn’t mean those CISOs are in an unwinnable Catch-22.

Instead, as the stakes keep getting higher, CISOs need a system of record they can trust to ensure they are reporting accurately and in good faith. A unified view of every asset throughout the business, where it sits, who owns it, and who is responsible for its security, will let CISOs turn the lights on. They can use this contextual data to quantify risk, plug gaps, and tell a story to the board and ERM team in a language they’ll understand.

The upshot of this should be a culture of accountability, where CISOs can hold colleagues responsible by translating security into the language of technical and non-technical stakeholders alike. Each will have their own relevant view of the same golden source of truthful data, and CISOs can use this to guide their actions.

CISOs can then protect themselves on all sides: showing they have taken every step to improve risk posture, demonstrating this improved posture to investors, and presenting the most accurate picture to the SEC.

EDITOR’S NOTE: Prior to publication of this issue of Cyber Defense Magazine, a major portion of the SEC action was rejected by the Federal District Court. https://www.msn.com/en-us/money/companies/solarwinds-defeats-part-of-sec-s-fraud-case-over-hack/ar-BB1qedHX

“The SEC’s claim that SolarWinds didn’t reveal to shareholders the full scope of the attack was based on “hindsight and speculation,” U.S. District Judge Paul Engelmayer wrote. However, the judge let the agency’s lawsuit proceed based on other claims SolarWinds made before the attack about its cybersecurity defenses and risks.”

About the Author

As the Chief Customer Officer at Panaseer, a leading cybersecurity analytics platform, Brian Levin leads the go-to-market (GTM) strategy and execution for marketing, sales, and customer success. He has over 15 years of experience in scaling early-stage B2B SaaS companies, achieving growth rates of 30-200% annually at scales from $4M-$150M ARR. Brian can be reached online at LinkedIn and at our company website https://panaseer.com/.
