Investors with significant stock in public companies expect a high level of disclosure on information concerning new market competitors, shifts in product demand, and operational disruptions stemming from natural disasters or cybersecurity incidents. In catering to this need for transparency, the United States Securities and Exchange Commission (SEC) has recognized that cybersecurity incidents warrant equal attention.
As an IT professional, you know that cyber breaches can exert a substantial financial toll on a company, from the theft of digital assets to the costs associated with response measures, legal actions, compensatory payments, and potential regulatory penalties. Beyond immediate financial losses, security breaches also interrupt business operations and inflict lasting reputational damage, undermining a company’s brand in the long term, all of which affects the stock price of a company.
Recently Announced SEC Requirements
In July 2023, the SEC adopted new rules concerning cybersecurity risk management, strategy, governance, and incident disclosure by public companies. Of note is a critical disclosure requirement: companies must report any “Material Cybersecurity Incident” within four business days of the date the incident was determined to be material. To be clear, the clock does not start ticking when the incident occurs or is detected, but when it is determined to be “material”. The SEC defines “material” as:
“An incident that reflects a substantial likelihood that a reasonable shareholder would consider to be important in making an investment decision, or if it would have significantly altered the total mix of information available.”
“Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
When determining the materiality of an incident, a company should consider quantifiable and non-quantifiable elements, including impacts on reputation, market competitiveness, and customer relations. The possibility of consequential litigation, inquiries, or regulatory proceedings that could substantially influence the company's standing must also be considered. According to SEC guidance, the determination of material status must be made “without unreasonable delay” upon first detecting the incident. The aim of the four-day disclosure timeline is to give investors ample and timely opportunity to reevaluate investment decisions based on the risks presented by a disclosed cybersecurity incident.
The disclosure should be submitted under new item 1.05 of Form 8-K, wherein the company is required to furnish a detailed account of the incident, including its nature, timing, and the extent of impact on the company’s operations. A deferral of the four-day notification mandate is permissible if the U.S. Attorney General advises that prompt disclosure could significantly jeopardize national security or public safety.
For effective dates, the material incident disclosure requirements are effective by December 18, 2023. All disclosures for risk management, strategy, and governance are effective for all registrants for fiscal years ending by December 15, 2023.
The SEC Is Taking Cybersecurity Awareness Seriously
Beyond the mandates for reporting cybersecurity incidents, the SEC has introduced additional regulations focused on risk management and cybersecurity governance for relevant organizations. These will not be detailed here, but it’s worth noting that one key requirement is for companies to disclose the cybersecurity expertise present on their board of directors. This requirement reflects the SEC's emphasis on the role of cybersecurity knowledge in competent risk management.
It’s essential to understand that even companies not traditionally compelled to prioritize cybersecurity by other regulatory frameworks must adhere to the SEC’s stipulations, regardless of where in the U.S. they are located. Moreover, U.S. entities with international branches located in regions with less stringent cyber regulations are still obligated to report incidents that could materially affect the company, whether these occur domestically or abroad.
Time Is Of The Essence
Navigating the new SEC regulations can be challenging, particularly when it comes to the 96-hour directive. Although the exact timeline for determining the materiality of an incident isn't strictly defined, the SEC's position on delays is unequivocal: undue postponement is unacceptable. Failure to adhere to this disclosure deadline can result in serious consequences, as recent SEC enforcement actions suggest:
- SEC v. SolarWinds Corp. and Brown
- SEC v. Woodbury and Holverson
- Linus Financial, Inc.
- Impact Theory LLC
SOC analysts are well-versed in the measuring sticks of Mean Time To Detection (MTTD) and Mean Time To Recovery (MTTR), but these averages now take on significant meaning for those outside an enterprise’s cybersecurity practice.
WEI Can Help You Be Better Prepared
For cybersecurity teams and executive leaders, the pressing question is clear: Are you equipped to meet the new 96-hour disclosure mandate? The four-day timeframe is tight for traditional architectures and limited teams, particularly amidst the high-pressure aftermath of a cybersecurity incident. Tabletop exercises can be invaluable, shedding light on whether an organization possesses the necessary processes, strategies, tools, and know-how to act swiftly. While these simulated exercises offer a semblance of a real crisis, they cannot completely replicate the intense, unpredictable nature of a real-time breach.
For many cyber leaders managing a traditional security architecture that lacks next-gen components, this new mandate is concerning. Organizations struggling to reduce their MTTD and MTTR are often contending with operational complexities: too many products with a lack of coordination, lengthy manual processes, and a cybersecurity skill shortage that doesn't appear to be improving.
Enter Security Orchestration, Automation, and Response (SOAR), a next-gen solution that combines comprehensive data gathering, standardization, workflow analysis, and analytics to give organizations the ability to easily implement sophisticated, in-depth capabilities based on internal and external data sources. It also automates time-consuming tasks, which is essential when the turnaround time for generating a comprehensive incident report is short. With automation, your organization will:
- Scale and standardize incident response processes.
- Speed up resolution times, boosting SOC efficiency.
- Improve analyst productivity and enhance team learning.
- Gain immediate ROI from existing threat intelligence investments.
With SOAR, WEI can effectively guide your organization toward a solution that transforms the stringent four-day window into a more manageable timeframe. Remember, SOAR was created under the realization that security teams lack the people and scalable processes to keep pace with an overwhelming volume of alerts and endless security tasks, the same alerts and security tasks that will help you determine whether an incident is material enough to be disclosed under the new SEC requirements. If your company falls under the jurisdiction of the SEC, the clock is ticking.
WEI has guided forward-thinking organizations to implement comprehensive SOC automation strategies that fully automate Tier 1 activities and investigations. In many cases, much of the Tier 2 workload has been automated as well. This modern approach frees up the SOC and IR teams to focus on what is important: preventing critical incidents, hunting for threats proactively, generating comprehensive incident reports, and improving overall security posture.
WEI has been ahead of the curve of such mandates. We can dive into your current security stack and monitoring environment to provide an accurate assessment of your architecture’s strengths and weaknesses. Contact our team today if you are interested in a holistic, next-gen cybersecurity architecture.