On December 15, 2023, the U.S. Securities and Exchange Commission (SEC) will be enacting new rules mandating corporations to disclose specific information related to their cybersecurity. These rules require companies subject to SEC regulation—essentially, any company whose shares trade on a U.S. stock exchange—to disclose details following a material security incident. The rules also require companies to report annually on their cyber resilience and board/executive oversight processes, whether or not they have experienced a material incident in the prior year.
While most security and business leaders are generally aware of the new requirements, it’s important to understand exactly what the changes entail and what tools are available to help with compliance. Below, we’ll break down the new requirements and highlight how breach and attack simulation (BAS) can support an organization’s ability to comply by enabling a proactive approach that accurately assesses and lowers cyber risk, while also providing the visibility necessary to ensure key stakeholders—like the board of directors and executive leadership team—can provide effective oversight.
What is Changing?
The first rule pertains to public disclosure following a “material” cybersecurity incident. Under the new rule, the affected company must file a Form 8-K detailing “the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”
The 8-K must be filed within four business days of when the affected company determines the incident was material. While there is no hard deadline for determining materiality of an incident, the SEC directs that companies “should develop such information without unreasonable delay.”
The rule also recognizes that not all relevant information about an incident may be known within four days of determining it is material. Affected companies are therefore directed to file amended Form 8-Ks when new information is discovered.
The second rule requires companies to add two elements to their annual 10-K filing:
- A description of their processes for “assessing, identifying, and managing material risks from cybersecurity threats.”
- A description of “the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
What is Material?
The term “material” features prominently in these requirements, and the SEC leaves it to each company to determine whether information is material, so it is worth understanding what the term means. The SEC defines “material” as any information where “there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered.”
To put this in context, if specific company information regarding a cybersecurity incident or cybersecurity practices might influence the average person’s decision to invest in that company, that information is material and must be disclosed under the SEC’s new rules.
Cybersecurity is a Business Issue
Based on the SEC’s new requirements for cybersecurity disclosure, it’s clear the SEC views cybersecurity as a business issue, and one that shareholders have a right to be informed about. Whether it’s a ransomware attack that locks employees out of their systems or results in the release of confidential information that shakes the market’s confidence in the company, or an attack on the company’s operational technology (OT) that brings production processes to a halt, cyberattacks have the capacity to directly affect a company’s business operations, and thereby its financial performance.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
How SafeBreach’s BAS Platform Can Help
BAS solutions, such as the SafeBreach platform, can serve as a powerful tool for enterprise organizations as they navigate and implement the new SEC rules.
First, by continuously simulating real-world attacks against an organization’s security ecosystem, the SafeBreach platform provides organizations with a clear understanding of how their security controls detect, prevent, or mitigate attacks across the entire cyber kill chain. Simulations can leverage attacks from the SafeBreach Hacker’s Playbook—the largest, most complete library of real-world tactics, techniques, and procedures (TTPs) of any BAS solution—or customized attacks that are relevant to an organization’s unique environment, industry, or threat intelligence feed. Not only does this level of visibility play a key role in reducing an organization’s risk, but it also serves as a foundational element in their ability to show the tools and processes in place for “assessing, identifying, and managing material risks from cybersecurity threats” as required by the SEC.
The SafeBreach platform also provides a number of features designed specifically to help organizations track risk and resilience in a consistent way and effectively communicate it with key stakeholders, like the board of directors and executive leadership teams. This includes a broad selection of reports, as well as out-of-the-box and customizable dashboards, to help stakeholders quickly understand existing gaps, evaluate and prioritize risks, and recognize security drift before it becomes a problem. The SafeBreach security posture optimizer also provides a single security posture score that allows organizations to accurately measure their baseline, track improvement over time, and align security program reporting, KPIs, and investments with business goals.
Finally, if a material attack does occur, SafeBreach can be transformative in identifying weaknesses that may have contributed, providing remediation advice, and retesting the resilience of the environment to ensure the gaps are closed.
Cyberattacks have the capacity to negatively impact stock performance, both directly and indirectly. An attack can cripple business operations to the extent that the company misses their revenue forecast. And there are plenty of examples of damage to brand reputation and a drop in share price in the wake of a large or well-publicized cyberattack.
But in the absence of an attack, could a negative perception of a company’s security posture result in loss of customer and shareholder confidence? It’s not such a stretch. An underlying implication of the SEC’s new rules on disclosure is that greater transparency on cybersecurity practices may very well create greater expectations that the companies we choose to do business with, or invest in, are proactively focused on cyber resilience from the boardroom down to the operations layer.
The SafeBreach platform can play a critical role in an organization’s ability both to implement this type of proactive approach to cybersecurity and to communicate it clearly to key stakeholders—like its board, customers, and shareholders. To learn more about how SafeBreach can help improve cyber resilience by validating security controls and monitoring your risk, schedule a discussion with an expert.