
Panaseer uncovers 12-fold increase in cybersecurity filings to SEC in Q1 2024

Cybersecurity specialist predicts up to 20x more reports than in 2023, piling pressure on CISOs and putting companies at risk of legal action.

New York, 18 June 2024 – Panaseer, a leader in security posture management powered by Continuous Controls Monitoring (CCM), has released a new blog analyzing the increased focus on cybersecurity posture in reports to the Securities and Exchange Commission (SEC). Panaseer warns this growth in reporting will place CISOs at real risk of legal action if their organizations’ statements do not match reality.

The Panaseer investigation into organizations’ annual 10-K filings reported to the SEC shows that, from January-May 2024, at least 1,327 filings mentioned ‘NIST’ (National Institute of Standards and Technology) – a key indicator that cybersecurity posture is present in a filing. This compares to just 110 during the same period of 2023 – a 12-fold increase – and 128 across the entire year. On current projections, Panaseer predicts up to 2,600 such filings across 2024 – a more than 20 times increase.

Putting pressure on CISOs

This will put pressure on CISOs for two reasons:

  1. The burden of additional cybersecurity reporting: December 2023’s new SEC rulings that incorporated cybersecurity risk into investor reporting mandated the inclusion of cybersecurity posture and processes in annual reports. Although CISOs won’t be directly responsible for compiling reports, they’ll need to work closely with the Enterprise Risk Management (ERM) team to ensure reports are accurate.
  2. The threat of legal action: Accurate reports demand a deep understanding of cybersecurity posture and risk exposure. Any discrepancies between reports and reality will be tantamount to lying to investors, leaving CISOs potentially facing charges. SolarWinds’s CISO, Timothy G. Brown, has already been charged by the SEC for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

“The SEC’s regulations will provide greater transparency, which is a positive step towards giving investors the full picture of an organization’s cyber risk posture,” says Nick Lines, Security Evangelist at Panaseer. “However, organizations must remember that the accuracy of these reports is critical. Cyberattacks are a fact of life for listed businesses, but companies have previously reported zero material cybersecurity threats across an entire year and there have only been 24 filings thus far in the year, which stretches belief. CISOs are in a delicate position: while investors will be put off by a poor cyber risk posture, the SEC will come down hard on inaccurate reports. Either way, CISOs will be in the firing line.”

New regulations

The new regulation applies to listed enterprises, with two separate SEC reports that apply to cybersecurity:

  • A 10-K filing – a comprehensive annual report of critical information including financial performance. Now, organizations must detail their approach to cyber risk management, including cybersecurity strategy; board oversight; and management’s role in cyber governance.
  • An 8-K filing – a report announcing major events shareholders should know about. This now requires businesses to disclose “material cybersecurity incidents” – which are likely to impact investors – in a timely fashion. These must be reported within four days after the determination of materiality.

To satisfy the SEC, these filings need to accurately portray cybersecurity posture. The new rulings also reflect an ongoing shift in the CISO’s role. While not solely responsible for organizations’ risk posture, CISOs need to accurately portray risk posture and security processes to the ERM team and the board. CISOs need to understand and communicate their company’s cybersecurity practices clearly, with a data-driven approach that enables factual filings.

As such, Panaseer recommends that CISOs direct their focus towards ensuring that there is oversight and assurance over the security tools they have, verifying that they are working correctly across every asset.

“As the regulatory landscape becomes increasingly complex, CISOs are getting caught in the crossfire. Yet while Business Intelligence and analytics tools have been commonplace in finance, sales, and leadership for decades, CISOs are left to rely on data from disparate tools with no single, trusted view. They’re forced to work with one hand tied behind their back, and the Sword of Damocles dangling over their heads,” says Jonathan Gill, CEO of Panaseer.

“As the stakes keep getting higher, CISOs need a system of record they can trust to ensure they are reporting accurately and in good faith. By having a unified view of every asset throughout a business – where it sits, who owns it, and who is responsible for its security – CISOs can turn the lights on. This contextual data empowers CISOs to quantify risk, plug gaps, and tell a story to the board and ERM team in language they’ll understand. CISOs can then enable a culture of accountability, holding colleagues accountable through a platform that translates security into the language of non-technical and technical stakeholders, each with their own relevant view of the same golden source of truthful data. This will enable CISOs to protect themselves on both sides: showing investors an improved risk posture, while presenting the most accurate picture to the SEC.”

To find out more about the SEC’s regulations and its impact on CISOs, visit Panaseer’s SEC page here.

About Panaseer

Panaseer is an enterprise cybersecurity company that helps organizations improve their security posture by continuously measuring whether controls are fully deployed and working effectively. It has been recognized by the World Economic Forum as a Technology Pioneer helping to solve the world’s most pressing issues.

Panaseer’s Continuous Controls Monitoring (CCM) platform gives CISOs a true picture of their security posture by measuring performance of their cybersecurity defenses against established frameworks and regulations. This enables them to take targeted action to reduce cyber risk and provide accurate data to stakeholders and regulators. CCM also drives more efficient use of resources through automated processes and improved prioritization.