SEC cyber disclosure: three new rules, six months on
The rules on SEC cyber disclosure have been in place for six months now. Are they having the desired impact of better informing investors about the cyber risk associated with an organization? In this blog, we'll look at the three rules and see whether they're achieving their intended goals.
What are the SEC rules and what do they mean for the cybersecurity industry?
As a reminder, there are three rules.
- 8-K Item 1.05: Cyber incidents. Disclosures of material incidents must be made within four days of discovery.
- 10-K Item 106(b): Risk management. Explain your cyber risk management processes.
- 10-K Item 106(c): Governance. Share details of oversight from the board and management.
As for any other material incident, you can read more detail in our whitepaper.
Are the SEC cyber rules having the desired impact?
In some ways yes, in some ways no. Annual disclosures make for interesting reading in their variety. The volume of incident disclosures so far is, I suspect, going to cause some debate. I’ve looked through the SEC cyber disclosures from the last six months and sourced a range of useful statistics. This article will look at mentions of specific keywords and phrases used in disclosures, comparing the difference between the first half of 2023 and the first half of 2024. We can use these to interpret how organizations are responding to the new SEC cyber rules in practice.
70×
That's the year-on-year increase in mentions of CISSP (the Certified Information Systems Security Professional accreditation, which is seen as a good indicator of expertise) in 10-Ks. It's gone from 5 mentions to 350, which is a huge increase. It's not surprising when you consider that part 2 of rule 106(c) demands disclosing "the relevant expertise of such persons or members" managing and assessing cyber risk. The verdict: Yes, this is a good thing and not unexpected.
22×
The year-on-year increase in mentions of NIST CSF (and variations) in 10-Ks, with 51 in the first half of 2023 versus 1141 in the first half of 2024. Again, given the requirements to disclose processes as per 106(b) part 1, this is no surprise and is welcomed. The verdict: Yes, and no surprise given the prevalence of NIST CSF.
13×
The year-on-year increase in mentions of NIST (and variations) in 10-Ks across the same timespan, with 221 in the first half of 2023 versus 3025 in the first half of 2024. The verdict: Yes, people were mentioning NIST before. It's no surprise that the CSF specifically shows a bigger year-on-year rise than NIST in general.
13×
Year-on-year increase in mentions of "Center for Internet Security" in 10-Ks.
There is no consensus yet on what good looks like for annual filings. There are examples in our SEC cyber disclosure whitepaper that might prove eyebrow-raising to the point of spraining a facial muscle. The frequency of security audit, assurance and oversight also varies when disclosed in 10-Ks, ranging from continuous to annual. It does seem clear, however, that recognised security frameworks are being used in annual disclosures to reassure investors that the filer takes cybersecurity seriously. Some businesses see this as a way to flex their maturity, detailing integration with existing Enterprise Risk Management processes and specific approaches for unique cyber risks. There is a general avoidance of disclosing specific vendors or partnerships, and most avoid any details of the technologies in use. As governance must be disclosed, there are also varied levels of detail in the oversight and assurance applied to cyber. This seems an obvious area for benchmarking.
From an investor's perspective, I'd like to read that people are auditing their security controls more than once a year. I believe that as time goes on, this particular SEC disclosure will help mature the overall approach to cyber risk and we will see an increase in disclosures. With the increase in cyber maturity, we should also see an uptake in solutions such as Continuous Controls Monitoring, which offers scope to provide continuous compliance, audit, assurance and oversight of control performance. This can be useful to inform investors that regulations are being followed. The verdict: Yes. Disclosure is good; it is helping investors understand an institution's approach to cyber risk.
8-Ks
These are filed when something’s gone wrong. Eyebrows, brace yourselves again. Across the whole of publicly traded companies in the US, there have been 27 8-K Item 1.05 filings in just over six months since disclosure was required, across 17 organizations. That’s right. Only 17 companies experienced a potentially material cybersecurity incident in the first half of 2024. Allegedly. And, of those 17:
- Nine believe incidents will not be material, and eight have not yet determined materiality.
- Eleven involved data breaches of one form or another, two disrupted operations and four merely found unauthorised access.
- Two were initially considered material but will not have an overall impact on results of processing, operations or financial status.
The mode and median for time from discovery to first SEC filing were both six days; the mean is just over ten days. Microsoft is the outlier here, filing a report in January for an incident first discovered in November, whereas UnitedHealth Group filed the day after discovering a data breach. It's hard to believe that, given everything happening, only 17 companies have experienced a cybersecurity incident they considered worth disclosing to the SEC. None have been determined as having a material impact, with eight as yet unresolved as to their materiality. And it seems the SEC is encouraging firms not to use Item 1.05 filings if the event wasn't material, instead recommending Item 8.01, which is used for "other events". Take into account the recent massive data loss at Ticketmaster, for which they filed an 8-K under Item 8.01 rather than Item 1.05, and didn't mention cyber security in the filing at all. This follows the SEC's latest guidelines, and I do not understand how this would help investors determine an organization's exposure to cyber risk one bit. The verdict: No. The numbers are so low, and the filings so lacking in detail, that it appears many businesses are not taking this rule seriously.
A final thought
For me, the SEC cyber rules are right now a dichotomy. On one hand, annual SEC cyber disclosure is shining a bright light onto an organization's security practices, management and governance. This will continue to force everyone to improve their approach to cyber risk. This is a very good thing, and it will be interesting to track whether more mature approaches disclosed in 10-K filings have an impact on stock prices. Watch this space! On the other hand, I find it very strange that only 17 companies have filed an 8-K Item 1.05. In the whole of the USA, there is not one cybersecurity incident that will have a material impact. Given that the SEC is currently suing an organization for misrepresenting its security posture, I cannot help but wonder what will happen when a serious cyber incident is discovered that was not disclosed. Do you believe cyber security across the approximately 6000 publicly traded companies is able to deliver such an astonishing result? I don't.
Panaseer can help you mature your approach to cyber risk and performance, assurance, oversight and governance. By adopting Continuous Controls Monitoring, you turn your NIST CSF assessments into a continuous, provable process that would serve to reassure investors. We also help you understand the business context and environment of every asset, even the ones not in your CMDB. This helps you make quick, informed decisions around materiality and support your disclosure teams. If you want to hear about our Continuous Controls Monitoring platform, get in touch or book a demo.