The US Securities and Exchange Commission (SEC) is the primary regulator of the securities industry in the US, tasked with protecting investors. In line with this mission, the SEC issued a final ruling in 2023.
This ruling requires public companies to report their cybersecurity risk management, strategy, governance, and incidents. Public companies must report a "material" cybersecurity incident through a Form 8-K filing within four business days of determining that it is material.
They must also outline their processes for assessing, identifying, and managing material risks from cybersecurity threats. This includes detailing their overall governance of cybersecurity risks, particularly the roles and expertise of management and the board’s oversight. Companies report this information to the SEC via S-K Item 106.
While public companies in the US are already required to report data breaches through various US state, federal, and international laws, these differ from the SEC regulations.
The SEC's focus on "materiality" offers a unique lens through which risks and incident reporting are evaluated.
Materiality, as defined by the US Supreme Court, means "the substantial likelihood that a reasonable investor would consider it important."
From a CISO’s perspective, the new regulations impose several challenges. These are:
Understanding and publicly communicating the company’s risk and incident management processes.
Responding effectively alongside other company teams during an incident in a way that meets disclosure requirements.
Having a cybersecurity team that is trained and skilled in timely assessment, analysis, and reporting of material breaches.
The key difference between the SEC regulations and other laws is the principle of materiality to investors and the financial markets as a whole.
US state and federal regulations, on the other hand, are principally concerned with the breach of personal information and information that could pose a threat to national security or the security of critical infrastructure.
This new scope means that reportable incidents are now broader than before. The question of establishing materiality is also more complicated than simply assessing if the information stolen or impacted was personal or confidential.
In response, CISOs must ensure that their risk governance process incorporates an understanding of materiality. The thresholds for materiality will need to be established together with other members of the C-Suite and the company’s board.
Because materiality is from the perspective of the shareholder and not necessarily the company, the thresholds will likely lower the levels of acceptable risk that the board may have set previously.
The entire risk assessment process will need to be re-calibrated to this new measure.
As the test of materiality is as seen from the shareholder’s perspective, it will be assessed on a largely financial impact basis. This is probably the strongest argument for a quantitative approach to risk assessment.
In quantitative risk assessment, the financial impact of a cyber incident is calculated. This data can help decide whether an incident is material and, subsequently, communicate the impact of the incident to the SEC.
Quantitative risk assessment standards such as FAIR already have recommendations for materiality assessment.
The SEC regulations hope to standardize the response of public companies to cybersecurity incidents. Whereas a company in the past may have been tempted to “control” the release of information regarding a breach to the public for fear of its impact on its business, this decision has now been made for organizations by the SEC.
It hopefully means that companies take the process of cybersecurity risk seriously and that all staff, from the board down, are committed to the implementation of its management.
Staff will need to be trained on the risks of material cybersecurity incidents. The new controls for managing the material risks may involve changes in the way the company operates, and staff may require retraining or re-skilling.
CISOs, along with senior staff from other areas—such as legal, accounting, business, operations, and PR—will need to establish a work process to ensure a company can determine the materiality of an incident.
This will require CISOs/security leaders to:
Define a materiality policy for the company.
Determine what changes are required to metadata for all assets that could be involved in an incident.
Ensure that metadata necessary for materiality determination can be collected and reported in the event of an incident.
Establish a team of people who can take the information provided from an incident and determine materiality within the time constraints required by the SEC.
Create clear reporting lines and expected forms of communication in the event of an incident for all relevant parties to be kept informed.
Ensure that communication with the SEC and other external parties is part of the overall strategy.
The CISO will be responsible for managing changes to incident response to be able to meet the requirements of the SEC regulations.
The SEC regulations require that the company report an incident within four (4) business days of a determination of a material breach. This places more importance on a company’s ability to detect and respond to cybersecurity incidents.
A company should have an incident response plan in place, and this will need to be modified to include an assessment of whether an incident is material or not.
This will require assessments from staff from other sections of the company who can assess the affected systems and information for level of impact.
This in turn will require effective communication, monitoring of responses, and then an overall assessment, potentially by a material incident response group established for this purpose.
This group is sometimes referred to as a “Materiality Assessment Team”. Incident responders should collect appropriate metadata from the incident and be able to pass it to this team. A threshold should be set for materiality based on an estimate of the balance of probabilities that a material incident has occurred.
Again, these changes should only be additional responsibilities on a process that already exists to manage any cybersecurity incident.
Roles will need to be assigned to an individual or group responsible for completing the required Form 8-K.
Since incident response is often an ongoing process, there may be obligations to update the SEC with changing circumstances. Companies are allowed to file a Form 8-K without a materiality determination, simply stating that the determination is in process.
Even though an individual incident may not reach a materiality threshold, incidents collected over a period of time may together reach the limit. Each incident needs to be reviewed in the context of other incidents that occurred previously.
This may also be the case for related third-party cybersecurity incidents that could potentially have an impact on the company.
Regular audits, reviews, and effective tabletop exercises (TTXs) are an essential part of a risk management cycle. The main purpose of these exercises is to:
Determine whether the risks and controls are still relevant and effective given the changing needs and business environment.
Test that the risk management strategy is functioning as expected.
Audits and reviews should be conducted by both internal teams on a regular basis. Internal teams should have different reporting lines to the CISO to avoid conflicts of interest, although this may not be possible if there are not sufficiently qualified staff in other areas capable of carrying out the reviews.
The outcomes of audits and reviews should be fed back into the cycle and adjustments made to incorporate the findings into the risk assessment, treatment, or other parts of the overall cybersecurity risk management process.
Part of the ability to review a risk management implementation in a company is the ability to measure its effectiveness, comparing these measures to performance indicators established by the committee responsible for oversight.
For the SEC regulations, this should include the:
Time to detect an incident
Time to determine materiality
Time to report to the SEC in the event of a material incident
Reviews would also determine if the correct metadata was collected during an incident and whether this metadata was adequate for a correct determination of materiality.
The SEC’s overall aim with their cybersecurity incident reporting regulations was to standardize how, and when, companies report a cybersecurity incident to their shareholders and the markets as a whole.
There is a hope that with these regulations, companies will regard cybersecurity as an essential component of their business and not simply a “nice-to-have” burden on their bottom line.
For well-run companies that do have a cybersecurity-first approach, adding the SEC requirements to existing risk management processes should not be too difficult.
For companies that have not focussed efforts and budgets on cybersecurity, the regulations provide an opportunity to put in place a first-class risk management process that accommodates the SEC requirements and more general requirements for digital security.
CISOs, if not already, should be at the center of a cybersecurity risk management strategy for the company and should have well-established relationships with other internal partners. This includes the board and appropriate committees, the rest of the C-Suite, internal audit, investor relations, and the legal teams of the company.
The CISO should also ensure that their entire team can put into practice the principles of risk management and understand their role in that strategy. This means they need to be properly skilled for not only their specific work but also for the more general needs of the company.
Author bio: David Glance (CyberMnemosyne), Senior Research Fellow, University of Western Australia
Dr. David Glance is a cybersecurity consultant and Adjunct Senior Research Fellow at the University of Western Australia. He has taught and carried out research in the areas of cybersecurity, privacy, and electronic health.
Dr. Glance has also worked in the finance and software industries for several years and has consulted in the areas of eHealth, cybersecurity and privacy for the OECD and WHO.
He is the author of articles and books on cybersecurity.
Author bio: Dan Magnotta (Mags22), HTB Federal Business Development & Capture Manager, Hack The Box
Dan Magnotta is an accomplished professional in cybersecurity and intelligence operations with more than a decade of experience in the military and private sectors.
His career began with dedicated service to the U.S. Department of Defense, where he played critical roles in the U.S. European Command and U.S. Special Operations Command Europe, contributing significantly to cutting-edge cyber strategies.
In addition to his civilian role, he serves as an LCDR in the U.S. Navy Reserve, showcasing his leadership and dedication as an Executive Officer for a Navy Reserve Unit. His expertise in cybersecurity, operational analysis, and strategic planning is extensive.
At Hack The Box, he tailors solutions to meet the unique requirements of government agencies and organizations worldwide, leveraging his deep understanding of both military and civilian cybersecurity needs.