Since the SEC’s updated cybersecurity disclosure rules came into force in December, many CISOs have felt a sudden shift in the pressures they are under. Not only do they carry the burden of additional cybersecurity reporting, but signing off on reports that turn out to be inaccurate, or worse misleading, could expose them personally to legal action.
We need to remember that cybersecurity, and so the CISO’s role itself, is a relatively young vocation. Travel back 20 years and for most organizations cybersecurity was part of the wider IT function, focused purely on perimeter defenses and technical controls. Fast-forward to the present and we have seen a constant, still ongoing shift as CISOs have become a central component of business governance and risk management. This means not only understanding the organization’s cybersecurity practices and posture accurately, but then communicating that understanding accurately and effectively to the board and the Enterprise Risk Management (ERM) team. Understanding the SEC’s new rules will be essential to enabling this factual, data-driven approach.
Between a rock and a hard place?
At their heart, the changes seem straightforward. Listed companies’ 8-K filings – reports announcing major events shareholders should know about – and 10-K filings – comprehensive annual reports of critical information including financial performance – now need to describe the company’s cybersecurity risk management, strategy and governance accurately. However, the definition of what demands an 8-K filing has also expanded. “Material cybersecurity incidents” must now be reported within four business days of the company determining that the incident is material, and that materiality determination itself has to be made without unreasonable delay after the incident is discovered. The four-day clock, in other words, starts at the materiality decision, not at the moment of the breach, but the decision cannot be deferred to buy time.
There is a clear value to these regulations. They increase transparency, and by covering cybersecurity posture they allow investors to better understand the risk level of their investments. But they also add to the growing regulatory burden on enterprises, alongside the European GDPR, the California Consumer Privacy Act, and a wealth of privacy laws facing organizations looking to do business in Australia, Brazil, China, or the EU.
This in turn puts organizations in a crossfire. The SEC will punish inaccurate, or worse misleading, reporting, while investors may balk at a report that, while accurate, presents what they see as increased risk. CISOs need to help legal counsel and the others who make disclosure decisions ensure that the company does not become a target from either direction.
Twin dilemmas
Specifically, CISOs need to deal with two additional burdens. First is the threat of legal action. If a CISO’s reports are seen to mislead investors about the company’s exposure to cyber risk, the CISO will be in the SEC’s sights. A failure to accurately report allegedly known cybersecurity risks and vulnerabilities has already seen a CISO face fraud charges.
Second, the reporting burden from 8-K and 10-K filings will inevitably increase. Working closely with the ERM team will be crucial to making sure reports are accurate. The good news is that regulators recognize that, in cybersecurity, nothing is foolproof: what the rules penalize is misrepresentation, not the existence of risk. If CISOs can show they have the right controls in place, and critically that these controls are continually monitored to confirm they have been implemented correctly and are working as intended, they can substantially reduce their legal exposure. The bad news is that this may be easier said than done, especially as the volume of reports soars.
Looking at the numbers
To measure whether the reporting burden on CISOs had increased, and whether enterprises were putting themselves at risk, we analyzed SEC cyber disclosures from the first half of 2023 and compared them with those from the first six months of the new regime in 2024.
There is no doubt that cybersecurity is now a major element of 10-K filings. With listed companies feeling obliged to describe their posture in filings, mentions of NIST (the National Institute of Standards and Technology) increased from 221 in the first half of 2023 to 3,025 in the first half of 2024. That is an increase of nearly 14 times year-on-year, and it would be no surprise if the number passed 4,000 by December.
Conversely, 8-K filings told a different story. The number of reported cyberattacks is consistently growing, and most enterprises might be expected to be hyper-alert to any potential breach and report it as such. Yet we found only 17 potentially material cybersecurity incidents across 4,000+ listed US companies.
Only a fraction of a percent of all companies reporting a “material” incident seems implausibly low. Even more so when you consider that none of these 17 companies would confirm that the incident was severe enough to count as “material”. The most worrying interpretation is that there is a mass of material incidents waiting to be discovered, and a matching mass of filings that will have to be corrected after the fact.
Defusing the time bomb
This growing burden shouldn’t be an issue for CISOs who can understand and communicate their posture. The challenge is that, while business intelligence and analytics tools have been commonplace in finance, sales, and leadership for decades, CISOs have been left to scrounge data from disparate tools with no single, trusted view. Without a clear view of risk, it is near impossible to turn that picture into clear action and strategy, translate risk into business vernacular, and influence the necessary people.
Security teams need to validate the data they are working from against multiple sources to reach a single source of truth. By shining a light on coverage gaps and giving context to threats, businesses can improve governance and risk reporting and reduce cyber harm. Ultimately, whether reporting to the ERM team, investors, or the SEC, the CISO can then use a language the audience will understand and ensure that everyone is held accountable.
This will not only reduce the reporting burden and give investors greater confidence. It will also ensure that breaches cannot become a time bomb under the organization, waiting to be detonated by one incorrect 8-K or 10-K report.