Proposed U.S. Securities and Exchange Commission (SEC) rules, expected to take effect in the spring of 2023, would require listed companies to report material cyberattacks to investors and other stakeholders through their SEC filings. The proposal builds on the 2011 interpretive guidance released by the Division of Corporation Finance, which the Commission reinforced and expanded in 2018.
Although cybersecurity disclosure and governance have improved since then, disclosure practices have remained inconsistent, and another revamp of the rules has been called for. The push also follows the war in Ukraine, which has sharply expanded the cyberthreat landscape and driven an increase in nation-state cyberattacks; average weekly attacks per organization worldwide now exceed 1,130.
The SEC proposal would require current reporting of material cybersecurity incidents on Form 8-K. It would also require periodic disclosure of, among other things, a registrant’s policies and procedures for identifying and managing cybersecurity risk, and a summary of management’s role in implementing those policies and procedures. The board of directors would be expected to describe any cybersecurity expertise among its members and how it oversees cybersecurity risk. Updates on previously reported material incidents would become routine, and all of these cybersecurity disclosures would be tagged in Inline eXtensible Business Reporting Language (Inline XBRL).
The Introduction of Stricter Cyber Legislation
The proposed amendments are designed to better inform investors about an organization’s cyber defensive capabilities and to ensure prompt reporting of material cybersecurity incidents. A growing body of cyber law and regulation would intensify pressure on organizations to communicate more clearly with customers and investors about the safety of their data and the measures being taken to defend against an attack that, for most organizations, is a question of when rather than if. Mandatory disclosure would compel companies to state how they safeguard information, and therefore investments; knowledge the SEC believes customers and investors are entitled to.
The proposal would require a registrant to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at the breach itself). It would also require periodic reporting that updates previously disclosed incidents and describes the company’s preparedness. The aim: to hold businesses accountable for the state of their security program and their resilience against adversary attacks.
The proposal has, however, drawn objections and calls for withdrawal from Fortune 100 companies, which fear that mandatory disclosure will depress share prices and stakeholder demand. When breaches expose highly sensitive information such as credit card or Social Security numbers, share prices drop by an average of 22%. The SolarWinds campaign, classified as an espionage operation, sent the company’s share price sharply lower in the weeks after disclosure. Although continuous, comprehensive, and effective cybersecurity practice is crucial from both a customer and a financial perspective, many businesses are still unaware of the measures they can take to mitigate risk and protect their critical infrastructure.
A Rapidly Growing Threat Landscape
The Feb. 24, 2022 attack on the Viasat satellite network was the marquee cyber operation of the war. Attributed to Russian military intelligence, it aimed to degrade communications and disrupt connectivity, with effects felt in several European countries. A Microsoft report covering July 2021 through June 2022 also found that the share of nation-state attacks targeting critical infrastructure jumped from 20% to 40%, largely due to Russia’s sustained attacks on Ukraine’s critical infrastructure.
Although this may seem like a problem distant from the commercial sector, cyberattacks rank as the biggest risk facing businesses in 2023. As technologies such as artificial intelligence and quantum computing mature, the risk to the commercial sector continues to grow. Ransomware gangs have already shifted their focus toward Europe: in the first half of 2022 there were 63% more attacks on European organizations than in the previous six months. In the U.S., losses from hacking incidents were up 64% year-over-year.
What Does Excellent Cybersecurity Disclosure Look Like?
Cybersecurity best practice and disclosure are now a necessity for every business or organization that operates online. Tighter cyber regulation will push companies to implement effective controls across the whole of their systems. The proposed changes would require companies to show evidence of continual improvement in protecting their networks and servers. Having disclosed a breach, a company would then be expected to report on how it is addressing the problem to keep customer data safe and reduce the risk of a repeat. Because an incident must be disclosed within four business days of being judged material, organizations need to have answers quickly.
By investing in cyber defense capabilities developed for military use, such as cyber ranges, companies can test their defenses to failure and mitigate risk. Now more than ever, governments, nation states, and enterprises are under pressure to deliver battle-ready cybersecurity in the wake of the Ukraine war. Cyber ranges have become instrumental in protecting vulnerable systems, particularly critical infrastructure. Inside NATO’s Cyber Range, armies prepare to defend against nation-state attacks by running the same tactics, techniques, and procedures used in high-profile attacks against a high-fidelity replica of their own systems.
Businesses in 2023 likewise need to test and safeguard their systems before a large-scale attack arrives. By investing in cyber range technology, they can improve their capacity to test, evaluate, and report on the effectiveness of their defenses, including their people and processes, not just their tools. Exercising defenses before the real event means an organization knows how it will perform when its resources are put to the test. Testing in a safe, simulated environment shows a business how effective its current defensive tooling is and where its cyber capabilities end.
Businesses Must Take Action Now
As cybersecurity risks increase, broader regulation is necessary to address the growing threat landscape. At present, an estimated 85% of cyberattacks go unreported by the companies that suffer them, and cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025.
As organizations increasingly fall victim to these attacks, regulators have awoken to the importance of setting cybersecurity requirements for companies. The goal: to ensure businesses are doing everything in their power to assess, monitor, and stop attacks in their tracks.
With the new SEC rules fast approaching, companies should be taking the initiative to inventory, monitor, and secure their infrastructure, mitigating the risk of data leaks and cybercrime that could prove crushing to their bottom line. Organizations now face the same threats as governments: they are targeted by nation state-backed groups seeking to exfiltrate sensitive data and advance a cyberwar that already transcends geographical boundaries.
The proposed SEC rules would give governments a better handle on the magnitude of the current threat landscape, and incident disclosure can help companies and government bodies identify malicious activity on their own networks. Businesses should also treat the rules as an opportunity to show investors and customers that they are doing everything within their power to prevent, detect, and defend against attacks.
Cyber ranges can provide empirical evidence to customers that an organization is regularly testing and improving its defenses against the latest threats. Measuring the effectiveness of people, processes, and technology on a cyber range helps organizations thwart attackers and manage their cyber risk. A well-run cyber range program also helps a business demonstrate adherence to regulatory standards while reassuring customers, shareholders, and investors.
William Hutchison is CEO of SimSpace, a cybersecurity solution provider for enterprises, governments, and critical infrastructure.