SEC Cyber Rule: A Primer for Practitioners by Alex Sharpe


Please check out this guest blog post by Alex Sharpe, a Cyber Security Expert with decades of experience.

The SEC Cybersecurity Rule is designed to provide transparency so investors can make informed decisions. The rule effectively imposes two requirements on publicly traded companies. The full rule can be found here.

The SEC has three missions:

  1. Protect investors.
  2. Maintain fair, orderly, and efficient markets.
  3. Facilitate capital formation.


What does the rule say? This rule (first of three) clearly maps to the first mission while setting the stage for future rules addressing the remaining two missions.

  1. Publicly traded companies must disclose material information regarding their cybersecurity risk management, strategy, and governance practices yearly as part of their 10-K filing.
  2. Publicly traded companies must report, via an 8-K, material cybersecurity incidents within four business days of determining the incident is material. This timeline may be extended IF federal law enforcement determines the disclosure would harm national security or pending investigations.


The SEC has been issuing Cybersecurity guidance since 2011.

Why 10-K and 8-K? Simple: 10-Ks and 8-Ks are the well-established, long-standing mechanisms for reporting similar non-cybersecurity matters. Both 10-Ks and 8-Ks have been required since 1934. Requiring cyber to use these reporting mechanisms is simply a recognition of cyber as a business imperative.

What is material? Material is a cornerstone of SEC regulations going back to just after the Great Depression. The U.S. Supreme Court held an item is material if there is “a substantial likelihood that the … fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”[i]

Sounds fluffy? Sort of. There is case law and precedent. If you are part of a publicly traded company, you should already have a policy and a procedure to determine and report materiality. The best next step is to find it, identify the owner, and meet with them. This is your opportunity to help them understand cyber, and for you to understand the business.

Harmonization and Consistency. The proposed rule is very consistent with other rules, regulations, standards, and legislation. The main differences are reporting within four business days instead of the seventy-two hours seen elsewhere, and the use of 8-Ks and 10-Ks as the reporting mechanism.

How does this alter incident response plans? Work with senior leadership to understand what information they need and when. Remember, ignoring a materiality decision will only get you in trouble. Spend time educating your senior leadership on cyber and collaborate with them to craft criteria and milestones for communication with senior leadership and the board. Existing policies, procedures, and Incident Response (IR) plans will need to be updated.

Reduce likelihood and impact; detect fast, recover quicker. Incidents will continue to happen. You will avoid a lot of problems and your life will be easier by detecting faster, recovering quicker, and limiting the Blast Radius. Looking at the numbers, internal teams only detect about one third of all incidents, and it takes almost nine months to identify the typical incident. The real figure is much higher once we set aside the incidents where the attacker makes us aware of the incident.


Who Detects a Breach?

  • 33% Internal teams and tools
  • 27% Attacker (e.g., Ransomware)
  • 40% Benign third parties and outsiders


IBM Cost of a Data Breach Report. Globally, across sectors:

  • 204 days to identify and 73 days to contain a breach.


Financial sector:

  • 177 days to identify and 56 days to contain.


What’s Next? The recently passed cyber rule applies to publicly traded companies and the SEC’s first mission of protecting investors. A second rule is in flight that applies to ALL market participants – publicly traded and privately held. That proposed rule and submitted comments can be found here. There has been some discussion of a third rule to address the SEC’s third mission. So far, nothing has been posted for public comment.


[i] TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976); see Basic, Inc. v. Levinson, 485 U.S. 224 (1988) (as the Supreme Court has noted, determinations of materiality require “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him….” TSC Industries, 426 U.S. at 450); see also FASB, Amendments to Statement of Financial Accounting Concepts No. 8—Conceptual Framework for Financial Reporting—Chapter 3, Qualitative Characteristics of Useful Financial Information (Aug. 2018), available at https://fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1176171111614; see also SAB No. 99.
