SEC cyber security filings on the rise as new reporting rules bite
There has been a 12-fold increase in cyber security filings to the US Securities and Exchange Commission (SEC) in the first five months of this year, following the introduction of new rules on cyber security disclosure last December.
Analysis by security firm Panaseer found at least 1,327 annual 10-K filings mentioning the National Institute of Standards and Technology (NIST) – used as a proxy indicator that a filing discusses cyber security posture – between January and May this year.
This compares to just 110 during the same period in 2023 – a 12-fold increase – and 128 across the entire year. On current projections, Panaseer predicts there could be up to 2,600 such filings across 2024 – a more than 20 times increase.
The new rules apply to SEC registrants (listed companies) and touch two separate filings.
The first is the 10-K, the comprehensive annual report that covers critical information including financial performance. Under the new Item 1C (Regulation S-K Item 106), organizations must describe their approach to cyber risk management, including cyber security strategy, board oversight of cyber risk, and management’s role and expertise in cyber governance.
The second is the 8-K, the current report that announces major events shareholders should know about. New Item 1.05 requires businesses to disclose a ‘material cyber security incident’ within four business days of determining that the incident is material; the clock runs from that materiality determination, not from the moment the incident is discovered.
“The SEC’s regulations will provide greater transparency, which is a positive step towards giving investors the full picture of an organization’s cyber risk posture,” said Nick Lines, security evangelist at Panaseer.
“However, organizations must remember that the accuracy of these reports is critical. Cyber attacks are a fact of life for listed businesses, but companies have previously reported zero material cyber security threats across an entire year and there have only been 24 filings thus far in the year, which stretches belief.”
To satisfy the SEC, these filings need to accurately portray cyber security posture, and any discrepancy between what is reported and reality could leave CISOs facing charges. The SEC has already charged SolarWinds and its CISO, Timothy Brown, with fraud and internal control failures over cyber security risks and vulnerabilities that were allegedly known to the company but not disclosed.
“CISOs are in a delicate position: while investors will be put off by a poor cyber risk posture, the SEC will come down hard on inaccurate reports. Either way, CISOs will be in the firing line,” Lines said.
Other aspects of 10-K filings are rather more encouraging, however. There has been a 70-fold increase in mentions of the Certified Information Systems Security Professional (CISSP) certification, which could be a sign that companies are citing qualified security expertise, as the new 10-K disclosure asks them to describe the relevant expertise of the managers responsible for cyber risk.
Meanwhile, there were 13 times as many mentions of ‘Center for Internet Security’, indicating that recognized security frameworks are being cited in annual disclosures.
“On one hand, having annual SEC cyber disclosure is shining a bright light onto an organization’s security practices, management and governance. This will continue to force everyone to improve their approach to cyber risk,” Lines commented.
“On the other hand, I find it very strange that only 17 companies have filed an 8-K Item 1.05. In the whole of the USA, there is not one cybersecurity incident that will have a material impact. Given the SEC is currently suing an organization for misrepresenting its security posture, I cannot help but wonder what will happen when a serious cyber incident is discovered that was not disclosed.”