By Issak Davidovich, CTO
SEC Announces New Cyber Incident Disclosure Rules
The Securities and Exchange Commission (SEC) unveiled new regulations on Wednesday that will compel publicly traded companies to promptly disclose cyberattacks and data breaches. In a bid to enhance transparency and accountability, publicly traded companies must now report significant cybersecurity incidents on Form 8-K within four business days of confirming an attack has taken place.
For the automotive industry, these new disclosure requirements may shed more light on cybersecurity practices as vehicles become increasingly connected. With reports of data breaches, CAN injections, EV charging stations being compromised, and more, investors and consumers alike will gain more visibility into how automakers address potential vulnerabilities in their products, systems, sub-systems, and components.
Transparency and Accountability in Incident Reporting
Under the new regulations, companies must furnish comprehensive information regarding the nature, scope, and timing of the attack, along with any affected data or business operations. Additionally, ongoing efforts to rectify the situation must be disclosed. However, it is important to note that companies are not obliged to disclose specific details that might jeopardize their security or response capabilities.
Here’s the detailed information that must be disclosed on Form 8-K (if available at the time):
1. The date of discovery and status of the incident (ongoing or resolved).
2. A concise description of the incident’s nature and extent.
3. Any data that may have been compromised, altered, accessed, or used without authorization.
4. The impact of the incident on the company’s operations.
5. Information about ongoing or completed remediation efforts by the company.
Smaller companies (companies with less than $100 million in annual revenues) have been given a generous 180-day extension before they are required to comply with the new 8-K disclosures. However, it is important to note that these rules have a clear objective: to enhance transparency regarding cyber risks and empower investors to make well-informed decisions.
SEC Chair Gary Gensler suggests that companies and investors would greatly benefit from disclosing information in a consistent, comparable, and decision-useful manner.
Improvements in Cybersecurity Risk and Defense
While challenging for some, the new disclosure requirements are a step toward better informing investors and holding companies accountable for cybersecurity risk management. As Lesley Ritter of Moody’s Investors Service noted, increased transparency should ultimately “spur improvements in cyber defenses.”
The rules come more than a year after the SEC first proposed mandatory cyber incident reporting in March 2022. Their adoption follows rising concerns over cyberattacks aimed at critical infrastructure and growing data breach threats impacting organizations of all types and sizes.
Frequently Asked Questions
1. In the automotive industry, we tend to separate IT incidents and the OEM’s “Products” (vehicles) incidents – are the new rules relevant for Vehicle Cyber Incidents?
Cyber incidents on connected vehicles can have a major impact on the company. For example, during the TARA work, the EVSec Platform guides the assessor to consider not only the impact on road users but also the impact on the brand and the business. So it’s our understanding that vehicle incidents are included.
2. As a car maker, how am I expected to understand the impact of a vehicle’s cyber incident in 4 days? This process alone usually takes weeks.
This very good question reveals the gap between IT security incident response and vehicle incident response. Leveraging a CSMS (Cyber Security Management System) platform with SBOM, HBOM, and vulnerability management built in, including advanced risk assessment capabilities and automation, can shorten response times from weeks to days.
3. What incidents require reporting, and what information must companies disclose?
Companies need to report cyber attacks and data breaches considered “material” – incidents shareholders consider important for investment decisions. Companies must disclose information regarding cybersecurity incidents, including the nature, scope, and timing of the attacks and any affected data or business operations. They also need to report on their ongoing or planned remediation efforts.
4. Can cybersecurity incident disclosures be delayed?
Yes. The SEC may allow delays if the Attorney General determines immediate disclosure would pose a national security or public safety risk.
5. Is anyone exempt from the new rule?
Smaller companies have been given a 180-day compliance extension before needing to adhere to the new 8-K disclosure requirements.
6. When will the new rules go into effect?
The final rules, adopted at a Commission open meeting on July 26, 2023, will become effective 30 days following the publication of the adopting release in the Federal Register. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.