Is It Material? Staying Compliant With SEC Cyber Disclosure Requirements
Michael Clark
November 19, 2024
The 2020 SolarWinds breach was a wake-up call for many in the cybersecurity space, and the U.S. Federal government was no exception. Not only did the U.S. Securities and Exchange Commission (SEC) level formal charges against SolarWinds and its CISO, it is widely believed that this high-profile incident led to the 2023 creation of the SEC’s public company cybersecurity disclosure rules.
What do these regulations require? Read on to learn how your organization may be affected, and how the deep network visibility provided by RevealX can help you meet SEC and other cyber incident reporting requirements.
SEC Incident Disclosure Requirements
In July 2023, the SEC adopted new rules that require registrants to disclose material cybersecurity incidents and to annually disclose material information regarding their cybersecurity risk management, strategy, and governance. Foreign private issuers—non-governmental companies that are incorporated outside the United States, but conduct business within the U.S.—are also required to make comparable disclosures through slightly different means.
SEC registrants that experience a “material” cybersecurity incident must file a Form 8-K within four days of determining materiality. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a risk to national security or public safety. According to a senior Justice Department official, such delays have been necessary several times since the rules came into effect.
In the 8-K, registrants must describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. For example, in the 8-K MGM Resorts filed following a 2023 cybersecurity breach, the company described the specifics of the incident, including the date of the incident and types of customer information accessed by threat actors, as well as the estimated $100 million impact to its EBITDAR and the $10 million expenses it incurred related to the incident. The filing further details the company’s belief that the impact of the incident would largely be contained to the third quarter of 2023 and that the incident would not have a material impact on its financial conditions and results of operations for the year.
In May 2024, the SEC clarified that registrants may also voluntarily disclose incidents that may be significant, but which they have not yet determined to be material, through a separate process.
Additionally, the SEC now requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in their annual 10-K reports. Further, registrants must describe whether any risks from cybersecurity threats, including threats resulting from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Organizations must also describe the board of directors’ oversight of risks from cybersecurity threats as well as management’s role and expertise in assessing and managing risks from cybersecurity threats. For instance, MGM Resorts, in the company’s 10-K for fiscal year 2023, acknowledges the September 2023 incident, describes its annual processes for auditing its cybersecurity program, and provides information on the role and expertise of the company’s CISO, among other details.
Foreign private issuers will also be required to make comparable disclosures, albeit through different means. These organizations must furnish, via Form 6-K, information on material cybersecurity incidents that they are required to make public in a foreign jurisdiction, to any stock exchange, or to security holders. Similar to the annual disclosure requirements for U.S. companies, foreign private issuers must make periodic disclosures of their cybersecurity practices via Form 20-F.
Companies that violate these requirements will face stiff punishments. In late October 2024, the SEC charged four current and former public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions related to the SolarWinds breach. The four companies agreed to settle the charges by paying civil penalties ranging from $990,000 to $4 million. Additionally, the SEC has issued fines up to $60,000 for untimely filing in cases where the notification of late filing was also deficient. As the SolarWinds breach illustrates, criminal charges may also be filed against companies and their officers for breaches, or for overstating their cybersecurity practices and under-reporting cybersecurity risks and incidents.
How RevealX Can Help You Meet SEC Reporting Requirements
Meeting the rigorous requirements of the SEC’s reporting obligations will require organizations to quickly investigate incidents to determine their materiality by the mandated deadlines. RevealX provides rich information about network traffic flows, devices, the payloads of packets, and more, enabling organizations to understand the scope, impact, and potential materiality of an incident at speed.
By combining full packet capture (PCAP) and analysis with SSL and TLS 1.3 decryption capabilities, RevealX provides organizations with the ground truth about what’s happening on their network, which devices are communicating with each other, what data is being transmitted, and more. Decryption is critical for defenders because threat actors frequently use encrypted channels to evade detection, and they often encrypt data before they exfiltrate it during a ransomware attack. RevealX enables security teams to see whether encrypted data or traffic contains personally identifiable information or other sensitive data that could affect the materiality of an incident.
Other network detection and response (NDR) solutions that don’t capture full packets, that only use NetFlow data, or that don’t decrypt traffic can’t provide organizations with the same level and amount of detailed, accurate data that RevealX can. Analysis of packet headers and other metadata from NetFlow sensors can only confirm an attack; it cannot reveal the truth about the attack chain, what was compromised, and whether the breach is material.
RevealX takes advantage of real-time stream processing and cloud-scale machine learning to provide these essential detection and investigation capabilities at unmatched speed and scale. Full PCAP analysis and decryption used to be out of reach for many organizations, but the architecture and technical capabilities underpinning RevealX have made it highly efficient and accessible.
Download our e-book for best practices from experienced CISOs on how to communicate with executives in the aftermath of a breach.