What the SEC cybersecurity disclosure mandate means for application security

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted rules that require all public organizations to disclose any material cybersecurity incidents that they experience. The mandate also requires that organizations disclose overall cybersecurity risk management, strategy, and governance. The SEC cybersecurity mandate will go into effect on December 15, 2023, and cybersecurity organizations are still figuring out how to properly prepare themselves. This blog provides an explanation of the SEC disclosure and what it means for application security, best practices, and how your organization can prepare for the new requirements.

What is the new SEC cybersecurity mandate about and what are the requirements?

The SEC cybersecurity mandate states that starting December 15th, all public organizations are required to annually describe their processes for assessing, identifying, and managing material risks from any cybersecurity threats on a Form 10-K. They must also detail their board of directors’ oversight of risks from cybersecurity threats in addition to management’s role and expertise in assessing and managing material risks from cybersecurity threats.

The mandate also declares that all public organizations are required to disclose any material cybersecurity incident on a Form 8-K within four days of determining that the incident is material. The organizations must describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact, including financial and operational. Notably, the mandate does not require disclosure “regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised.”

What constitutes a “material event” for application security?

The mandate provides some room for interpretation on what should be considered a “material” cybersecurity event. The SEC explicitly mentions evaluating the risk that the event would have any of the following impacts:

  • Harm to a company’s reputation
  • Harm to customer or vendor relationships
  • Reduction in competitiveness
  • Possibility of litigation
  • Regulatory investigations or actions by government authorities

Establishing standards for materiality within your organization is the crucial first step in determining how to report any cybersecurity incidents, including those on applications. Every organization’s CISO, CEO, and Board of Directors has the responsibility to determine what constitutes a “material” cybersecurity event for their organization.

Do material incidents on “third-party systems” require disclosure?

Acknowledging the high dependence of enterprises on applications hosted on/by cloud service providers, disclosure requirements also extend to security incidents involving these services. The mandate explains why this is the case: “A reasonable investor would [not] view a significant breach of a registrant’s data as immaterial merely because the data were housed on a third-party system …. materiality turns on how a reasonable investor would consider the incident’s impact on the registrant.”

Preventing “material events” is now more critical than ever

While the discovery of a critical vulnerability (e.g., an exploitable instance of Log4Shell) may not have immediate business impact, not remediating it promptly can easily lead to a material event. Given the high volume of vulnerability detection alerts and the level of effort required to analyze and remediate them, prioritization is more important than ever.

Regulatory risks are also increasing. For instance, the FTC has been increasingly active in pursuing penalties for data security and privacy practices. During the widespread Log4Shell incident in December 2021, the FTC issued the following statement in a press release: “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

What application security best practices should your cybersecurity risk management process consider?

As digital transformation continues to accelerate, the cloud applications underpinning today’s digital experiences become more complex and distributed. Not only that, but the growing reliance on a complex software supply chain that includes homegrown, third-party, and open-source software makes it more difficult to manage risk throughout the software development lifecycle. To address these risks, consider adopting the following application security best practices:

  1. Adopt a “zero-trust” mindset for application vulnerabilities. Don’t assume that applications are free of vulnerabilities because your organization has tooling — such as application security testing — and processes in place. Teams must continuously monitor runtime environments for leaked vulnerabilities and assess their scope and potential impact on their organization. It’s critical to identify vulnerabilities and weaknesses in applications as soon as possible before they get a chance to evolve into a cybersecurity threat that must be reported to the SEC.
  2. Conduct threat hunts for critical zero-day vulnerabilities. When zero-day vulnerabilities are discovered, they have often been lurking for months or even years. Their covert nature makes it important to verify whether there were material events during that time. A threat hunt for zero-day vulnerabilities is a proactive search or investigation aimed at identifying exploit attempts. With the insights from the threat hunt, teams can confirm whether a material incident occurred and take appropriate action.
  3. Continuously improve by monitoring application security feedback loops. Address the root cause of cybersecurity incidents by fixing vulnerabilities and security process gaps that allowed the incident to occur in the first place. This will enable your organization to revise its security policies and procedures to develop a plan of action and to prevent similar incidents from occurring in the future.

How should C-level executives and boards of directors prepare for the SEC cybersecurity mandate?

Executives and boards of directors must establish a solid foundation for their organization in preparation for the SEC cybersecurity mandate. Some ways to prepare include the following:

  • Educate your organization’s leaders. Many boards of directors and executives lack cybersecurity expertise. This makes it difficult to explain the threat of cyber risks and build an effective cybersecurity risk management approach. To avoid this, ensure all C-suite members understand general cybersecurity topics and the SEC cybersecurity mandate. Additionally, ensure they are aware of their roles and responsibilities during the process.
  • Assess the SEC cybersecurity mandate implications and pinpoint the definition of “materiality” for your organization. You may also have to define any timelines, deadlines, or critical components that can lead to a “material” impact on your organization.
  • Steer clear of a static approach to cybersecurity. Instead, emphasize a more dynamic approach that includes continuous monitoring and improvement of your cybersecurity risk management approach. Be sure to incorporate cybersecurity into every one of your organization’s strategies to ensure full coverage.
  • Foster effective and continuous cross-functional communication about the SEC cybersecurity mandate and process. Incorporate planned exercises and workshops to examine and enhance your organization’s readiness through feedback loops. This will help to eliminate as many snags as possible by the time the SEC cybersecurity mandate goes into effect.

How should security operations teams prepare? 

Security operations center (SOC) teams play a crucial role in an organization’s cybersecurity risk management approach. The SOC teams are typically responsible for monitoring, detecting, responding to, and mitigating security threats and cybersecurity incidents. They can do the following to prepare for the disclosure mandate:

  • Continuously monitor their organization’s network, systems, and applications to identify any abnormal or suspicious activity. SOC teams can use various application security tools to collect and analyze data for signs of potential security breaches.
  • Create training and awareness programs for employees to educate them about cybersecurity risks and how to recognize and report them properly.
  • Generate accurate and detailed documentation of all potential cybersecurity incidents, investigations, and responses. These are essential for compliance, post-incident analysis, and reporting.
  • Work to improve their organization’s security posture by analyzing incidents and applying lessons learned to enhance cybersecurity policies, procedures, and tools. 

How can observability and security help organizations prepare for the SEC cybersecurity mandate?

The SEC cybersecurity mandate compels organizations to work towards a more strategic approach to blocking cyber-attacks. It aims to help organizations consider their innate cybersecurity risk, governance framework, evaluation procedures, and remediation measures.

To prepare for the SEC cybersecurity mandate, organizations should embrace a platform that decreases risk, streamlines procedures, and delivers superior results. Next-generation AI-powered observability and security solutions are effective in continuously detecting and prioritizing vulnerabilities, providing insights for speedy remediation, blocking cyber-attacks in real-time, and fostering DevSecOps collaboration.

The Dynatrace platform leverages observability turbocharged by causal AI. This combination enables teams to distinguish real vulnerabilities from potential risks and prioritize remediation based on severity. Automated real-time analysis of the extent and severity of the exposure will help teams quickly determine potential materiality. With observability-powered application protection capabilities, material events can be averted as exploit attempts can be automatically blocked.

Finally, teams can leverage observability insights to document all reasonable measures taken to prevent business and customer disruption. In the event of a successful exploit, this audit trail could help prevent loss of reputation and regulatory action.

To learn more about application security challenges and best practices in global organizations, download the free 2023 Global CISO Report.