The clock is ticking: SEC reporting rules hit in December

Security operations · 4 MIN READ · GREG NOTCH AND ANDREW HOYT · NOV 30, 2023 · TAGS: Tech tools

Since the Security and Exchange Commission (SEC) announced its new cyber incident disclosure rules on July 26, 2023, security leaders of public companies everywhere have been counting down the days until December 15, when the new rules are set to go into effect. We talked about the rules when the SEC first released them, which require publicly traded companies to disclose “material cybersecurity incidents” within four business days. Public companies will also have to share details about their “cybersecurity risk management, strategy, and governance” on an annual basis.

Many security leaders, CEOs, boards of directors, and lawyers have more questions than answers, like:

• What incidents do I need to report? What does “material incident” mean?
• Once I identify an incident that needs to be reported, how do my teams and I investigate fast enough to meet the 4 day reporting window
• How do I document all of this information in a way that not only meets the SEC requirement, but is understood by shareholders?
• Who can I work with to get answers to questions the SEC may have for me that my team and I may not be equipped to answer?

And the recent news of the SEC’s charges against SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown bring the SEC’s rules into even sharper focus. Brown allegedly misled investors about SolarWinds’ cybersecurity practices and risks. No matter your feelings about these charges, it certainly puts added importance on the SEC rules.

Adding another wrinkle is the fact that threat actors aren’t making things easier. The ALPHV/BlackCat ransomware group recently filed an SEC complaint against one of its victims, MeridianLink. This is an extremely bold move by ALPHV/BlackCat, which we plan to explore in an upcoming blog post. This presents an escalation in pressure for the victim beyond the ransom itself, potentially exposing the company to losses in valuation via its stock price and exposure to action by the SEC (even though the new disclosure rules haven’t gone into effect yet).

These recent incidents show public companies what a complicated morass this whole situation is.

How can Expel help?

These SEC requirements and their impact are new and evolving. As with everything we do at Expel, transparency is key. Even though we don’t have all the answers, Expel can still help public companies put themselves in a good position to do the necessary reporting if they’re breached. And of course, if an incident does occur that needs to be reported, we’ll be right there with you to help you gather the information you need to report.

One of the most pressing concerns for many leaders of public companies is how their security teams can gather all the information they need to report in the event of a material cyber incident. Doing this effectively requires a balance of speed, accuracy, and explainability.

Let’s look at how Expel can help:

Speed is a key part of the SEC requirement. Four days isn’t a ton of time, and usually if there’s a significant security incident, it may take more than four days to investigate, understand what’s happening, and provide details to the SEC. Expel helps by constantly monitoring your environment through our managed detection and response (MDR) and threat hunting offerings, which span across attack vectors, including cloud, on-prem, SaaS apps, and Kubernetes. Our security operations platform, Expel Workbench™, ultimately helps our analysts provide root-cause analysis quickly.

Depth of detail is also a key requirement for the SEC. Just saying an incident happened isn’t good enough. You need to understand—and report—the scope and impact. Here’s what you need to report in an 8-k:

• A brief description of the nature and scope of the incident;
• Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose;
• The effect of the incident on the registrant’s operations; and
• Whether the registrant has remediated or is currently remediating the incident.

That’s our bread-and-butter here. When investigating incidents, we perform root-cause analysis by investigating the who, what, where, when, and how. This allows us to understand what happened and what customers can do to improve versus just confirming the alert and moving on.

Even though the reports need to be detailed, you have to remember that they’re being written for shareholders, and these people aren’t usually well-versed in deep cybersecurity topics. Communicating this information simply is a tough task, but our own reporting has always been clear, transparent, and easy to understand even for non-technical folks. We know that operators often need to communicate security information to company leadership and boards—people who often don’t have technical or infosec backgrounds. Our reporting was designed to be shared with anyone in your org, making it well-suited for these new requirements.

What sort of incidents do you report? The SEC requires that organizations report all “material incidents.” That’s pretty broad. We already have built-in severities to help customers understand what may need to be reported to the SEC and what likely doesn’t.

This certainly isn’t everything the new SEC rules will require. Adhering to that will likely require some legwork on your side between security leadership, your CEO, your CFO, your legal team, and more. But we’re experts with global visibility across hundreds of customers and industries. This visibility and expertise allows us to answer questions and provide context you need to work through your engagement with the SEC.

We think that this information can be a big step forward in getting you off on the right foot, especially during an active incident when time is short, stress levels are high, and your team members are doing everything they can to contain the threat.

If you’re interested in learning more about how Expel can help you be prepared for the new SEC rules, drop us a line.