The Real Impact of the SEC Cyber Rule Won’t Be Incident Disclosures

7–31–2023 (Monday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for investors in and management teams of growth stage companies.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, July 31st, and there was some real competition for the biggest cyber news of the week. We’ve got a string of zero-day vulnerabilities - namely in the MobileIron Mobile Device Management platform, which we only learned about when Norway’s Government Security & Service Organization disclosed that it was how they recently got hacked. Since then - in a pattern we’ve continued to see - an additional zero-day vulnerability allowing remote users to gain administrative privileges was discovered. While a patch has been rapidly made available for both vulnerabilities - and kudos to Ivanti for doing so - this pattern is tough for the blue teams in charge of defending networks and the IT & ops teams in charge of keeping up with patching.

But - believe it or not - that wasn’t the biggest cyber news of the week, and certainly isn’t what we should be tracking long term. That honor goes to SEC Chairman Gary Gensler and the adoption of the proposed cyber rules along a 3-2 party-line vote.

Notification Requirements Aren’t The Real Impact of the SEC Cyber Rule

For a bit of background, these rules were initially proposed in March of 2022 - and here we are 16 months later with rules passed. The requirement with the most attention comes in the form of Item 1.05 of Form 8-K, requiring registrants to disclose material cyber incidents four days after they are determined to be material. This Form 8-K disclosure will need “to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”

This is certainly a big change, and something we’ll all be watching for. One note: this disclosure won’t be required until “the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.”

The rub here is the notion of “material” - which is where lots of attorneys will spend their time. I also think the actual disclosures themselves will be pretty underwhelming, given the amount of attention they’ll get from lawyers, PR folks, insurance companies, and others before they go public.

I actually think the bigger impact of this rule is hiding in new Regulation S-K Item 106, “which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.”

These Form 10-K disclosures, which apply to ALL companies, will do a couple of very interesting things:

  1. The first go-round for every company will be their opening salvo at describing their cyber programs in a public, non-technical way. While there will be some maneuvering or posturing to put their best foot forward, the range of 10-K disclosures we’re going to see in the first year will be very interesting.

  2. Because all public companies in the US are now required to file this disclosure, we’re going to see some real emphasis on these functions, and on Board-level engagement with cyber.

  3. Comparable disclosure by foreign private issuers is also required on Form 20-F, which will give us additional visibility.

I’m not a lawyer, but I can imagine that if a company files a 10-K describing all of its robust cyber capabilities, then has an incident, and in litigation it turns out that those descriptions weren’t exactly accurate, we’re going to have some interesting outcomes. Insurers and other interested parties (including the threat actors!) will also be tracking these disclosures closely.

For privately held companies, this 10-K disclosure should provide a good model both for how to describe a company’s cybersecurity program and for their next transactions - be that an IPO or another private transaction.

This yet again puts the onus on executives and leadership teams to demonstrate an understanding of cyber risk, appropriate risk management mechanics, and an ability to communicate in a timely way about these programs and any material incidents they may experience.

While I’m sure a few of you enjoy digging through the EDGAR database, with this new rule and these new disclosures, there are going to be some outright wild stories over the next 18 months. We’re already seeing Form 8-K disclosures around the MOVEit incident with a $15M response cost for just one company, and there’s no doubt we’ll see many more. This is just a tiny fraction of what we’re going to see moving forward - so be sure to watch this space.

Fundraising

Much quieter week for fundraising - I think we got a bit used to those $25B, $30B, $35B weeks.

This week? A mere $5.1B - which still averages out to about $31M/hour of committed capital over the whole week. These big numbers do tend to get a bit silly.

July totals are coming in just under $100B - a great start to Q3, and H2. With the IPO market continuing to warm up, I would expect to see transactions at all levels of the market pick up as we head into the Fall and certainly as we close out the year. Next month might be quiet, given the vacation schedules in both Europe and the US, but after Labor Day we should see a significant uptick.

You can find all the links to the stories we covered in the section below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.

Links

https://therecord.media/ivanti-urges-customers-to-apply-patch
https://www.bleepingcomputer.com/news/security/norway-says-ivanti-zero-day-was-used-to-hack-govt-it-systems/

https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081

https://www.securityweek.com/industry-reactions-to-new-sec-cyber-incident-disclosure-rules-feedback-friday/

https://www.sec.gov/news/press-release/2023-139

https://techcrunch.com/2023/07/27/us-government-contractor-says-moveit-hackers-accessed-health-data-of-at-least-8-million-individuals/