The SEC regulates the securities markets in the US, the biggest and most powerful economy on Earth. Surely, therefore, the SEC is one of the world's most important regulators, with a near unparalleled capacity to make a critical difference to cybersecurity. In that context, let's take a look at how the SEC deals with the reporting by issuers of their cybersecurity postures and cybersecurity incidents to its office.
As you tour through this area, you will come across some key forms that provide standardised methods of making reports. They are the 10-Q, 10-K and 8-K, which apply to US issuers. There are similar forms for foreign issuers, including the 6-K and the 20-F.
10-Q forms are used for quarterly reporting to the SEC. 10-K forms are used for annual reporting. You can find copies of completed forms on the SEC EDGAR database, which is a great tool for security journalists, security researchers and, most of all, investors. If you take a look at some submitted forms you may find some really illuminating information under the "controls and procedures", "legal proceedings" and "risk factors" sections. This guidance for investors explains how to interpret a 10-K form.
In July 2023, the SEC adopted new rules for the reporting of material cybersecurity incidents, which needs to be done on the 8-K form (or 6-K, for foreign issuers), and for annual reporting of cyber posture (i.e., cybersecurity risk management, governance and strategy), which needs to be done on the 10-K (or 20-F, for foreign issuers). An SEC primer is here.
Material cybersecurity incidents need to be reported within four business days of the determination of materiality. This means that the timetable does not necessarily commence at the moment of incident detection, because the issuer might not yet be in possession of the information that it needs to assess materiality. There is an exemption from the four-business-day rule for incidents that pose a substantial risk to national security or public safety, if the US Attorney General makes that determination and informs the SEC.
Regarding the timetable from here, the new rules are effective 30 days after publication of the "adopting release" in the Federal Register, after which there is a staggered implementation timetable. The adopting release was published on 4th August 2023.
The annual disclosures on 10-K and 20-F will be due for the fiscal year ending on or after 15th December 2023. The incident reporting rule using the 8-K or 6-K forms comes into effect 90 days after publication (which is 1st November), but for smaller companies it is 180 days.
However, the rules are being challenged in Congress, as reported here. Judging by this report, the challengers consider that the rules constitute regulatory overreach by the SEC, that they are unnecessary because other legislation is already in place, and that they will add an unnecessary and unhelpful burden on entities. Taking the report at face value, there seems to be a cohort of industry actors that support the challenge.
An interesting angle is that a threat actor has reported its victim to the SEC. This adds yet another variant to the layers of extortion that we are seeing used to encourage ransom payments. Originally, there were single extortions, where the threat actor used ransomware to encrypt data in order to encourage payment. This developed into data exfiltration alongside the use of ransomware, a double extortion that applies the threat of data sale or publication to ramp up pressure for a payment. Then it evolved into contacting third parties, a triple extortion based on an additional name-and-shame strategy, so that the victim would be further pressurised to pay a ransom to protect its reputation. The reporting of the victim to the regulator is just another step in the evolving nature of cybercrime.