Page 44 - Cyber Defense eMagazine August 2024
The hard numbers
Listed enterprises now need to make sure their 10-K filings – comprehensive annual reports of critical information including financial performance – and 8-K filings – reports announcing major events shareholders should know about – accurately portray cybersecurity posture. In particular, 8-K filings need to be made for “material cybersecurity incidents”, and in a timely fashion, that is, within four days of determining that the incident was “material”. The question is, what do these new requirements mean for the volume of reporting?
Analyzing SEC cyber disclosures from the first half of 2024, and comparing them with the same period in 2023, we found that mentions of NIST (National Institute of Standards and Technology) and variations had increased by almost 14 times year-on-year: from 221 to 3,025. Given the pattern of filings in 2023, and that it seems almost every listed company now feels the need to disclose its security posture, we’d expect this to increase to nearly 20 times by the end of the year.
However, at the other end of the scale, the number of relevant 8-K filings seems surprisingly low. Across more than 4,000 listed companies in the US, only 17 experienced a potentially material cybersecurity incident. And of those, none would say that the incident was, in fact, material.
The buck stops here
It might seem unlikely that, in a world where we are constantly bombarded with news of catastrophic cyberattacks and data breaches, less than half of one percent of listed companies have suffered an incident they believed could have been “material”. But as the regulatory environment becomes increasingly complex, these statistics lay bare the increasing pressure being put on CISOs.
First, there is the burden of additional reporting – both from 8-Ks and from the additional detail needed in 10-Ks. CISOs might not be directly responsible for compiling reports, but they’ll need to work closely with the ERM team to ensure reports are accurate. This means ensuring that factors such as the relevant expertise of the people managing and assessing risk, like CISSP accreditation, and the relative exposure of critical systems are accurately represented. This is a challenge for a role that, traditionally, has had to rely on data from disparate tools, with no single, trusted view, to build an often-fragmented picture of its environment. While Business Intelligence and analytics tools have been commonplace in finance, sales, and leadership for decades, CISOs are still forced to work with one hand tied behind their back, and a sword of Damocles hanging over their heads.
That sword is the threat of legal action. Providing reports that are inaccurate or misleading – for instance by giving investors a false sense of confidence in an organization’s exposure to risk – is tantamount to lying to investors. And as the role held responsible for those reports, CISOs will be directly in the firing line. We’ve already seen CISOs charged by the SEC for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities, and this is only likely to increase, especially if those 8-K reports so far turn out to be significantly underplaying the real level of threat that organizations, and their investors, are facing.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.