What is new in 2023 to SEC cybersecurity rules?
Form 8-K Item 1.05: Requiring the timely disclosure of material cybersecurity incidents.
Regulation S-K item 106: requiring registrants’ annual reports on Form 10-K to address cybersecurity risk management, strategy, and governance processes.
Comparable disclosures are required for reporting foreign private issuers on Forms 6-K and 20-F respectively.
What is Form 8-K Item 1.05 SEC cybersecurity rules?
Form 8-K Item 1.05 requires the following to be reported within four business days from when an incident is determined to be “material” (1), unless extensions are granted by the SEC under certain qualifying conditions:
“If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” (2, 3)
How does the SEC define cybersecurity incident?
Cybersecurity incident defined by the SEC means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. (4)
How can Darktrace assist in the process of disclosing incidents to the SEC?
Accelerate reporting
Darktrace’s Cyber AI Analyst generates automated reports that synthesize discrete data points potentially indicative of cybersecurity threats, forming reports that provide an overview of the evolution and impact of a threat.
Thus, when a potential threat is identified by Darktrace, AI Analyst can quickly compile information that organizations might include in their disclosure of an occurrence they determined to be material, including the following: incident timelines, incident events, incident summary, related model breaches, investigation process (i.e., how Darktrace’s AI conducted the investigation), linked incident events, and incident details. The figure below illustrates how Darktrace compiles and presents incident information and insights in the UI.
It should be noted that Instruction 4 to the new Form 8-K Item 1.05 specifies the “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident” (5).
As such, the incident report generated by Darktrace may provide more information, including technical details, than is needed for the 8-K disclosure. In general, users should take appropriate measures to ensure that the information they provide in SEC reports meets the requirements outlined by the relevant regulations. Darktrace cannot recommend that an incident should be reported, nor report an incident itself.
Determine if a cybersecurity incident is material
Item 1.05 requires registrants to determine for themselves whether cybersecurity incidents qualify as ‘material’. This involves considerations such as ‘the nature scope and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.’
While it is up to the registrant to determine, consistent with existing legal standards, the materiality of an incident, Darktrace’s solution can provide relevant information which might aid in this evaluation. Darktrace’s Threat Visualizer user interface provides a 3-D visualization of an organization’s digital environment, allowing users to assess the likely degree to which an attack may have spread throughout their digital environment. Darktrace Cyber AI Analyst identifies connections among discrete occurrences of threatening activity, which can help registrants quickly assess the ‘scope and timing of an incident'.
Furthermore, in order to establish materiality it would be useful to understand how an attack might extend across recipients and environments. In the image below, Darktrace/Email identifies how a user was impacted across different platforms. In this example, Darktrace/Email identified an attacker that deployed a dual channel social engineering attack via both email and a SaaS platform in an effort to acquire login credentials. In this case, the attacker useding a legitimate SharePoint link that only reveals itself to be malicious upon click. Once the attacker gained the credentials, it proceeded to change email rules to obfuscate its activity.
Darktrace/Email presents this information in one location, making such investigations easier for the end user.
What is regulation S-K item 106 of the SEC cybersecurity rules?
The new rules add Item 106 to Regulation S-K requiring registrants to disclose certain information regarding their risk management, strategy, and governance relating to cybersecurity in their annual reports on Form 10-K. The new rules add Item 16K to Form 20-F to require comparable disclosure by [foreign private issuers] in their annual reports on Form 20-F. (6)
SEC cybersecurity rules: Risk management
Specifically, with respect to risk management, Item 106(b) and Item 16K(b) require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them. The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances. (6)
SEC cybersecurity rules: Governance
With respect to governance, Item 106 and Item 16K require registrants to describe the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight) and management’s role in assessing and managing material risks from cybersecurity threats. (6)
How can Darktrace solutions aid in disclosing their risk management, strategy, and governance related to cybersecurity?
Impact scores
Darktrace End-to-End (E2E) leverages AI to understand the complex relationships across users and devices to model possible attack paths, giving security teams a contextual understanding of risk across their digital environments beyond isolated CVEs or CVSS scores. Additionally, teams can prioritize risk management actions to increase their cyber resilience through the E2E Advisory dashboard.
Attack paths consider:
- Potential damages: Both the potential consequences if a given device was compromised and its immediate implications on other devices.
- Exposure: Devices' level of interactivity and accessibility. For example, how many emails does a user get via mailing lists and from what kind of sources?
- Impact: Where a user or asset sits in terms of the IT or business hierarchy and how they communicate with each other. Darktrace can simulate a range of possible outcomes for an uncertain event.
- Weakness: A device’s patch latency and difficulty, a composite metric that looks at attacker MITRE methods and our own scores to determine how hard each stage of compromise is to achieve.
Because the SEC cybersecurity rules require “oversight of risks from cybersecurity threats” and “management’s role in assessing and managing material risks from cybersecurity threats” (6), the scores generated by Darktrace E2E can aid end-user’s ability to identify risks facing their organization and assign responsibilities to address those risks.
E2E attack paths leverage a deep understanding of a customer’ digital environment and highlight potential attack routes that an attacker could leverage to reach critical assets or entities. Difficulty scores (see Figure 5) allow security teams to measure potential damage, exposure, and impact of an attack on a specific asset or entity.
Automatic executive threat reports
Darktrace’s solution automatically produces Executive Threat Reports that present a simple visual overview of model breaches (i.e., indicators of unusual and threatening behaviors) and activity in the network environment. Reports can be customized to include extra details or restricted to high level information.
These reports can be generated on a weekly, quarterly, and yearly basis, and can be documented by registrants in relation to Item 106(b) to document parts of their efforts toward assessing, identifying, and managing material risks from cybersecurity threats.
Moreover, Cyber AI Analyst incident reports (described above) can be leveraged to document key details concerning significant previous incidents identified by the Darktrace solution that the registrant determined to be ‘material’.
While the disclosures required by Item 106(c) relate to the governance processes by which the board of directors, the management, and other responsible bodies within an organization oversee risks resulting from cybersecurity threats, the information provided by Darktrace’s Executive Threat Reports and Cyber AI Analyst incident reports can also help relevant stakeholders communicate more effectively regarding the threat landscape and previous incidents.
DISCLAIMER
The material above is provided for informational purposes only. This summary does not constitute legal or compliance advice, recommendations, or guidance. Darktrace encourages you to verify the contents of this summary with your own advisors.
References
- Note that the rule does not set forth any specific timeline between the incident and the materiality determination, but the materiality determination should be made without unreasonable delay.
- https://www.sec.gov/files/form8-k.pdf
- https://www.sec.gov/news/press-release/2023-139
- https://www.ecfr.gov/current/title-17/chapter-II/part-229
- https://www.sec.gov/files/form8-k.pdf
- https://www.sec.gov/corpfin/secg-cybersecurity