New SEC rules demand full disclosure of material cybersecurity incidents 4 days after they happen – are your OT security tools able to help stop “material” breaches?
The risk of a major cyberattack disrupting operations and wiping out shareholder value should already be front-of-mind for C-level executives and boards of directors.
If not, they’re in for a shock due to regulations coming into force next week demanding public companies fully disclose “material” cybersecurity incidents to investors. New rules mean senior executives take direct responsibility for their company’s cybersecurity risk management, strategy, and governance.
And they’re on the hook if cybersecurity breaches deemed “material” to investors are not correctly reported within just four days.
The four-day countdown
The U.S. Securities and Exchange Commission (SEC) has resisted corporate lobbying to water down the regulations, so the new rules will come into effect on 18 December as planned. As well as requiring the reporting of material cyberattacks within four working days via a Form 8-K filing, companies will also be forced to provide details of such incidents in annual reports. The SEC said the rules will ensure such disclosures are made in “a more consistent, comparable, and investor decision-useful way” than they have been to date.
The rules also demand that boards have oversight of cybersecurity risk management processes and are actively mitigating against potential risks. This means that even those at the very top of organizations must prepare for increased investor and regulatory scrutiny of their cybersecurity strategies. It is therefore essential that cybersecurity plans are agreed and signed off at the very highest level.
Companies need to have the right tools in place to inform them of breaches when they are attempted and instantly determine whether they need to be reported or not. Fail to detect and report a significant breach in time and a company will find itself in regulatory trouble; fail to accurately determine the severity of an attack and they may find themselves reporting cybersecurity incidents at a rapid rate, sounding alarm bells for investors.
Making assumptions on what is “material” and what isn’t will no longer be sufficient. The SEC states that “materiality turns on how a reasonable investor would consider the incident’s impact on the registrant”. To put it another way, “material” is in the eyes of an investor and their decision making to buy or sell shares. The ramification is that – without better cybersecurity protections in place – any breach related to operational technology (OT) will likely result in an 8K filing.
Entering a new era of cyber transparency
Companies are already changing their approach to disclosures ahead of 18 December. The cleaning products giant Clorox filed a form 8k in August revealing that a cybersecurity incident had forced it to take certain systems offline. In a later filing it admitted “widescale disruption” of its operations, which had a knock-on impact on inventory and revenue across two financial quarters. The company would go on to report a 28 per cent decrease in net sales for the quarter ended 30 September as a result, and the company’s CISO resigned soon after.
Even the cybercriminals themselves are aware of the rules and are incorporating them into their extortion strategies. Last month, it was reported that the BlackCat cyber gang threatened to report digital lending platform MeridianLink to the SEC if it did not meet its malware demands within 24 hours – and claimed to have then filed a complaint with the regulator.
OT under the spotlight
As seen with the attack on Clorox’s manufacturing facilities, the SEC's new reporting rules will have significant implications for the security of OT within organizations. Critical infrastructure sectors (such as energy, manufacturing, utilities, and healthcare) rely heavily on OT systems. Any cybersecurity incident affecting OT production applications can have a substantial operational and financial impact. Navigating these new disclosure rules require a strong cybersecurity posture and a proactive approach to risk management, which must address several areas:
- Threat detection and prevention. Organizations must identify and mitigate cybersecurity threats before they escalate into “material” incidents that have to be reported. This includes being able to prevent zero-day attacks, on day zero, not when a patch is available or an update can be provided by a security vendor.
- Supply chain risk. OT often relies on specialized equipment and software from third-party vendors. Software updates from the vendors and/or their supply chain is a proven source of devasting intrusion attacks. The SEC's rules require companies to disclose supply chain-related risks, including those related to cybersecurity.
- Incident response and recovery. Organizations must understand the scope and severity of any incident in order to ensure a swift and efficient response. This includes being prepared to disclose (in the event of an SEC inquiry) if the actions taken were effective in mitigating the impact of the breach to ensure it was a non-material event.
- Board-level reporting. Organizations must effectively communicate cybersecurity risks and incidents to their boards of directors, ensuring that cybersecurity issues related to OT are addressed at the highest level. Plans must be filed annually that detail that such risks are properly protected against.
- Cyber insurance considerations. Companies take specialized insurance to mitigate the financial impact of cybersecurity incidents. The SEC's rules will influence the terms and costs, payouts, and the ability to renew cyber insurance policies, especially if the disclosure of risks related to OT systems is frequent or significant.
- Regulatory alignment. Many industries with critical infrastructure are subject to sector-specific cybersecurity regulations. The SEC's rules may drive greater alignment between these sector-specific regulations and general disclosure requirements.
Prevention better than waiting for a cure
Passive network-based detection solutions or those that try and reduce the attack surface are not able to stop sophisticated attackers. Crowdstrike and Palo Alto agreed in the Senate post-mortem hearing on the SolarWinds attack that these passive firewall technologies only served as a speed bump against sophisticated attacks. Worse still, they confirmed that their own device protections were actually turned off by the attackers during the attack.
Today’s state-of-the-art cloud-based next-generation antivirus (NGAV) solutions, which are problematic to deploy and run on OT endpoints, must now provide identifiable behavioral indictors of compromise (IOCs) to identify the attack and an active means to block it in just few days. This forces them to work at an order of magnitude quicker if they are going to be effective in helping their customers comply with the new rules – even for the attacks they can stop. But problems remain:
- These approaches were not typically able to stop supply chain attacks, as seen with the SolarWinds attack
- Other threats required patches as their only solution, as was seen in the log4J vulnerability exploit
- They cannot stop sophisticated nation-state attacks that don’t have set behavioral patterns to create a single set of IOCs
These tools only stop “already known” identified threats where a method to block them has already been developed and deployed. They are powerless to guard against unforeseen threats that exploit unknown application vulnerabilities, nor do they prevent never-seen-before (zero day) malware attacks on day zero. The emergence of AI-driven methods is further accelerating the frequency and severity of attacks, forcing security teams to be responsive rather than proactive.
At the same time, enterprises running OT networks face a range of challenges when addressing their security posture. They lack the human resources and specialist skills, the ability to keep up to date with emerging threats, and the tools to protect legacy systems that are often decades-old.
We developed the ARIA Zero Trust PROTECT (AZT PROTECT™) solution to address the unique challenges of OT cybersecurity. AZT PROTECT is a comprehensive AI-driven defense system that protects all your OT endpoints from ALL cybersecurity attacks – both known and unknown. It protects your entire OT device infrastructure and critical IT applications no matter their location.
As companies prepare to meet the SEC's disclosure rules, AZT PROTECT offers a comprehensive and customizable solution to safeguard revenue, reputation, and operations.
To arrange a consult with one of our cybersecurity experts, please contact us at info@ariacybersecurity.com. To learn more about how we stop sophisticated attacks that others miss – check out our blog on the recent Sunburst attack.