Pressure mounts on CISOs as SEC bares teeth with legal action

A Panaseer investigation into organizations’ annual 10-K filings reported to the SEC shows that from January-May 2024, at least 1,327 filings mentioned NIST – a key indicator that cybersecurity posture is present in a filing.

SEC cybersecurity filings

This compares to just 110 during the same period of 2023 – a 12-fold increase – and 128 across the entire year. On current projections, researchers predict up to 2,600 such filings across 2024 – a more than 20 times increase.

The burden of additional cybersecurity reporting

December 2023’s new SEC rulings that incorporated cybersecurity risk into investor reporting mandated the inclusion of cybersecurity posture and processes in annual reports. Although CISOs won’t be directly responsible for compiling reports, they’ll need to work closely with the Enterprise Risk Management (ERM) team to ensure reports are accurate.

Accurate reports demand a deep understanding of cybersecurity posture and risk exposure. Any discrepancies between reports and reality will be tantamount to lying to investors, leaving CISOs potentially facing charges. SolarWinds’s CISO, Timothy G. Brown, has already been charged by the SEC for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

“The SEC’s regulations will provide greater transparency, which is a positive step towards giving investors the full picture of an organization’s cyber risk posture,” says Nick Lines, Security Evangelist at Panaseer. “However, organizations must remember that the accuracy of these reports is critical. Cyberattacks are a fact of life for listed businesses, but companies have previously reported zero material cybersecurity threats across an entire year, and there have only been 24 filings thus far in the year, which stretches belief. CISOs are in a delicate position: while investors will be put off by a poor cyber risk posture, the SEC will come down hard on inaccurate reports. Either way, CISOs will be in the firing line.”

The new regulation applies to listed enterprises, with two separate SEC reports that apply to cybersecurity:

  • A 10-K filing – a comprehensive annual report of critical information including financial performance. Now, organizations must detail their approach to cyber risk management, including cybersecurity strategy, board oversight, and management’s role in cyber governance.
  • An 8-K filing – a report announcing major events shareholders should know about. This now requires businesses to disclose “material cybersecurity incidents” – likely to impact investors – in a timely fashion. These must be reported within four days after the determination of materiality.

CISOs need a system of record they can trust

These filings need to portray a cybersecurity posture to satisfy the SEC. The new rulings also reflect an ongoing shift in the CISO’s role. While not solely responsible for organizations’ risk posture, CISOs must accurately portray risk posture and security processes to the ERM team and the board. CISOs need to understand and communicate their company’s cybersecurity practices clearly, with a data-driven approach that enables factual filings.

As such, researchers recommend that CISOs direct their focus towards ensuring that there’s oversight and assurance over the security tool they have, verifying that they are working correctly across every asset.

“As the regulatory landscape becomes increasingly complex, CISOs are getting caught in the crossfire. Yet while Business Intelligence and analytics tools have been commonplace in finance, sales, and leadership for decades, CISOs are left to rely on data from disparate tools with no single, trusted view. They’re forced to work with one hand tied behind their back, and the Sword of Damocles dangling over their heads,” says Jonathan Gill, CEO of Panaseer.

“As the stakes keep getting higher, CISOs need a system of record they can trust to ensure they are reporting accurately and in good faith. By having a unified view of every asset throughout a business – where it sits, who owns it, and who is responsible for its security – CISOs can turn the lights on. This contextual data empowers CISOs to quantify risk, plug gaps, and tell a story to the board and ERM team in language they’ll understand. CISOs can then enable a culture of accountability, holding colleagues accountable through a platform that translates security into the language of non-technical and technical stakeholders, each with their own relevant view of the same golden source of truthful data. This will enable CISOs to protect themselves on both sides: showing investors an improved risk posture, while presenting the most accurate picture to the SEC,” concluded Gill.

SEC cybersecurity filings

Fill out the form to get your copy:

Don't miss