Keeping SEC-ure: Using Threat Intelligence to Stay Ahead of the New SEC Regulations
Recently there have been millions of attacks demonstrating that public companies of all sizes and operating in all industries are susceptible to cybersecurity incidents. These incidents can cause business interruptions, impose direct costs via remediation or ransomware payments, reduce revenues through exfiltration of intellectual property and interruptions, create litigation and regulatory risk, and damage reputation.
In response, on Sept. 5, the SEC’s latest Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rule went into effect, fundamentally altering the way US public companies communicate with the market about cybersecurity incidents and governance.
The SEC sought to “enhance and standardize disclosures … to better inform investors” about cybersecurity-related matters. Given the ever-increasing importance of the availability, integrity and confidentiality of information and infrastructure as digital transformation has accelerated, it is unsurprising that the SEC has stepped in to ensure that public markets have sufficient transparency related to these issues.
Fortunately, public companies do not need to face these challenges alone. Commercial threat intelligence providers, and Recorded Future especially, can help regulated entities tackle these new regulatory obligations while mitigating their cybersecurity risk.
One of the key statistics highlighted by the SEC in the proposal of this new rule is that 63% of breaches are linked to a third party. The SEC also clarified that updates to Item 106(b) of Regulation S-K “will require disclosure concerning a registrant’s selection and oversight of third-party entities.”
Recorded Future’s Third-Party Intelligence Module is geared to specifically address this concern. Recorded Future Third-Party Intelligence empowers security teams and business leaders to make fast, informed decisions about the companies in their organization’s supply chain and reduce the overall risk of data breaches and reputational damage. Third-Party Intelligence provides deep visibility into suspicious activity related to vendor ecosystems, and provides organizations an opportunity to conduct meaningful oversight of third-party entities.
One of the biggest differentiators of commercial threat intelligence providers is that cybersecurity governance shifts from relying on a vendor’s answers to a security questionnaire, which may be inaccurate and/or stale, to relying on externally sourced intelligence. This can give investors confidence that organizations are using independently collected data to have visibility into their supply chains.
Recorded Future’s Third-Party Intelligence Module gives real-time alerts on security incidents, breaches, and a wide variety of risky security practices, allowing registrants to stay a step ahead. Plus, Recorded Future provides access to exclusive sources, including high-tier dark web forums, ransomware extortion sites, and a massive leaked credential and data library, to better protect organizations from emerging risk. Third-Party Intelligence also provides quantitative Risk Scores for third parties, better enabling cybersecurity risk assessment as required under Item 106(b).
Cybersecurity Incident Reporting
Under the updated rule, the SEC has amended Form 8-K to require current disclosure of material cybersecurity incidents. Given that organizations will be mandated to disclose these incidents, it is imperative that registrants have as much context and intelligence about incidents as possible.
Recorded Future’s Intelligence Cloud is perfectly positioned to provide that insight. This extends from information about threat actors via the Threat Intelligence Module to granular exposure insights. Examples include compromised credentials via Identity Intelligence Modules and compromised card data via the Fraud Intelligence Module, which provide visibility into the exact extent of a specific breach.
One can imagine the materially different way the market may react to a disclosure with an unknown threat actor, unknown scope, and unknown intent, versus one that provides guidance on the probable intent of the threat actor, the past history of the threat actor, and the precise scale of impact. For example, the public exposure related to an incident connected with a Chinese state-sponsored advanced persistent threat will be dramatically different compared to an attack associated with ransomware-as-a-service actors, which are more often associated with reputational risks.
Accessible intelligence will better enable organizations to address Item 1.05 in Form 8-K to assess “whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.” Only comprehensive threat intelligence will allow companies to confidently determine motivations of threat actors, their typical TTPs, and insights into the criminal underground where data is monetized.
Further, given that the SEC will require disclosure by organizations within four business days, it is imperative to have a threat intelligence provider, like Recorded Future, that operates in real time. It is also important to note that the ticking clock only starts upon determination of materiality - yet another analysis where threat intelligence can help in better understanding the scope and impact of the incident. The SEC itself states that the analysis should “[take] into consideration all relevant facts and circumstances surrounding the cybersecurity incident” and threat intelligence can provide such context.
Policies and Procedures to Identify and Manage Cybersecurity Risk
One of the elements of the SEC rule is that Item 106 will be added to Regulation S-K, which will require registrants to “describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats.”
Last year, Recorded Future launched Threat Maps, which automates the analysis of threat actors targeting a client’s enterprise and organizes the intent and opportunity of those groups to harm an organization. An organization’s customized Threat Map shows the most dangerous threats that have an opportunity to harm an organization, and changes over time allow security teams to better prioritize countermeasures. Use of Threat Maps allows organizations to carefully calibrate response and granularly identify specific threats - it is the difference between merely gesturing at Nation-State Threats writ large, and actually being able to point to specific threats such as Lazarus Group. This level of granularity gives organizations actionable insights to both be more authoritative with the market and more efficiently deploy risk mitigation strategies.
Threat Maps join Recorded Future’s expansive offerings, such as SecOps Intelligence, which collects data from a comprehensive range of sources, contextualizes it, and feeds meaningful insights directly into existing security tools and workflows to improve alert triage, threat detection, and threat blocking - providing a more comprehensive process in line with SEC requirements.
The SEC has ushered in a new era of cybersecurity transparency for public companies. Public companies should begin preparing immediately for the enforcement of these updates. Preparations should be focused on the collaboration between internal stakeholders and access to the relevant information from both external and internal sources to be able to comply with the new requirements.
To tackle these challenges, it is now imperative that registrants have the most comprehensive and timely intelligence available - Recorded Future is the most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains, and can be a powerful tool in complying with the new regulations.
Hear me talk to Christopher Hart (Partner at Foley Hoag LLP) and Lavonne Burke (VP Legal - Global Security & Resilience and Digital (IT) at Dell Technologies) about these regulations and how organizations can stay ahead at PREDICT 2023 in Washington D.C. on Oct. 11 at 10:05 a.m. ET.