
Cybersecurity’s High Stakes “Cat and Mouse” Game: The SEC Challenges Companies to Improve Disclosures

The SEC’s Challenge to Improve Disclosures

Think back almost 25 years to February of 2000. The dot-com bubble wouldn’t officially burst for another month and many investors were still high on the prospects of companies like Pets.com, Webvan and Kozmo.com. The Internet looked far different than it does today. However, February 2000 represents an important milestone in the modern Internet’s history — it’s the month that cybersecurity entered the public vernacular thanks to a 15-year-old named Michael Calce.

Calce, known online by the name MafiaBoy, orchestrated a series of denial-of-service attacks that took down the websites of major companies like Dell, Yahoo! and eBay, sounding the alarm for businesses to begin taking their cybersecurity more seriously. However, as the cyber industry got to work developing more advanced security systems, their work was matched and then surpassed at every step by a relentless and determined global hacking community that seemed to always stay one step ahead.

Fast forward 20 years to December 8, 2020, to what became known as the SolarWinds cyberattack, perhaps the best example of how sophisticated hackers became in a relatively short period. That day saw FireEye, itself a leading provider of cybersecurity services, announce that it had been “attacked by a highly sophisticated cyber threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” Five days later, FireEye detailed some of the findings of its investigation in its corporate blog, noting the global nature of the attack. It reiterated those findings in its December 14, 2020 8-K filing:

On December 8, 2020, FireEye, Inc. (“FireEye”, “we”, “our” or “us”) filed a Current Report on Form 8-K and issued a blog post announcing a security incident. On December 13, 2020, we provided the following update on our investigation on our corporate blog at fireeye.com/blog.

We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software – the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.

The Cybersecurity and Infrastructure Security Agency noted that “[t]he U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).” While not the first instance of a cyberattack by a foreign government, the SolarWinds incident is certainly one of the most sophisticated — one that demonstrates the power of cyberwarfare to disrupt economies and infrastructures.

Will the high stakes “cat-and-mouse” game between the global business community and the global hacker community ever end? We can’t answer that question with any certainty, other than to say that there appears to be no end in sight. What has changed though is corporate and regulator awareness of the threats.

Cybersecurity Risk Disclosures

As the vulnerability of corporate and government entities’ cybersecurity systems to cyberattacks becomes increasingly evident, investors are demanding more comprehensive and detailed disclosures about related risks.

Data from the Intelligize platform highlights a notable trend following the SolarWinds attack: a significant uptick in cybersecurity risk disclosures in filings with the U.S. Securities and Exchange Commission (SEC). According to an analysis conducted with our Intelligize offering, the number of cybersecurity-related risk factor sections in SEC registrants’ 10-K filings during the first quarter of 2021 rose by more than 30% compared to the same period in 2020.

Can this surge in disclosures be attributed directly to the SolarWinds attack? While we cannot say so with absolute certainty, the timing strongly suggests that the attack prompted companies to reassess and strengthen their cybersecurity risk reporting in response to heightened concerns.


SEC Cybersecurity Rules

As part of its new focus on cybersecurity risk management, the SEC announced two proposed cybersecurity risk rules: the Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (proposed in February 2022) and the Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents (proposed in March 2023).

Were these proposals a direct response to the SolarWinds cyberattack? Likely not. It is plausible these rules would have been introduced regardless. However, the ongoing surge in sophisticated and damaging cyberattacks—including SolarWinds—created the necessary urgency and momentum for the SEC to act. SolarWinds undoubtedly played a significant role in shaping this heightened focus.

In July 2023, following the two proposed rules mentioned, the SEC adopted a highly anticipated final rule regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, setting forth a set of new cybersecurity risk rules. The final rule’s requirements include “current disclosure about material cybersecurity incidents,” as well as “periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.”

This landmark rule underscores the SEC’s commitment to ensuring transparency and accountability in cybersecurity risk management across the corporate landscape.


SEC Staff Guidance on Material Cybersecurity Incidents

Following the final rule’s adoption, the SEC issued related staff guidance, releasing new Compliance and Disclosure Interpretations regarding Form 8-K Item 1.05 disclosures of material cybersecurity incidents.

SEC Enforcement Actions Regarding the SolarWinds Cyber Incident

The SEC, predictably and appropriately, responded to the SolarWinds cyberattack by focusing on registrants’ cybersecurity disclosures. On Oct. 22, 2024, the SEC announced the settlement of enforcement actions that charged “Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC also charged Unisys with disclosure controls and procedures violations.” The charges were related to “an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.”

All the companies involved agreed to settle the charges and pay civil penalties, with Unisys facing the largest fine at $4 million. These actions underscore the SEC’s growing emphasis on holding companies accountable for clear, accurate, and meaningful cybersecurity disclosures.

Emerging AI-Related Cyber Threats

Let’s return for a moment to one of our key cybersecurity takeaways from the last 25 years: that the “cat-and-mouse” game between hackers and cyber defense systems will continue into the foreseeable future. That’s not just because cybercriminals keep figuring out new ways to exploit weaknesses in corporate cyber defenses. It’s also because the pace of technology development creates entirely new platforms to be exploited. The latest technology to emerge and cause sleepless nights for those in charge of cyber defense systems is artificial intelligence (AI).

AI is a rapidly evolving technology with boundless potential, and its adoption among companies surged at the same time that hackers escalated their attempts to exploit its vulnerabilities. In January 2024, the National Institute of Standards and Technology (NIST) announced a new publication discussing different types of cyber threats designed to compromise AI systems by manipulating their behavior. Apostol Vassilev, a NIST computer scientist and one of the publication’s authors, noted that “[d]espite the significant progress AI and machine learning have made, these technologies are vulnerable to attacks that can cause spectacular failures with dire consequences.”

Yet not only can AI systems be the target of cyberattacks, AI itself can be used as a tool in launching a cyberattack on other systems. Cybersecurity company CrowdStrike explains how “AI-powered cyberattacks” operate:

AI-powered cyberattacks leverage AI or machine learning (ML) algorithms and techniques to automate, accelerate, or enhance various phases of a cyberattack. This includes identifying vulnerabilities, deploying campaigns along identified attack vectors, advancing attack paths, establishing backdoors within systems, exfiltrating or tampering with data, and interfering with system operations.

Like all AI algorithms, the ones used by AI-powered cyberattacks can learn and evolve over time. This means that AI-enabled cyberattacks can adapt to avoid detection or create a pattern of attack that a security system can’t detect.

Cybersecurity Trends

The “cat-and-mouse” game between threat actors and cybersecurity professionals includes another highly interested party with considerable skin in the game. The SEC is well aware of the significance of cyber threats and the damage they can cause to entire segments of the U.S. economy. Its rulemaking activity and recent enforcement actions related to disclosures of cybersecurity risks and incidents are part of a current trend toward more stringent SEC cybersecurity-related requirements.

However, much like the cybersecurity industry itself, the SEC is often in a reactive position, working to catch up with the increasingly sophisticated tactics of threat actors. This reactive posture likely explains the SEC’s heightened emphasis on cybersecurity-related disclosures, which are expected to prompt greater shareholder scrutiny of how companies manage material cybersecurity risks.

Adding to the complexity, as discussed in relation to AI, the nature of cybersecurity risks is constantly evolving. The emergence of new and advanced threats compounds the challenges companies face in managing these risks. Public companies are under mounting pressure to implement robust cybersecurity risk management practices that not only satisfy regulatory compliance but also align with shareholder expectations. This dual challenge is growing more formidable and shows no signs of easing in the near future.


How Intelligize+ AI™ Can Help

Intelligize+ AI provides the tools you need for your SEC cybersecurity compliance research. Use the different solutions offered in our platform to research your peers’ cybersecurity disclosures, SEC cybersecurity-related regulations and enforcement actions, SEC comment letters noting registrants’ problematic cybersecurity disclosures, and relevant law and accounting firm memos. Contact us to learn more.