Unpacking the SEC cybersecurity reporting rules: Enhance compliance efforts and reduce risk with ADR

Research shows that the majority of companies filing cybersecurity reports are doing so twice as long after an incident as the Securities and Exchange Commission (SEC) requires: nine days instead of the rule’s stipulated four days. Perhaps a bigger issue is that only a few companies are filing, and those that are filing are using boilerplate language lacking specific details. 

Why the lackluster compliance? Some think the reporting mandates, updated in December 2023, go too far and place too heavy a burden on companies, which struggle to comply in such a short timeframe. Companies may also simply lack the tools needed to comply.

Below you’ll find background on the SEC’s updated rules and companies’ tentative response to them, plus a look at how the right tools can help teams identify issues, recommend resolution, and provide the visibility and reporting they need to meet compliance.

The SEC is hearing crickets

As reported in December 2024, for the first 11 months after the SEC’s cyber incident reporting rule (PDF) went into effect, only 71 incidents had been disclosed by publicly traded companies, according to incident management software vendor BreachRx. 

Nor are the reports providing the cybersecurity transparency and accountability the SEC is after: The research found that the reports are filled with copy-paste language from 10-K filings, as opposed to useful, detailed findings. 

Some of the key findings: 

  • 17% of 8-K filings specified material impact
  • 4% of 8-K filings disclosing a cyber incident for the first time specified material impact
  • Less than half of filings provide specific insights into organizations’ incident response procedures
  • Most 10-K filings describe companies’ cyber risks and incident response and disclosure procedures in nearly identical and generic terms

In today’s evolving regulatory landscape, compliance with the SEC’s new reporting requirements is not only a legal obligation but also a cornerstone of maintaining investor trust and safeguarding an organization’s reputation. Experts say that thorough reporting is actually in organizations’ best interest, given that it entails adopting cybersecurity controls that are, in fact, best practices. 

Experts: Thorough reporting means finally knowing exactly what you need to fix

Cybersecurity controls enhance monitoring and reporting on incidents, say compliance and risk experts. Additionally, they empower security teams to identify vulnerabilities and address them promptly to prevent attacks and breaches. 

“Every regulatory mandate differs from the next, but they share some common requirements regarding remediation and reporting,” said Richa Gupta, Contrast Security Director of Risk and Compliance. “When we talk about security best practices, every company should be able to identify the vulnerabilities in an application and prioritize how they are remediated. The right tools can help teams identify issues, recommend what the resolution should be, and provide the necessary visibility and reporting to meet compliance goals and requirements.” 

What are the SEC’s new cybersecurity rules?

Below is an overview of the SEC’s new requirements. (It’s worth noting that with the new U.S. administration taking office in January 2025, these rules may evolve further. For now, the current mandates provide a target baseline for companies to meet, regardless of their size or the industry in which they operate.)

  • Disclosure of material cybersecurity incidents
    Form 8-K item 1.05 — Public companies must disclose any material cybersecurity incidents on Form 8-K within four business days after determining the incident’s materiality, including the nature, scope, timing and material impact (or likely material impact) of the incident on the company.
    An incident is considered material if it is likely to be important to an investor’s decision-making. Qualitative and quantitative factors are important to consider, such as reputational damage, customer relationships and financial impacts.
  • New regulation S-K item 106 — Companies must describe their processes for assessing, identifying and managing material risks from cybersecurity threats and whether any risks from cybersecurity threats have materially affected — or are likely to materially affect — the business. This includes any risks resulting from previous cybersecurity incidents.
  • Annual reporting requirements
    Form 10-K and form 20-F — Companies must include information about their cybersecurity risk management, strategy, governance and the board of directors’ oversight of cybersecurity risks in their annual reports, including management’s role in assessing and managing material risks from cybersecurity threats.

Which Application Security (AppSec) tools can help with SEC cybersecurity compliance?

The SEC’s cybersecurity disclosure rules require public companies to proactively address vulnerabilities to avoid the significant consequences of a vulnerability being exploited and the resulting breach. To meet such mandates, organizations should use tools like Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), pen testing and Application Detection and Response (ADR) to enhance their ability to monitor, detect and prioritize remediation of vulnerabilities. According to Gupta, it’s all about creating secure code.

Companies should look for a platform that enables real-time monitoring, rapid response, comprehensive risk assessment and robust documentation to meet the SEC’s (and other) regulatory deadlines, minimize risk exposure and demonstrate proactive governance. Such platforms also help organizations build a resilient cybersecurity posture that addresses current SEC guidelines.

Drilling down, the specific capabilities companies should look for include:

  • Continuous, real-time monitoring and incident detection: provides continuous monitoring of application and application programming interface (API) activities, crucial for the timely detection of cybersecurity incidents and the requirement to disclose material cybersecurity incidents promptly.
  • Rapid incident response: generates automated alerts when potential security breaches are detected, enabling companies to assess the materiality of an incident quickly. This capability is essential for meeting the four-business-day reporting requirement for material incidents on form 8-K.
  • Risk management and governance: helps organizations identify and manage cybersecurity risks by providing insights into potential vulnerabilities and threat vectors, meeting the SEC’s requirement for companies to describe their processes for assessing and managing material risks from cybersecurity threats in their annual reports.
  • Documentation and reporting: maintains detailed logs of all detected incidents and responses, critical for preparing accurate disclosures about past incidents and current risk management strategies. This documentation supports compliance with the SEC’s emphasis on providing useful information to investors.
  • Board oversight support and enhanced visibility: provides real-time data on cybersecurity threats and responses, enabling board directors to fulfill their oversight responsibilities more effectively.
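The "documentation and reporting" and "rapid incident response" points above both hinge on one detail of Item 1.05 that is easy to get wrong: the four-business-day clock starts when the company determines an incident is material, not when it is detected. The following is an added example (not code from the original post or from Contrast) of a minimal incident record and deadline check that makes that distinction explicit. The incident records, dates and the single holiday are constructed for illustration; the `holidays` set is an assumption the caller must fill with the relevant federal holiday calendar, since the example only skips weekends by itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, FrozenSet

# Item 1.05 window: four business days after the materiality determination.
FILING_WINDOW_BUSINESS_DAYS = 4


@dataclass
class CyberIncident:
    """One tracked incident. Dates are calendar dates; None means 'not yet'."""
    incident_id: str
    detected_on: date
    materiality_determined_on: Optional[date] = None
    filed_on: Optional[date] = None


def add_business_days(start: date, n: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Return the date n business days after start.

    Saturdays, Sundays and any date in `holidays` are skipped. The holiday
    set is supplied by the caller (assumption: the federal holiday calendar).
    """
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def filing_deadline(incident: CyberIncident,
                    holidays: FrozenSet[date] = frozenset()) -> Optional[date]:
    """Form 8-K deadline, or None while materiality is still undetermined."""
    if incident.materiality_determined_on is None:
        return None
    return add_business_days(incident.materiality_determined_on,
                             FILING_WINDOW_BUSINESS_DAYS, holidays)


def filing_status(incident: CyberIncident, as_of: date,
                  holidays: FrozenSet[date] = frozenset()) -> str:
    """Classify an incident against the Item 1.05 window as of a given date."""
    deadline = filing_deadline(incident, holidays)
    if deadline is None:
        return "materiality undetermined"
    if incident.filed_on is None:
        return "overdue" if as_of > deadline else "pending"
    return "filed on time" if incident.filed_on <= deadline else "filed late"


def days_detection_to_filing(incident: CyberIncident) -> Optional[int]:
    """Calendar days from detection to filing (the metric the research above cites)."""
    if incident.filed_on is None:
        return None
    return (incident.filed_on - incident.detected_on).days


# Constructed sample records (not real filings).
SAMPLE_INCIDENTS = [
    CyberIncident("INC-001", date(2024, 6, 1), date(2024, 6, 3), date(2024, 6, 7)),
    CyberIncident("INC-002", date(2024, 6, 1), date(2024, 6, 6), date(2024, 6, 15)),
    CyberIncident("INC-003", date(2024, 6, 1), date(2024, 6, 6), None),
    CyberIncident("INC-004", date(2024, 6, 1), None, None),
]

if __name__ == "__main__":
    today = date(2024, 6, 20)
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, filing_deadline(inc), filing_status(inc, today),
              days_detection_to_filing(inc))
```

Run as-is, the script shows INC-001 filed within its window, INC-002 filed three days after its 12 June deadline, INC-003 overdue, and INC-004 with no deadline yet because materiality has not been determined. Keeping the determination date as a first-class field is what lets a report answer the SEC's actual question (was the filing within four business days of the determination?) rather than the looser "days since detection" figure.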

When an incident occurs, the stakes are high. Companies must put thorough and timely measures in place to address stringent regulatory mandates and maintain a solid risk posture. With the right security tools, companies can navigate the complexities of cybersecurity reporting with confidence, streamlining compliance efforts and positioning themselves as leaders in security and transparency. The result? Reduced vulnerabilities, less exposure to regulatory fines and an enhanced ability to protect both business operations and shareholder value.  

Want to learn more about how Contrast ADR can help your compliance efforts? Book a demo today.
