Panaseer predicts SEC reports could see up to 2600 NIST mentions
Cybersecurity firm Panaseer has released a new analysis predicting a significant rise in mentions of the National Institute of Standards and Technology (NIST) in annual reports to the Securities and Exchange Commission (SEC). According to Panaseer's study, such mentions have already surged twelvefold in the first five months of 2024 compared to the same period in 2023. This increase is attributed to new SEC rules that came into effect in December 2023, mandating greater disclosure of cybersecurity postures in annual reports and filings.
From January to May 2024, there were 1,327 filings mentioning NIST, compared to just 110 during the same period in 2023. Panaseer projects that the number of such filings could reach up to 2,600 by the end of the year, representing a more than 20-fold increase. The dramatic rise underscores the growing emphasis on cybersecurity risk management in the regulatory landscape and points to increased scrutiny that Chief Information Security Officers (CISOs) will face.
Nick Lines, Security Evangelist at Panaseer, commented on the implications of the new SEC regulations: "The SEC's regulations will provide greater transparency, which is a positive step towards giving investors the full picture of an organisation's cyber risk posture. However, organisations must remember that the accuracy of these reports is critical. Cyberattacks are a fact of life for listed businesses. Still, companies have previously reported zero material cybersecurity threats across an entire year, and there have only been 24 filings thus far in the year, which stretches belief. CISOs are in a delicate position: while investors will be put off by a poor cyber risk posture, the SEC will come down hard on inaccurate reports. Either way, CISOs will be in the firing line."
The new SEC rules require companies to describe their cybersecurity risk management practices and to disclose material cybersecurity incidents in their periodic reports. Two forms are affected: the annual Form 10-K, which must now describe the company's cybersecurity strategy, the board's oversight of cyber risk, and management's role in cyber governance, and Form 8-K, on which a material incident must be disclosed within four business days of the company determining that it is material.
The increased reporting burden and the potential for legal action highlight the need for precise and reliable assessments of cybersecurity posture. Timothy G. Brown, CISO of SolarWinds, was recently charged by the SEC with fraud and internal control failures related to cybersecurity risks, a cautionary tale for CISOs and their organisations. Accurate statements require a thorough understanding of the organisation's actual security controls and the ability to translate that understanding into language investors and regulators can act on.
Jonathan Gill, CEO of Panaseer, advocates for robust and comprehensive security management tools: "As the regulatory landscape becomes increasingly complex, CISOs are getting caught in the crossfire. Yet while Business Intelligence and analytics tools have been commonplace in finance, sales, and leadership for decades, CISOs are left to rely on data from disparate tools with no single, trusted view. They're forced to work with one hand tied behind their back, and the Sword of Damocles dangling over their heads. As the stakes keep getting higher, CISOs need a system of record they can trust to ensure they are reporting accurately and in good faith."
Gill emphasises the necessity of a unified, transparent view of every asset in the organisation, including who owns each asset and who is responsible for securing it. Such contextually rich data enables CISOs to quantify risk, close security gaps, and communicate effectively with the board and the enterprise risk management (ERM) team. This comprehensive approach helps build a culture of accountability and provides a reliable foundation for regulatory filings and investor communications.
Panaseer recommends that CISOs focus on oversight and assurance of their security tools, confirming that the tools are deployed, operational, and effective across all assets. This approach helps produce reports that reflect the organisation's true cybersecurity posture, reduces the risk of legal repercussions, and fosters trust with investors.