As of December 18, publicly owned companies operating in the U.S. are required to comply with the Securities and Exchange Commission’s (SEC) new set of rules requiring them to disclose “material” cyber incidents within 96 hours.
In an 8-K filing, breached organizations must describe the incident’s nature, scope, timing and material impact, including financial and operational.
The regulator has also added a new line item, Item 106, that will be included on a company’s annual Form 10-K filing.
This will require businesses to describe their process “for assessing, identifying, and managing material risks from cybersecurity threats.” Companies must also disclose their management’s ability to assess and manage material risks from cyber attacks. Companies that do not comply with the new regulations face major consequences.
Drivers behind the new cybersecurity ruling
Erik Gerding, Director of the SEC Division of Corporation Finance, explained that what drove this ruling is the fact that the potential cost of cybersecurity incidents to companies and their investors is rising at alarming rates. This adds to the need for better disclosures.
Gerding: “In my view, artificial intelligence and other technologies may enhance both the ability of public companies to defend against cybersecurity threats but also the capacity of threat actors to launch sophisticated attacks.”
Cyber incidents in the automotive industry
The automotive industry has experienced its share of material cyber incidents these past few years.
Here’s a snapshot of 2023 cybersecurity attacks covered by Upstream’s AutoThreat® PRO analysts:
- Attack against a Japanese OEM exposed 10 years of customer data, including vehicle geo-location
- Swiss multinational automotive supplier hit by large-scale ransomware attack impacting business operations
- German automotive service provider hit by cyber attack, impacting accessibility to multiple systems
- A US EV charging station network suffered a major data breach that exposed sensitive company data and customer private information (PII)
- A US fleet provider was a victim of a ransomware attack that resulted in drivers being unable to electronically log their on-road hours or track inventory
…and the list goes on.
In fact, it’s expected that automotive cybersecurity incidents will only grow in scale and severity.
With a confluence of factors at play, the cyber risk climate is nearing a boiling point. Cybersecurity threats are growing exponentially due to factors including:
- Vehicles becoming increasingly connected and software-defined – and therefore more susceptible to attacks
- Lower barrier to entry for threat actors – e.g. learn how to hack a car in 3 easy steps courtesy of social media (TikTok hacking challenge, anyone?)
- Greater reliance on information and third-party systems and cloud services
- Advent of GenAI – a force multiplier for malicious actors
New SEC rules – and the next steps for OEMs and mobility stakeholders
With the new SEC ruling coming into effect, the need for cybersecurity detection and response platforms such as Upstream’s V-XDR has never been more profound.
Why?
1. Fast time-to-security
With a cloud-based V-XDR solution such as Upstream’s, organizations benefit from protection from the get-go, as no agents have to be installed in the vehicles.
2. Automotive purpose-built detection and response
Vehicle XDR (V-XDR) solutions allow OEMs, automotive suppliers and mobility stakeholders to identify cybersecurity threats in near real time. With Upstream’s cybersecurity platform, automotive players can address these threats, at times before they escalate to material cybersecurity incidents.
3. Using threat intel to eliminate risks proactively
Threat intelligence is a critical tool in an organization’s arsenal.
Our cybersecurity threat intelligence solution, AutoThreat® PRO, offers in-depth insights into emerging threats and malicious actors based on deep and dark-web findings (e.g. chatter on private forums and marketplaces), tailored specifically to an organization’s use cases and profile. By adopting a prevent-first approach, organizations are better positioned in the fight against cybersecurity breaches.
4. Meeting disclosure timelines & reporting requirements
The SEC’s ruling that material cybersecurity incidents must be reported within 4 business days pits organizations against the clock, leaving many scrambling to assemble information on the cybersecurity incident.
Upstream’s platform makes it easier – and faster – to put together an overarching report of a security incident by providing an accurate timeline of the incident. The Upstream platform leverages deep contextual vehicle history to help pinpoint the ‘crumb trail’ leading up to the incident.
5. Enhanced Resilience and Response
As was their intention, the new SEC regulations are putting a bright spotlight on the importance of an organization’s cybersecurity posture and how well prepared they are to detect, respond, report and enhance their cybersecurity response strategies.
With Upstream’s platform and vehicle security operations center (vSOC) in their corner, automotive stakeholders can beef up their security posture. They gain a 360-degree view of the vulnerabilities and threats to their connected vehicles and fleets. These organizations can then leverage Upstream’s threat detection catalog and undertake preemptive action such as building out automated workflows to instigate remediation efforts. Ultimately, this helps organizations to boost their cybersecurity posture and comply with the new ruling.