Securing the Road Ahead: The Automotive Perspective of the New SEC Cybersecurity Rules

ROY BACHAR

Chief Business Officer

August 1, 2023

Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to providing details on the breach, companies will be required to also describe the timing of the incident, the impact, and measures taken in response to the incident.

This announcement by the SEC essentially categorizes material cybersecurity incidents as “major events” that require companies to file an 8-K report. Up until now it was unclear whether cybersecurity incidents are included in 8-K requirements. The disclosure comes with a very strict timeline, requiring companies to disclose information to investors within four (4) days of the determination the breach was material.

Objections were soon to follow. Companies are raging over the 4-day timeline, claiming that it’s too short and prevents executives from focusing on the actual incident and essential remediation. The NYSE has responded on behalf of its listed companies that premature reporting may cause additional damage and that in some cases reporting should be delayed.

The Impact of Cyber Disclosure on the Automotive Industry

The impact of automotive-related cybersecurity incidents has been a top priority for legislators around the globe. UNECE WP.29 R155, which requires automakers to closely monitor cybersecurity incidents related to vehicles, does not apply in the United States. However, US Automotive manufacturers (OEMs) are studying R155, as well as ISO/SAE 21434, very closely – they apply directly to vehicles sold in UNECE countries which include major markets such as Europe, Japan, Australia and more.

NHTSA is gradually adopting the flavor of R155 and shifting its focus on adding cybersecurity protective measures. In its latest response to the Right to Repair Act, NHTSA made it very clear that cybersecurity trumps the initial values behind the right of equipment owners to self-repair without relying on the OEMs.

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) expands the scope of impact of cybersecurity in the automotive ecosystem in their July 2023 release. NIST IR 8473 offers a cybersecurity framework profile for electric vehicle charging stations. Relying on a complex infrastructure, interconnectivity and multiple data networks, EV charging stations leave users as well as power grids vulnerable to a wide range of cybersecurity risks.

Other countries, including China, are also investing tremendous efforts in new regulations that will protect not only the safety of vehicles, but also the sensitive data produced by connected vehicles.

The million dollar question, or in the case of the Automotive industry the billion dollar question, is how will this impact the reporting of automakers regarding cybersecurity breaches and incidents.

Up until now, OEMs were working behind the scenes to remediate cyber risks. Very little information was disclosed to the media and investors. Based on Upstream’s research, during 2022 there were 268 publicly disclosed cybersecurity incidents in the automotive and smart mobility ecosystem. We assume this is just the tip of the iceberg, as incidents grow in frequency, scale and sophistication. According to Upstram’s research, the same assumption also applies to the complex EV charging supply chain, which experienced a sharp rise in cybersecurity incidents, accounting for 4% of total automotive cybersecurity attacks.

Another element that needs to be considered is the definition of “material” cybersecurity breach. Is an incident related to cyber-based car theft considered “material”? What about if there were hundreds of vehicles stolen due to cybersecurity vulnerability? Is “materials” only related to safety or also to data breaches or financial impact.

In addition, the four-day clock starts to tick only after the OEM determines that a cybersecurity incident is material. This requirement adds ambiguity to the process and may encourage OEMs to take a counter-intuitive strategy to stretch cybersecurity investigations instead of working effectively to remediate risks as soon as possible.

How will investors react to automotive-related cybersecurity breaches will be put to the test. But how consumers will react is also extremely important. Will this new requirement lead to new standards for vehicle safety, similar to crash testing standards?

Bottom line, from a strategic perspective, this new SEC reporting requirement establishes the importance of cybersecurity incidents and breaches and will help raise awareness by investors, the media and most importantly consumers. The SEC rule takes an enormous leap forward when it comes to the Automotive industry, now requiring OEMs, EV charging suppliers, and many other stakeholders to keep a close monitoring of cybersecurity risks, breaches and incidents, put in place proper detection and response platforms, establish effective workflow and playbooks to remediate risks, and report on a timely manner.

Newsletter Icon

The 2025 Global Automotive & Smart Mobility Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

Proactive Quality, Powered by AI: A New Era for Automotive Manufacturing

As global markets tighten and margins shrink, the automotive industry finds itself at a crossroads: how do we balance innovation with efficiency? Nowhere is this…

Read more

Beyond CVEs: Why Automotive Cyber Threat Intelligence Must Cast a Wider Net

The recent volatility of CVE funding is a wake-up call for the automotive industry to rethink its risk and threat intelligence strategy. In the world…

Read more

Agentic AI in Action – How Service-as-a-Software Is Reinventing Automotive Cybersecurity Operations

In my previous post, I explored the paradigm shift brought on by service-as-a-software and agentic AI – and what it means for the future of…

Read more

From Services to Software – What the Agentic AI Economy Means for Automotive Cybersecurity

We are at the dawn of a new era in software and service delivery – one where the traditional boundaries between human expertise and digital…

Read more
Skip to content