Securing the Road Ahead: The Automotive Perspective of the New SEC Cybersecurity Rules

Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to providing details on the breach, companies will be required to also describe the timing of the incident, the impact, and measures taken in response to the incident.

This announcement by the SEC essentially categorizes material cybersecurity incidents as “major events” that require companies to file an 8-K report. Up until now it was unclear whether cybersecurity incidents are included in 8-K requirements. The disclosure comes with a very strict timeline, requiring companies to disclose information to investors within four (4) days of the determination the breach was material.

Objections were soon to follow. Companies are raging over the 4-day timeline, claiming that it’s too short and prevents executives from focusing on the actual incident and essential remediation. The NYSE has responded on behalf of its listed companies that premature reporting may cause additional damage and that in some cases reporting should be delayed.

The Impact of Cyber Disclosure on the Automotive Industry

The impact of automotive-related cybersecurity incidents has been a top priority for legislators around the globe. UNECE WP.29 R155, which requires automakers to closely monitor cybersecurity incidents related to vehicles, does not apply in the United States. However, US Automotive manufacturers (OEMs) are studying R155, as well as ISO/SAE 21434, very closely – they apply directly to vehicles sold in UNECE countries which include major markets such as Europe, Japan, Australia and more.

NHTSA is gradually adopting the flavor of R155 and shifting its focus on adding cybersecurity protective measures. In its latest response to the Right to Repair Act, NHTSA made it very clear that cybersecurity trumps the initial values behind the right of equipment owners to self-repair without relying on the OEMs.

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) expands the scope of impact of cybersecurity in the automotive ecosystem in their July 2023 release. NIST IR 8473 offers a cybersecurity framework profile for electric vehicle charging stations. Relying on a complex infrastructure, interconnectivity and multiple data networks, EV charging stations leave users as well as power grids vulnerable to a wide range of cybersecurity risks.

Other countries, including China, are also investing tremendous efforts in new regulations that will protect not only the safety of vehicles, but also the sensitive data produced by connected vehicles.

The million dollar question, or in the case of the Automotive industry the billion dollar question, is how will this impact the reporting of automakers regarding cybersecurity breaches and incidents.

Up until now, OEMs were working behind the scenes to remediate cyber risks. Very little information was disclosed to the media and investors. Based on Upstream’s research, during 2022 there were 268 publicly disclosed cybersecurity incidents in the automotive and smart mobility ecosystem. We assume this is just the tip of the iceberg, as incidents grow in frequency, scale and sophistication. According to Upstram’s research, the same assumption also applies to the complex EV charging supply chain, which experienced a sharp rise in cybersecurity incidents, accounting for 4% of total automotive cybersecurity attacks.

Another element that needs to be considered is the definition of “material” cybersecurity breach. Is an incident related to cyber-based car theft considered “material”? What about if there were hundreds of vehicles stolen due to cybersecurity vulnerability? Is “materials” only related to safety or also to data breaches or financial impact.

In addition, the four-day clock starts to tick only after the OEM determines that a cybersecurity incident is material. This requirement adds ambiguity to the process and may encourage OEMs to take a counter-intuitive strategy to stretch cybersecurity investigations instead of working effectively to remediate risks as soon as possible.

How will investors react to automotive-related cybersecurity breaches will be put to the test. But how consumers will react is also extremely important. Will this new requirement lead to new standards for vehicle safety, similar to crash testing standards?

Bottom line, from a strategic perspective, this new SEC reporting requirement establishes the importance of cybersecurity incidents and breaches and will help raise awareness by investors, the media and most importantly consumers. The SEC rule takes an enormous leap forward when it comes to the Automotive industry, now requiring OEMs, EV charging suppliers, and many other stakeholders to keep a close monitoring of cybersecurity risks, breaches and incidents, put in place proper detection and response platforms, establish effective workflow and playbooks to remediate risks, and report on a timely manner.