Securing the Road Ahead: The Automotive Perspective of the New SEC Cybersecurity Rules

ROY BACHAR

Chief Business Officer

August 1, 2023

Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to providing details on the breach, companies will be required to also describe the timing of the incident, the impact, and measures taken in response to the incident.

This announcement by the SEC essentially categorizes material cybersecurity incidents as “major events” that require companies to file an 8-K report. Up until now it was unclear whether cybersecurity incidents are included in 8-K requirements. The disclosure comes with a very strict timeline, requiring companies to disclose information to investors within four (4) days of the determination the breach was material.

Objections were soon to follow. Companies are raging over the 4-day timeline, claiming that it’s too short and prevents executives from focusing on the actual incident and essential remediation. The NYSE has responded on behalf of its listed companies that premature reporting may cause additional damage and that in some cases reporting should be delayed.

The Impact of Cyber Disclosure on the Automotive Industry

The impact of automotive-related cybersecurity incidents has been a top priority for legislators around the globe. UNECE WP.29 R155, which requires automakers to closely monitor cybersecurity incidents related to vehicles, does not apply in the United States. However, US Automotive manufacturers (OEMs) are studying R155, as well as ISO/SAE 21434, very closely – they apply directly to vehicles sold in UNECE countries which include major markets such as Europe, Japan, Australia and more.

NHTSA is gradually adopting the flavor of R155 and shifting its focus on adding cybersecurity protective measures. In its latest response to the Right to Repair Act, NHTSA made it very clear that cybersecurity trumps the initial values behind the right of equipment owners to self-repair without relying on the OEMs.

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) expands the scope of impact of cybersecurity in the automotive ecosystem in their July 2023 release. NIST IR 8473 offers a cybersecurity framework profile for electric vehicle charging stations. Relying on a complex infrastructure, interconnectivity and multiple data networks, EV charging stations leave users as well as power grids vulnerable to a wide range of cybersecurity risks.

Other countries, including China, are also investing tremendous efforts in new regulations that will protect not only the safety of vehicles, but also the sensitive data produced by connected vehicles.

The million dollar question, or in the case of the Automotive industry the billion dollar question, is how will this impact the reporting of automakers regarding cybersecurity breaches and incidents.

Up until now, OEMs were working behind the scenes to remediate cyber risks. Very little information was disclosed to the media and investors. Based on Upstream’s research, during 2022 there were 268 publicly disclosed cybersecurity incidents in the automotive and smart mobility ecosystem. We assume this is just the tip of the iceberg, as incidents grow in frequency, scale and sophistication. According to Upstram’s research, the same assumption also applies to the complex EV charging supply chain, which experienced a sharp rise in cybersecurity incidents, accounting for 4% of total automotive cybersecurity attacks.

Another element that needs to be considered is the definition of “material” cybersecurity breach. Is an incident related to cyber-based car theft considered “material”? What about if there were hundreds of vehicles stolen due to cybersecurity vulnerability? Is “materials” only related to safety or also to data breaches or financial impact.

In addition, the four-day clock starts to tick only after the OEM determines that a cybersecurity incident is material. This requirement adds ambiguity to the process and may encourage OEMs to take a counter-intuitive strategy to stretch cybersecurity investigations instead of working effectively to remediate risks as soon as possible.

How will investors react to automotive-related cybersecurity breaches will be put to the test. But how consumers will react is also extremely important. Will this new requirement lead to new standards for vehicle safety, similar to crash testing standards?

Bottom line, from a strategic perspective, this new SEC reporting requirement establishes the importance of cybersecurity incidents and breaches and will help raise awareness by investors, the media and most importantly consumers. The SEC rule takes an enormous leap forward when it comes to the Automotive industry, now requiring OEMs, EV charging suppliers, and many other stakeholders to keep a close monitoring of cybersecurity risks, breaches and incidents, put in place proper detection and response platforms, establish effective workflow and playbooks to remediate risks, and report on a timely manner.

Newsletter Icon

The 2024 Global Automotive Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

Upstream Appoints Dr. Martin Hofmann to the Advisory Board to Accelerate Digital Transformation Across the Automotive Ecosystem

The automotive industry is undergoing a seismic transformation—vehicles are no longer just machines; they are intelligent, connected ecosystems generating vast amounts of data. With this…

Read more

ALPR Cameras in the Crosshairs: A Deep Dive into Critical Cyber Vulnerabilities

In a striking revelation, recent investigations have unearthed critical security vulnerabilities in a popular brand of HD automated license plate recognition (ALPR) cameras. Widely employed…

Read more

The Holy Grail of Vehicle Quality: Using Connected Vehicle Data for Recall Cost Reductions

The recent recall of approximately nearly 200,000 plug-in hybrid electric vehicles of a global OEM has once again shone a spotlight on the challenges facing…

Read more

The US Commerce Department Finalizes The New Cyber Rule, Reshaping Automotive Supply Chains

In a landmark decision to bolster national security, the US Department of Commerce has finalized a new rule aimed at safeguarding the supply chains of…

Read more
Skip to content