Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to providing details on the breach, companies will be required to also describe the timing of the incident, the impact, and measures taken in response to the incident.
This announcement by the SEC essentially categorizes material cybersecurity incidents as “major events” that require companies to file an 8-K report. Up until now it was unclear whether cybersecurity incidents are included in 8-K requirements. The disclosure comes with a very strict timeline, requiring companies to disclose information to investors within four (4) days of the determination the breach was material.
Objections were soon to follow. Companies are raging over the 4-day timeline, claiming that it’s too short and prevents executives from focusing on the actual incident and essential remediation. The NYSE has responded on behalf of its listed companies that premature reporting may cause additional damage and that in some cases reporting should be delayed.
The Impact of Cyber Disclosure on the Automotive Industry
The impact of automotive-related cybersecurity incidents has been a top priority for legislators around the globe. UNECE WP.29 R155, which requires automakers to closely monitor cybersecurity incidents related to vehicles, does not apply in the United States. However, US Automotive manufacturers (OEMs) are studying R155, as well as ISO/SAE 21434, very closely – they apply directly to vehicles sold in UNECE countries which include major markets such as Europe, Japan, Australia and more.
NHTSA is gradually adopting the flavor of R155 and shifting its focus on adding cybersecurity protective measures. In its latest response to the Right to Repair Act, NHTSA made it very clear that cybersecurity trumps the initial values behind the right of equipment owners to self-repair without relying on the OEMs.
The U.S. Department of Commerce National Institute of Standards and Technology (NIST) expands the scope of impact of cybersecurity in the automotive ecosystem in their July 2023 release. NIST IR 8473 offers a cybersecurity framework profile for electric vehicle charging stations. Relying on a complex infrastructure, interconnectivity and multiple data networks, EV charging stations leave users as well as power grids vulnerable to a wide range of cybersecurity risks.
Other countries, including China, are also investing tremendous efforts in new regulations that will protect not only the safety of vehicles, but also the sensitive data produced by connected vehicles.
The million dollar question, or in the case of the Automotive industry the billion dollar question, is how will this impact the reporting of automakers regarding cybersecurity breaches and incidents.
Up until now, OEMs were working behind the scenes to remediate cyber risks. Very little information was disclosed to the media and investors. Based on Upstream’s research, during 2022 there were 268 publicly disclosed cybersecurity incidents in the automotive and smart mobility ecosystem. We assume this is just the tip of the iceberg, as incidents grow in frequency, scale and sophistication. According to Upstram’s research, the same assumption also applies to the complex EV charging supply chain, which experienced a sharp rise in cybersecurity incidents, accounting for 4% of total automotive cybersecurity attacks.
Another element that needs to be considered is the definition of “material” cybersecurity breach. Is an incident related to cyber-based car theft considered “material”? What about if there were hundreds of vehicles stolen due to cybersecurity vulnerability? Is “materials” only related to safety or also to data breaches or financial impact.
In addition, the four-day clock starts to tick only after the OEM determines that a cybersecurity incident is material. This requirement adds ambiguity to the process and may encourage OEMs to take a counter-intuitive strategy to stretch cybersecurity investigations instead of working effectively to remediate risks as soon as possible.
How will investors react to automotive-related cybersecurity breaches will be put to the test. But how consumers will react is also extremely important. Will this new requirement lead to new standards for vehicle safety, similar to crash testing standards?
Bottom line, from a strategic perspective, this new SEC reporting requirement establishes the importance of cybersecurity incidents and breaches and will help raise awareness by investors, the media and most importantly consumers. The SEC rule takes an enormous leap forward when it comes to the Automotive industry, now requiring OEMs, EV charging suppliers, and many other stakeholders to keep a close monitoring of cybersecurity risks, breaches and incidents, put in place proper detection and response platforms, establish effective workflow and playbooks to remediate risks, and report on a timely manner.
Upstream’s 2024 Global Automotive Cybersecurity Report
Upstream Participates in TISAX, Accelerating Customer Onboarding & Ensuring Data Protection
In the fast-evolving landscape of the automotive industry, ensuring robust information security practices is paramount. Recognizing the significance of TISAX, the Trusted Information Security Assessment…Read more
Revving Up Safety: UN Regulation R155 Now Covers Motorcycles
On Jan. 26, the UNECE decided to include motorcycles, scooters, and electric bicycles in the scope of UNECE WP.29 R155. With this move, the UNECE…Read more
NIS2 Directive’s Impact on the Smart Mobility Ecosystem
The NIS2 Directive, expected to become mandatory in October 2024, aims to significantly enhance the cybersecurity framework within the European Union. It broadens the scope…Read more
CEO View: Yoav Levy on Future of Automotive Cybersecurity
DLD 2024 (Digital-Life-Design) is a world-renowned innovation conference, that provides a platform for people eager to change the world in the digital era. Yoav Levy,…Read more