Securing the Road Ahead: The Automotive Perspective of the New SEC Cybersecurity Rules

ROY BACHAR

Chief Business Officer

August 1, 2023

Cybersecurity has been recently positioned as a top priority by the SEC, requiring corporate America to disclose information on material cyber attacks. In addition to providing details on the breach, companies will be required to also describe the timing of the incident, the impact, and measures taken in response to the incident.

This announcement by the SEC essentially categorizes material cybersecurity incidents as “major events” that require companies to file an 8-K report. Up until now it was unclear whether cybersecurity incidents are included in 8-K requirements. The disclosure comes with a very strict timeline, requiring companies to disclose information to investors within four (4) days of the determination the breach was material.

Objections were soon to follow. Companies are raging over the 4-day timeline, claiming that it’s too short and prevents executives from focusing on the actual incident and essential remediation. The NYSE has responded on behalf of its listed companies that premature reporting may cause additional damage and that in some cases reporting should be delayed.

The Impact of Cyber Disclosure on the Automotive Industry

The impact of automotive-related cybersecurity incidents has been a top priority for legislators around the globe. UNECE WP.29 R155, which requires automakers to closely monitor cybersecurity incidents related to vehicles, does not apply in the United States. However, US Automotive manufacturers (OEMs) are studying R155, as well as ISO/SAE 21434, very closely – they apply directly to vehicles sold in UNECE countries which include major markets such as Europe, Japan, Australia and more.

NHTSA is gradually adopting the flavor of R155 and shifting its focus on adding cybersecurity protective measures. In its latest response to the Right to Repair Act, NHTSA made it very clear that cybersecurity trumps the initial values behind the right of equipment owners to self-repair without relying on the OEMs.

The U.S. Department of Commerce National Institute of Standards and Technology (NIST) expands the scope of impact of cybersecurity in the automotive ecosystem in their July 2023 release. NIST IR 8473 offers a cybersecurity framework profile for electric vehicle charging stations. Relying on a complex infrastructure, interconnectivity and multiple data networks, EV charging stations leave users as well as power grids vulnerable to a wide range of cybersecurity risks.

Other countries, including China, are also investing tremendous efforts in new regulations that will protect not only the safety of vehicles, but also the sensitive data produced by connected vehicles.

The million dollar question, or in the case of the Automotive industry the billion dollar question, is how will this impact the reporting of automakers regarding cybersecurity breaches and incidents.

Up until now, OEMs were working behind the scenes to remediate cyber risks. Very little information was disclosed to the media and investors. Based on Upstream’s research, during 2022 there were 268 publicly disclosed cybersecurity incidents in the automotive and smart mobility ecosystem. We assume this is just the tip of the iceberg, as incidents grow in frequency, scale and sophistication. According to Upstram’s research, the same assumption also applies to the complex EV charging supply chain, which experienced a sharp rise in cybersecurity incidents, accounting for 4% of total automotive cybersecurity attacks.

Another element that needs to be considered is the definition of “material” cybersecurity breach. Is an incident related to cyber-based car theft considered “material”? What about if there were hundreds of vehicles stolen due to cybersecurity vulnerability? Is “materials” only related to safety or also to data breaches or financial impact.

In addition, the four-day clock starts to tick only after the OEM determines that a cybersecurity incident is material. This requirement adds ambiguity to the process and may encourage OEMs to take a counter-intuitive strategy to stretch cybersecurity investigations instead of working effectively to remediate risks as soon as possible.

How will investors react to automotive-related cybersecurity breaches will be put to the test. But how consumers will react is also extremely important. Will this new requirement lead to new standards for vehicle safety, similar to crash testing standards?

Bottom line, from a strategic perspective, this new SEC reporting requirement establishes the importance of cybersecurity incidents and breaches and will help raise awareness by investors, the media and most importantly consumers. The SEC rule takes an enormous leap forward when it comes to the Automotive industry, now requiring OEMs, EV charging suppliers, and many other stakeholders to keep a close monitoring of cybersecurity risks, breaches and incidents, put in place proper detection and response platforms, establish effective workflow and playbooks to remediate risks, and report on a timely manner.

Newsletter Icon

H1'2024 Report: Redefining Automotive & Smart Mobility IoT Cyber Risks

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

The 2024 Paris Olympics: Navigating the Escalated Cyber Threat Landscape

As the Paris Olympic Games approach, ensuring the safety and success of the event is paramount. Transportation systems and fleets are critical components in this…

Read more

European Legislators are Charging Ahead on IoT Cybersecurity Regulations

IoT devices have become deeply embedded in the automotive and smart mobility ecosystem, dramatically transforming industries with increased efficiencies and innovation. However, this rapid technological…

Read more

The US Federal Government Zooms in on IoT Cybersecurity

As IoT device usage continues to expand across various sectors in the US, government efforts to ensure that these devices are not only effective but…

Read more

The State of Automotive Cybersecurity: Key Insights from Auto-ISAC European Summit

We recently took part in the Auto-ISAC European Summit at the iconic BMW-Welt in Munich, gaining valuable insights into the evolving automotive cybersecurity landscape. As…

Read more