How New SEC Regulations Impact Mobile App Security and What Businesses Need to Know

Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.

July 03, 2024

New U.S. Securities and Exchange Commission (SEC) regulations for cybersecurity disclosures will reshape how companies report on risk management strategies and disclose and manage security incidents. Changes to the federal government agency’s reporting requirements took effect in December 2023.

Experts expect the mandatory enhanced cybersecurity disclosures to compel companies to enhance proactive protection measures to better manage risk. NowSecure Founder Andrew Hoog recently shed light on the intersection of mobile app security and regulatory disclosures in a NowSecure Connect 2024 virtual conference session, “Analyzing the Impact of the SEC’s New Cybersecurity Rules.” Here’s a deep dive into what security, privacy and compliance managers and executives need to know about these new requirements and the implications for mobile app risk.

Why Focus on Cybersecurity Risk?

Security practitioners often face the challenge of translating technical issues into business terms. Hoog pointed out that security teams often receive pushback from C-suite executives because they talk at a highly technical level that business leaders don’t understand.

“Risk is the language of business,” said Hoog. Speaking in this universal language of business enables clearer communication with executives and board members. Understanding and articulating security and privacy issues in terms of business risk makes it easier to secure the necessary resources and support.

In addition, mastering the language of risk can aid career advancement, particularly for those who aspire to senior security roles such as Vice President of Application Security or Chief Information Security Officer (CISO). It positions security professionals as strategic partners in the business rather than simply technical experts. “The more you have the ability to translate technical language into business language, the better positioned you’ll be to move into those roles,” advised Hoog.

Viewing security through the lens of risk helps in understanding the broader impact of security incidents. High-profile breaches in healthcare, for instance, can disrupt entire regions and services, illustrating the far-reaching consequences of cybersecurity failures.

“Risk is the language of business.” – NowSecure Founder Andrew Hoog

The SEC Mission and Cybersecurity

The U.S. Securities and Exchange Commission (SEC) oversees more than $100 trillion in securities trading in U.S. equity markets annually. The SEC’s mission is to regulate the securities industry to protect investors; maintain fair, orderly and efficient markets; and facilitate capital formation. The agency enforces laws requiring public companies to disclose meaningful financial information and other information to the public to ensure investors have access to the facts they need to make informed investment decisions.

New SEC rules took effect in December 2023 requiring companies to address cybersecurity risk management, strategy and governance in annual reporting and disclose cybersecurity risks and incidents when they occur. These rules aim to provide investors with better information to assess the cybersecurity posture of companies. Security leaders should know about two key SEC documents for reporting on cybersecurity: Form 10-K and Form 8-K.

Materiality in Cybersecurity

Materiality refers to the significance of an incident in affecting a company’s financial condition, operations, reputation, or legal standing. The SEC’s focus on materiality ensures that only significant incidents are reported, avoiding the noise of minor events.

“The SEC isn’t looking for if you had your website scanned or had a little blip here,” said Hoog. “They’re talking about an incident that will materially affect the business in which the average investor would say, ‘I need to know about that attack to be able to determine whether or not it’s going to impact that particular company.’”

Mobile App Risk Underrepresented

The SEC maintains an online database called EDGAR (Electronic Data Gathering, Analysis and Retrieval) that provides access to corporate filing submissions. The publicly accessible resource offers an API and publishes data in XBRL format for developers to integrate into their systems.

Hoog parsed and analyzed the SEC data to explore the Form 8-K and Form 10-K disclosures for companies. Watch the NowSecure Connect 2024 session replay to view his analysis and see up-to-date information in his Cybersecurity Incident Tracker and Cybersecurity 10-K Tracker tools.

Not surprisingly, most of the incident disclosures came from financial companies, but the data also showed cyberattacks against healthcare, industrial and technology companies. Most disclosures attributed the attacks to criminal organizations, but nation-state attacks are on the rise and accounted for a few of them.

Mobile apps power customer engagement and revenue generation. For example, Starbucks reports that more than 33% of its revenue flows through its mobile app. But despite the prevalence and importance of mobile apps in driving business value, they are conspicuously absent in most companies’ cybersecurity disclosures.

Only 0.4% of some 3,600 analyzed 10-K filings mention mobile app security, a glaring oversight given that mobile apps account for approximately 70% of Internet traffic. “Companies either drive revenue with their mobile applications or drive customer loyalty, and they’ve probably done it in a way in which they’ve reduced operational costs and increased efficiency,” said Hoog.

Mobile application security risks abound and NowSecure benchmark testing finds that 95% of mobile apps contain at least one security vulnerability. Failing to address mobile AppSec leaves companies open to significant brand damage and compliance penalties.

“Companies seem to be overlooking the reputational and legal impacts [of mobile apps in their SEC disclosures],” Hoog cautions. “Are you tying mobile risks to your cybersecurity strategy all the way through to revenue or retention in your business?” he asked. “I think that companies that do are going to be in the best position to be able to respond to an incident when it occurs.”