Are hackers more active this year? What is going on? If you have been seeing news about cybersecurity incidents with increasing frequency lately, this may be driven by new regulatory reporting requirements.
In mid-December 2023, new cybersecurity rules from the U.S. Securities and Exchange Commission (SEC) went into effect. Notably, companies must report material cybersecurity incidents within 96 hours (four days) in a Form 8-K.
We are already seeing their impact: in just the last month, 8-Ks disclosing cybersecurity incidents were released by Hewlett Packard Enterprise, Fidelity National Financial, First American Financial, and loanDepot. On December 18, VF Corp (the parent company of North Face and Vans) saw its stock price drop by over 7% after disclosing a cybersecurity incident under the SEC reporting rules.
Thanks to the new SEC rules, I expect to see more news about hacks and data breaches this year - and related stock price movements - but I don’t think it represents a significant increase in real cybersecurity incidents. Instead of burying skeletons in their closet, companies will be required to inform the public about what really happened (when it is significant enough to be “material”).
There is also a carve-out to delay disclosure of an incident, if it would risk national security or public safety. The FBI, in coordination with the Department of Justice, has issued guidance on how to request a delay - but you need to request a delay as soon as you decide that an 8-K filing is necessary.
At Anjuna, we see the impact of new security regulations and guidelines: not only the SEC’s disclosure requirements, but also the United States Executive Order on secure AI, the European Union’s DORA Regulation, the United Kingdom’s PRA SS2/21, and so on. That’s why the Anjuna Seaglass platform is built with compliance in mind. Using Confidential Computing in your preferred cloud, Anjuna Seaglass stops attackers and insider threats alike, helping you comply with the latest data security regulations, reduce the potential blast radius of critical vulnerabilities, and prevent breaches entirely.