On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules on cybersecurity disclosure by public companies. As they came out in the middle of the summer break you may well have missed them - so we have read them for you. As you might expect from the SEC, it's not exactly beach reading.
Reporting of Cyber Incidents
The first set of rules covers the reporting of cyber incidents. Public companies, manufacturers included, are now required to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material - the clock starts at the materiality determination, which itself must be made without unreasonable delay, not at the attack - and the filing must describe the material aspects of the incident's nature, scope and timing, and its material impact, or reasonably likely material impact, on the company. This will be straightforward where a manufacturer has a Cyber Incident Response and Recovery procedure rolled out across the organisation, so that the inputs are being managed from day 1 of the attack and the filing requirements are joined up with cyber activities at manufacturing locations away from corporate HQs.
The second part is more interesting. Item 106 of Regulation S-K, reported under the new Item 1C of Form 10-K, is all about cybersecurity risk management, strategy and governance, and how companies must describe these in some detail in their annual reports. This may seem straightforward, but on closer inspection it brings a new world of pain for listed businesses, as it opens up this complex area to significant new scrutiny.
Up until now, businesses have been able to make broad statements about their cybersecurity preparations, hiding behind bland assurances from their auditors and Big Four consultancies, or pointing at their cyber-insurance coverage as proof that all is well. Taking this down to the next level is going to invite much more rigorous questioning: Have you thought about this? Have you prepared for that? Have you protected against the other?
This is going to be problematic for manufacturing businesses, which will need to make clear what level of risk assessment they have conducted at each of their production facilities. Many will have done nothing in this area. Those that have will know that in many cases they are still in the world of unknown unknowns. With an abundance of legacy systems and older production technologies, they rarely have a clear idea of what technology they have in their production plants, let alone what vulnerabilities it contains. Companies are going to have to hustle to run detailed risk assessments, identify their technology assets and build a plan that shows they are taking cybersecurity seriously. That plan now needs to roll up from each production site, through the company executive and board of directors, into the annual filing. That is challenging enough when applied to IT-owned systems. If you have hundreds of manufacturing plants in different parts of the world, you have a mountain to climb to give your shareholders confidence that you are reducing the cyber risk to their investment in your company.
Many companies faced with such a conundrum launch a programme of in-depth site assessments to understand the risk position in each manufacturing facility. This is usually subcontracted to a third party that provides a reassuring layer of independence as well as deploying skilled and experienced resources.
These assessments invariably conclude that the site risk is high, based on a lack of detailed understanding of the technologies in place, little management awareness of the processes required, and no plan in place for responding to a cyber attack on the manufacturing systems.
Unfortunately, these assessments don't come cheap, and at the end of the process there is little budget left to dig deeper or to fix the issues raised. The process then languishes and the unknowns remain opaque.
A better approach is to tackle the problem from the bottom up - to work with the existing teams in each plant, providing them with the training needed to allow them to assess their cybersecurity posture and to build a plan to fix the issues identified.
They will bring an engineering mindset to the problem and will find creative ways of tackling this challenge, integrating it into the day to day operations and maintenance processes already in place.
This methodology - called Lean Cybersecurity - then integrates the reporting and visualisation of cyber posture across the business into current executive reporting processes. This, coupled with a business-wide Cyber Incident Response and Recovery protocol, will make the new SEC filing rules straightforward to deliver.
At Amovada, we understand the challenges organisations face in managing technical debt and cybersecurity risks in their manufacturing environments. Our expertise lies in assisting companies in implementing a holistic approach to address these concerns effectively. Our team of experienced professionals can conduct comprehensive assessments of your manufacturing systems, identify technical debt and cybersecurity risks, and provide tailored recommendations for prioritised maintenance activities. We offer strategic guidance in integrating cybersecurity measures, developing roadmaps, and establishing a culture of continuous improvement. With our support, your organisation can navigate the complexities of OT technical debt and cybersecurity, ensuring the safety, reliability, and resilience of your industrial operations. Contact Amovada today to embark on a journey towards optimised maintenance and robust cybersecurity in your manufacturing environment.