Threat intelligence: a basis for sound cyber disclosures

Stronger threat intelligence means more informed decisions about cyber risk management — and SEC cyber disclosures

  • Objective analysis by threat intelligence can help determine the scale of the incident, the sophistication of the threat and the potential impact of the incident. This is information needed in determining whether a cyber incident is material and subject to disclosure in accordance with the new SEC rule.
  • A strong threat intelligence program can also bolster an organization's ability to identify, protect, detect, respond and recover — core functions of cyber resilience and risk management — which are now the subject of expanded SEC disclosures.
  • Threat intelligence can provide objective rationale for cyber risk management practices to fortify security operations and broader business decisions against future threats.

One of the core objectives of threat intelligence is to put threat activity in context within the organization, within an industry, within a geography, and in comparison to other industries. Contextualizing helps answer the question: How serious is this threat to our business?

Contextualization is important to inform decision makers and other stakeholders about the nature of threat activity, the scale and scope of observed threat actor operations, the motivations driving threat actors, and a myriad of other factors such as geopolitical issues as well as advancements in technology and security practices.

These insights equip organizations with the necessary context for distinguishing a singular, innocuous incident from a broader breach or highly sophisticated and persistent threat to the organization involving a series of related occurrences.

Without sound threat intelligence, it is impossible to respond quickly to breaches when information is incomplete. Threat intelligence has been an important foundation for response, remediation and communication strategies during and after an incident, as well as for recommendations on future efforts to improve a company’s cyber posture.

Without sound threat intelligence, it would be challenging to comply with the new SEC rule on disclosing material cyber incidents.

In July 2023, the SEC issued a new disclosure rule related to cybersecurity that applies to all SEC registrants reporting under the Securities Exchange Act of 1934. The rule requires timely disclosure of certain information about a cyber incident if the incident is determined to be material, beginning December 18, 2023.

The use of threat intelligence in making judgments about materiality of cyber incidents

To apply the securities law materiality standard in the context of a cyber incident, it is important that companies are prepared to conduct an objective analysis of both quantitative and qualitative factors, including evaluation of an incident’s impact and reasonably likely impacts. There’s often a high degree of judgment in making a materiality determination, and it can benefit from an informed and deliberative threat intelligence program.

Threat intelligence can enhance leaders’ confidence in determining materiality of a cyber incident. Specifically, threat intelligence can provide timely and accurate information on aspects of the threat landscape including technical indicators, threat actor techniques, threat actor motivation (espionage, financial) and in some cases, origin and sponsor. The CISO or CIO needs threat intelligence insights so they can escalate properly and promptly — in the right context — to the CFO, General Counsel, and disclosure committee. The CFO needs solid and judicious information to apply the materiality standard in a defensible manner. The General Counsel needs information that is properly qualified to help in making legal judgments about an event or incident. By properly qualified, we mean information that is provided within the context of what’s known, yet unknown, or still developing. Threat intelligence can contribute to a clear process and methodology to articulate and substantiate the analysis behind the materiality evaluation.

By investigating questions like the following, threat intelligence can help assess both quantitative and qualitative factors in determining materiality.

What was the nature of the attack?

  • Is the incident an isolated issue?
  • Is it linked to other events identified within the organization? (i.e., does a series of occurrences in the organization relate to a single aggregated incident?)
  • Is it a component of a larger campaign affecting numerous victims?


The effective use of threat intelligence for expanded disclosure requirements

The new SEC cyber disclosure rule requires SEC registrants to comply with expanded disclosure requirements beginning with annual reports for fiscal years ending on or after December 15, 2023. These requirements will stress test how effectively organizations define and identify cyber risk and incidents in their environment, something that strong threat intelligence practices can support.

The specific requirements for risk management and strategy have two parts:

  1. Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
    1. Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
    2. Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
    3. Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
  2. Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

Here’s how you can quickly check how well you’re putting threat intelligence capabilities at the service of better cyber risk management and disclosures.

Strategy and prioritization

  • Do you use threat intelligence to prioritize threats and issues most relevant to the organization, distinguishing the material risks from the rest?
  • Do you apply that framework to internal stakeholders, such as security operations and management?
  • Does threat intelligence inform decisions that may affect the organization’s security posture?
  • Does it help the organization meet its regulatory and compliance requirements?

Bottom line

Threat intelligence can be a powerful resource for the CISO, CIO, CFO, General Counsel and disclosure committee. The strength and discipline of threat intelligence goes to the heart of making well-informed decisions — both in the determination of the materiality of a particular cyber incident and in addressing a risk that the cyber strategy is meant to mitigate.