Streamlining material code change detection and response for SEC compliance

TL;DR: Apiiro can help companies ensure SEC compliance by automating material change detection, contextually triggering the appropriate security responses (penetration test, threat model, risk-based code review, etc.), and arming teams with quantifiable evidence to disclose their risk management processes.

A few months ago, the SEC issued a new disclosure rule after observing that disclosure practices regarding cybersecurity incidents, risk management, and governance have been inconsistent—despite interpretive guidance issued by the SEC in 2011 and 2018. Amongst other things, the new rule outlines that starting as early as December 2023, organizations must disclose information about cybersecurity incidents that are determined to be “material” within four business days—a much shorter timeline than previously required.

The rule also stipulates that organizations must detail the internal processes that exist for assessing, identifying, remediating, and managing material risks, so that public companies can deliver “enhanced, consistent, comparable and decision-useful disclosures that would allow investors to evaluate public companies’ exposure to material cybersecurity risks and incidents and their ability to manage and mitigate those risks.”

To rise to the challenge, publicly traded companies will need a risk management and cybersecurity program that is robust enough for them to be able to identify, respond, and communicate their findings, not just internally, but publicly in greater detail than they have previously.

What is materiality in the SEC rule for cybersecurity?

Although the SEC disclosure rule includes examples of cybersecurity incidents that they deem “material,” the definition of materiality is broad, leaving teams to grapple with this ambiguity.

Their definition of materiality relies on federal securities law materiality, which deems something material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” This includes both quantitative and qualitative factors like:

• Harm to a company’s reputation
• Disruption to business operations
• Harm to a company’s customer or vendor relationships
• Harm to competitiveness
• The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities
• Impact on business value
• Actual and expected direct and indirect costs stemming from the incident

Applying this definition in the context of security requires a cross-functional effort across security, technology, financial, and legal teams. The challenge is that for every organization, this materiality judgment will look different depending on your specific application architecture and business context.

To meet the SEC requirements, you’ll need a well-defined process not only for detecting and determining that a security incident is material but also for responding to and disclosing these material incidents. Plus, you’ll need a way to share foundational knowledge and report on your organization’s security posture to bridge the gap across internal teams and the board.

For application security teams, managing ‘material’ risk in software development has always been, and will remain, paramount. To accomplish this under the SEC directives at scale, Apiiro is here to help!

Detecting, addressing, and disclosing materiality in application security issues with Apiiro

When you’re evaluating how to improve your strategy to better align with the new rules, consider automating materiality detection, response, and disclosure so you can consistently address material risk. In software development, material risk includes not just material incidents or events, but also material changes to your code.

Apiiro’s deep application security posture management (ASPM) platform automates material change detection for real-time and continuous coverage, control, and visibility throughout the lifecycle of a change, so you can easily meet the new SEC disclosure rules. Here’s how Apiiro can help at each stage of the process:

Detection: Material change detection and assessment

Detecting and determining materiality in the software development process is complex. From an application security lens, a material change is any change that has the potential to introduce significant risk to the application, infrastructure, or open source code. Understanding whether or not a change is actually risky—and to what degree of risk it poses—to your organization depends on factors like the potential likelihood of a risk materializing—given your unique application architecture and the nature of the finding—as well as the potential impact such a risk would have on your business or application.

This means that making a materiality judgment requires an in-depth understanding of application and software supply chain components (data models, entry points, pipelines, etc.), developer behavior intelligence, and continuous, change-based visibility across your codebase—something that does not scale when detecting and assessing materiality using traditional application security tools or attempting to do so manually.

Apiiro does exactly that. By connecting to your source control management (SCM) and to tools across your development process (AST tools, CI/CD pipelines, K8 clusters, and more), Apiiro builds an inventory of all applications, components, dependencies, and risk, and correlate security signals across your entire attack surface. With this unparalleled visibility, the platform is uniquely positioned to automatically analyze a number of contextual factors to automatically determine the likelihood and impact of a risk to your organization, flag the change as a material risk, and prioritize the risk in alignment with your organization’s policy.

This can help answer critical questions like:

• Does this change introduce risk that is reasonably or likely to be material?
• Are we capturing related occurrences that should be considered together?
• Do we have the information needed to disclose the nature, timing, and scope of the change as well as its potential impacts?

Being able to programmatically answer those questions ensures that materiality detection and assessment are made “consistently” and “without unreasonable delay” after discovery while drastically reducing investigative hours and streamlining operational risk management.

Response: Responding to material change

One of the core challenges in complying with this SEC rule is providing evidence to show that your detection and response to these material changes is done in a consistent, data-driven manner. In a world where teams still rely on self-attestation and subjective criteria to drive risk assessment, threat modeling, penetration tests, and critical security processes, producing this evidence (especially in a short amount of time) sometimes just isn’t feasible. This creates a huge burden of proof for security teams and developers, and it also adds friction between teams and auditors.

With Apiiro, you can automate material change response by creating policies and workflows that automatically trigger the appropriate security response (penetration test, threat model, risk-based code review, etc.) based on the change, its business impact, and other factors.

Apiiro also captures relevant insights, like tying changes back to code owners, a timeline of each material change, and detailed context so you can understand and communicate the impact of a risky material change, both to internal and external stakeholders.

With this approach, you can easily answer questions like:

• Can we show what mechanisms are in place to evaluate a change’s impact?
• Can we prove that we made a data-driven decision in our response to this change?

This not only streamlines your response but also arms your teams with quantitative evidence that data-driven response protocols are applied consistently and objectively, ultimately reducing the burden of documenting and defending your response to each material change.

Disclosure: Documenting and communicating material events

Under the new rule, if harm is foreseeable or possible, organizations are required to disclose information within four business days of determining that a ‘cyber incident’ is material. Meaning, that teams will need to quickly capture details around the nature and impact of the material change or event as they’re actively assessing and responding to these risks. This is a tight turnaround and an additional impediment for security teams that are already racing against the clock to match the rapid pace of development.

The challenge is that most security tools, like application security testing (AST) and application security orchestration and correlation (ASOC) tools, fall short of capturing this information. Although they have promised holistic visibility into their security posture to assess and manage their organizational risk, they lack connection to the broader software development lifecycle, making it challenging for teams to understand the full picture of risk and glean insights into their security posture.

By unifying risk visibility, prioritization, and remediation as well as automating many of the time-consuming, complex tasks involved in the material change assessment and response processes, Apiiro empowers you to automatically track the entire end-to-end lifecycle of a material change so you always have attestation documentation ready, including:

• Specific, quantifiable criteria for materiality determination,
• Likelihood, impact, and severity of this material change
• Steps taken to mitigate or remediate and the individuals involved in the process
• Safeguards implemented to avoid repeating risk introduction
• Metric tracking for holistic analysis of your entire security posture.

Showcasing this evidence makes it possible to testify that your cybersecurity risk management, strategy, and governance meet SEC stipulations.

If you’re curious to dive deeper into the mechanics of Apiiro’s automated material change assessment process, we’ve mapped out the process in this post. Or, to learn more about automating your material change detection for SEC compliance, schedule an Apiiro demo to see it in action.