Material Determination – The Role of Application Security
The US Federal Securities and Exchange Commission's (SEC) new Cybersecurity Disclosure rules came into effect today. The rules require companies to report to the SEC, on the new Form 8-K, any “cybersecurity incident they determine to be material and describe the material aspects of the nature …”.
If you work in cybersecurity, it is worth reading their fact sheet (here).
The SEC has chosen the term “material” intentionally and has not provided clear guidance, within the context of cybersecurity breaches, on how a company is to determine what is material and what is not.
I’m not a lawyer, and under no circumstances should you take legal advice from me. But as a non-lawyer I’d like to discuss the role application security plays in how I think materiality will be decided.
Asking my good friend ChatGPT, she recommends that the following factors be considered when determining whether a cyber incident is material:
- Magnitude of the Incident
- Financial Impact
- Reputational Impact
- Legal and Regulatory Implications
- Operational Disruption
I think these are all good aspects to look at, so I’ll stick with them.
Here’s my hypothetical for this discussion. A software company hasn’t put a robust application security program in place. As such, they are not conducting security testing, software composition analysis, or other application security practices. They are SOC 2 compliant, but pretty much a paper tiger when it comes to actually embracing compliance. Unbeknownst to them, a popular open-source package they use extensively has a serious exploitable vulnerability. Despite a patch having been available for several months, they are oblivious to the risk that exists in their product. Hackers find this out, and the company is compromised.
My hypothesis is that the lack of an application security program will directly contribute to their having to declare this breach as material, and thus reportable to the SEC.
Magnitude of the Incident
This exploitable vulnerability exists in an open-source package used across the company’s product. This significantly increases the magnitude of the incident, enlarges the exploitable attack surface, and enables the hackers to conduct lateral movement within the environment.
Reputational Impact
Depending on how they want to fill out Form 8-K or notify their customers, the story could sound like “we failed to patch something that could have been patched months ago,” or something just as bad. Someone will take their spin and convert it into “they failed to do basic cyber hygiene.” Customers will question whether they can continue to trust a company that can’t do the basics. The reputational impact will be significantly higher than if their answer had been “despite a robust security program, an unforeseeable zero day was exploited.”
Legal and Regulatory Implications
First of all, any auditor worth their salt will take a close look at the evidence you previously provided demonstrating that you had processes in place to prevent this vulnerability from being in your product. This will include looking at your application security program. Do your policies say you have one, while it really isn’t implemented across the board? You can rightfully expect additional risk to maintaining your current certifications.
Secondly, if you sell software to the US Government, you may have had your CEO attest that all software was developed under NIST 800-218, the Secure Software Development Framework (SSDF). The SSDF is designed to help prevent this situation, and it does require, at a minimum, vulnerability scanning in development and processes to keep everything patched. If I’m the Government, I’m going to start asking some hard questions about that attestation and what your actual level of compliance with the SSDF is.
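As an added illustration (not part of this article), here is a small Python check of the kind an SCA step would run in development: it compares installed dependency versions against an advisory list and reports how long each unapplied fix has been available, which is exactly the “patchable for months” window that drives the reputational and regulatory points above. Package names, versions and dates are constructed, and versions are assumed to be plain dotted numerics.

```python
from datetime import date

# Constructed sample inventory: package -> installed version (no real projects).
INSTALLED = {"widgetlib": "1.4.2", "netparse": "3.0.0", "tinylog": "0.9.1"}

# Constructed advisories: first fixed version and the date that fix shipped.
ADVISORIES = [
    {"package": "widgetlib", "fixed_in": "1.4.5", "fix_date": date(2023, 8, 1)},
    {"package": "netparse", "fixed_in": "2.8.0", "fix_date": date(2023, 3, 15)},
    {"package": "unusedpkg", "fixed_in": "2.0.0", "fix_date": date(2023, 1, 1)},
]


def parse_version(version: str) -> tuple:
    """Split a dotted numeric version into a comparable tuple (assumes numeric parts)."""
    return tuple(int(part) for part in version.split("."))


def unpatched_exposure(installed: dict, advisories: list, today: date) -> list:
    """Return installed packages still below a known fixed version, with the
    number of days the fix has been available; oldest unapplied fix first."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue  # package not in this inventory
        if parse_version(current) < parse_version(adv["fixed_in"]):
            findings.append({
                "package": adv["package"],
                "installed": current,
                "fixed_in": adv["fixed_in"],
                "days_patch_available": (today - adv["fix_date"]).days,
            })
    return sorted(findings, key=lambda f: f["days_patch_available"], reverse=True)


def report(findings: list) -> str:
    """Render findings as lines an audit or incident working file could cite."""
    if not findings:
        return "No known-fixed vulnerabilities outstanding."
    return "\n".join(
        f"{f['package']} {f['installed']} -> fix {f['fixed_in']} available for "
        f"{f['days_patch_available']} days" for f in findings)


if __name__ == "__main__":
    print(report(unpatched_exposure(INSTALLED, ADVISORIES, date(2023, 12, 18))))
```

Run against a real lockfile and a real advisory feed, the same exposure-days figure is what an auditor would ask for when deciding whether the program existed on paper only.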
Conclusion
There is no such thing as perfect cybersecurity, and no application security program is going to change that. However, I believe a robust application security program can reduce the risk of a material cybersecurity breach occurring. Even when there is a cybersecurity breach, I believe that, depending on the nature of the breach, having a robust application security program will influence the determination of whether the breach is material.
If you do not have a robust application security program, think of it this way. You can pay the price for cybersecurity now or later, but you will pay. The investment made to avoid making new headlines is hard to quantify, for sure, but it is still an investment worth making.
Comment (Senior Business Development Manager, AWS Government Regions, 1y): Great write-up, a lot of paper tigers out there.