Layer Seven Security

SAP Security Notes, December 2023

Hot news notes 3350297 and 3399691 patch a critical OS command injection vulnerability in SAP S/4HANA and ECC. The notes are only relevant for installations where the IS-OIL software component is active. You can use transaction SFW_BROWSER to check the status of the OIB_QCI and OI0_COMMON_2 switches in BUSINESS_FUNCTION_BASIS_COM and COMMODITY_MGMT_&_BULK_LOGISTIC. IS-OIL is active if both switches are on; the notes are not relevant if only the OI0_COMMON_2 switch is on. The corrections in the notes remove the Test Selected Routines option in report ROIB_QCI_CALL_TEST and block direct execution of function module OIB_QCI_SERVER.

Note 3411067 corrects multiple high-risk vulnerabilities in security integration libraries and programming infrastructure in the SAP Business Technology Platform (BTP) that could be exploited to escalate privileges. The note applies to all customers with applications developed on SAP BTP. The libraries are used to perform authentication and authorization checks calling SAP BTP Cloud Foundry Authorization and Trust Management Service (XSUAA) and SAP Cloud Identity Services – Identity Authentication (IAS). Customers should update the relevant integration libraries and programming infrastructure specified in the note to the recommended versions.

Note 3385711 provides a server-side fix in SAP NetWeaver AS ABAP for an information disclosure vulnerability that can be exploited in the SAP GUI clients for Windows and Java. The solution enables an authentication check to address the vulnerability.

Notes 3394567 and 3382353 deal with access control and cross-site scripting vulnerabilities in SAP Commerce Cloud and SAP BusinessObjects Business Intelligence, respectively.

SAP Security Notes, November 2023

Hot news note 3355658 patches a critical missing authentication check vulnerability in SAP Business One. The vulnerability has a CVSS Base Score of 9.6/10 with a high impact on confidentiality, integrity and availability. SAP Business One grants anonymous users read and write access to SMB shared folders. The impacted components are the Crystal Reports (CR) shared folder, the Traditional Mobile app (attachment path), RSP (log folder logic), the Job Service and BAS (file upload folder). The correction in the note modifies the SMB shared folder permissions so that only authenticated and authorized users have read and write access.

Note 2494184 was updated for a Cross-Site Request Forgery (CSRF) vulnerability impacting multiple SAP Sybase solutions, including ASE, Event Stream Processor, IQ, Replication Server, and SQL Anywhere.

Note 3362849 addresses an information disclosure vulnerability impacting the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. The required kernel patches to correct the vulnerability are specified in the note.

Note 3366410 patches an information disclosure vulnerability in SAP NetWeaver Application Server Java that allows attackers to enumerate valid user IDs by brute-forcing the Java Logon application. The vulnerability impacts version 7.50 of the J2EE Engine Server Core. Harvested user IDs are the usual precursor to password guessing, so failed logons from a single source against many different user IDs are worth monitoring even after the patch is applied.
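The following detection logic, added here as an example and not code from Layer Seven Security, SAP or the Cybersecurity Extension for SAP, shows how the two attack patterns behind this note are told apart in logon events: one source failing against many different user IDs (enumeration) versus repeated failures against one user ID followed by a success (password guessing). The event layout, the IP addresses and the user IDs are constructed; real AS Java security log entries have a different format and need their own parser.

```python
"""Detection logic for user-ID enumeration and password guessing against a
logon endpoint.

Added example for this article; not code from Layer Seven Security, SAP or the
Cybersecurity Extension for SAP. The event layout is constructed:
"<ISO timestamp> <source IP> <user ID> <result>", one event per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.23 cycles through many user IDs (enumeration),
# 203.0.113.7 hammers one account and then succeeds (password guessing),
# 192.0.2.44 is an ordinary user mistyping a password once.
SAMPLE_EVENTS = """\
2023-11-14T08:00:01Z 198.51.100.23 ADMIN LOGON_FAILED
2023-11-14T08:00:03Z 198.51.100.23 J2EE_ADMIN LOGON_FAILED
2023-11-14T08:00:05Z 198.51.100.23 SAPJSF LOGON_FAILED
2023-11-14T08:00:07Z 198.51.100.23 JSMITH LOGON_FAILED
2023-11-14T08:00:09Z 198.51.100.23 MJONES LOGON_FAILED
2023-11-14T08:00:11Z 198.51.100.23 ADMINISTRATOR LOGON_FAILED
2023-11-14T08:01:00Z 203.0.113.7 JSMITH LOGON_FAILED
2023-11-14T08:01:10Z 203.0.113.7 JSMITH LOGON_FAILED
2023-11-14T08:01:20Z 203.0.113.7 JSMITH LOGON_FAILED
2023-11-14T08:01:30Z 203.0.113.7 JSMITH LOGON_FAILED
2023-11-14T08:01:40Z 203.0.113.7 JSMITH LOGON_OK
2023-11-14T08:02:00Z 192.0.2.44 AKHAN LOGON_FAILED
2023-11-14T08:02:30Z 192.0.2.44 AKHAN LOGON_OK
"""


def parse_events(text):
    """Parse the constructed format into time-sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def detect_enumeration(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that fail logons for many *different* user IDs within a window.

    A sliding window per IP keeps the check linear in the number of events.
    Returns {ip: (window_start, window_end, sorted distinct user IDs)}.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures in window
    flagged = {}
    for ts, ip, user, result in events:
        if result != "LOGON_FAILED":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_distinct_users:
            flagged[ip] = (q[0][0], ts, sorted(users))
    return flagged


def detect_password_guessing(events, window=timedelta(minutes=5), min_failures=3):
    """Flag (ip, user) pairs with repeated failures for the *same* user ID.

    Returns {(ip, user): {"failures": n, "succeeded_after": bool}} so that a success
    following a burst of failures, the most worrying case, is visible in the result.
    """
    recent = defaultdict(deque)  # (ip, user) -> failure timestamps in window
    flagged = {}
    for ts, ip, user, result in events:
        key = (ip, user)
        q = recent[key]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "LOGON_FAILED":
            q.append(ts)
            if len(q) >= min_failures:
                entry = flagged.setdefault(key, {"failures": 0, "succeeded_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif result == "LOGON_OK" and key in flagged:
            flagged[key]["succeeded_after"] = True
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ip, (start, end, users) in detect_enumeration(evs).items():
        print(f"enumeration from {ip}: {len(users)} user IDs between {start:%H:%M:%S} and {end:%H:%M:%S}")
    for (ip, user), info in detect_password_guessing(evs).items():
        print(f"password guessing from {ip} against {user}: {info}")
```

The two detectors are deliberately separate: a threshold on total failures per IP alone would merge both patterns and also fire on a busy NAT gateway, whereas counting distinct user IDs per source isolates enumeration, and counting failures per (source, user) pair with the subsequent success recorded isolates the guessing attempts that actually got in.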

Security with SAP RISE: A Shared Model of Responsibility

SAP RISE is a cloud-based service offering from SAP that includes the private edition of SAP S/4HANA Cloud at the core. As part of the offering, SAP maintains privately managed, single-tenant accounts for each customer with hyperscale providers including AWS, Azure and GCP. The accounts are fully managed by SAP. Therefore, SAP acts as a cloud service provider and the customer is essentially a consumer of an SAP cloud service.

SAP customers are responsible for most aspects of security for on-premise deployments or cloud deployments managed directly with hyperscale providers. However, SAP RISE divides the responsibilities between SAP and customers.

As the cloud service provider, SAP assumes many of the responsibilities for security that would otherwise lie with the customer. This includes security at the hyperscaler and network level, as well as security for databases and servers, including operating systems for SAP servers.

Customers are responsible for the application and data layer. However, the responsibility for these areas can also be shared with SAP through optional Cloud Application Services (CAS) that extend the services delivered through SAP RISE. For example, SAP can assume the responsibility for identifying, analyzing, and implementing required security notes. However, this requires an additional CAS package that is not included in standard RISE services. If the customer does not obtain the package, the responsibility for analyzing and selecting notes for implementation lies with the customer. Once selected, the customer can create a service request for SAP to apply the notes.

The security of custom code is also the responsibility of each customer. Customers are encouraged to analyze custom code and remove obsolete, redundant and duplicate code to comply with SAP’s Clean Core principle. The remaining custom developments can be adapted and migrated to systems maintained by SAP Enterprise Cloud Services. However, customers are responsible for ensuring that the developments are secure and do not contain code-level vulnerabilities. RISE customers can secure custom SAP programs and applications using the SAP-certified Cybersecurity Extension for SAP (CES). CES supports the automated detection of code vulnerabilities in ABAP and UI5 applications. It can be used to support S/4HANA migrations and on-going development and maintenance activities for custom applications.

With the exception of SAP HANA, access control is also the responsibility of customers. This includes managing end user permissions and administrative privileges. Customers can opt-in for optional CAS packages that provide SAP managed services for this area. The Cybersecurity Extension for SAP can be used to monitor access privileges for systems in SAP RISE including segregation of duties violations and access to critical roles, profiles, transactions and authorizations at both the functional and technical level. This includes S/4HANA and supporting systems.

Security hardening is applied by SAP through standard builds used for each ABAP system. The builds include the mandatory security settings documented in SAP Note 3250501, covering security-relevant profile parameters, standard users, unused clients, vulnerable ICF services, system and client change options, and hardening of the RFC gateway and message server. Customers can override these settings after handover, so monitoring for drift from the hardening requirements should be automated. This can be performed using the Cybersecurity Extension for SAP. Compliance Reporting in CES will automatically identify compliance gaps for SAP systems against the requirements of SAP Enterprise Cloud Services (ECS) in Note 3250501.
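As an added illustration of what such a drift check does (example code, not from SAP, Layer Seven Security or the Cybersecurity Extension for SAP), the script below parses an instance profile in its usual name = value layout and compares it with a baseline. The profile excerpt is constructed, and the BASELINE values are illustrative assumptions rather than the requirements of Note 3250501, which this page does not reproduce; the only value taken from this page is system/secure_communication = ON. A parameter absent from the profile is reported as missing rather than assumed compliant, because the kernel default then applies and has to be verified separately.

```python
"""Compare an ABAP instance profile against a hardening baseline and report gaps.

Added example for this article; not code from SAP, Layer Seven Security or the
Cybersecurity Extension for SAP. BASELINE is an illustrative assumption, not the
content of SAP Note 3250501. The profile excerpt is constructed.
"""

# Constructed instance profile excerpt in the usual "name = value" layout.
SAMPLE_PROFILE = """\
# constructed profile, not from a real system
SAPSYSTEMNAME = S4H
INSTANCE_NAME = D00
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 1
system/secure_communication = ON
rdisp/gui_auto_logout = 0
snc/enable = 0
"""

# Illustrative baseline (assumption): parameter -> (comparison, expected value).
BASELINE = {
    "login/min_password_lng": ("ge", 8),
    "login/fails_to_user_lock": ("le", 5),
    "login/no_automatic_user_sapstar": ("eq", 1),
    "login/password_expiration_time": ("le", 90),
    "system/secure_communication": ("eq", "ON"),
    "rdisp/gui_auto_logout": ("between", (1, 3600)),  # 0 disables the timeout
}


def parse_profile(text):
    """Return {parameter: value} from profile text, ignoring comments and blank lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def _coerce(value, expected):
    """Numeric baselines are compared as integers; textual ones case-insensitively."""
    numeric = isinstance(expected, int) or (
        isinstance(expected, tuple) and all(isinstance(x, int) for x in expected))
    return int(value) if numeric else value.upper()


def check_compliance(params, baseline):
    """Return {parameter: (status, actual, expected)} with status OK, GAP or MISSING."""
    results = {}
    for name, (op, expected) in baseline.items():
        if name not in params:
            # Not set in the profile means the kernel default applies; that default
            # must be checked separately (e.g. RZ11), so report it instead of assuming.
            results[name] = ("MISSING", None, expected)
            continue
        try:
            actual = _coerce(params[name], expected)
        except ValueError:  # non-numeric value where a number is required
            results[name] = ("GAP", params[name], expected)
            continue
        if op == "eq":
            ok = actual == (expected.upper() if isinstance(expected, str) else expected)
        elif op == "ge":
            ok = actual >= expected
        elif op == "le":
            ok = actual <= expected
        elif op == "between":
            ok = expected[0] <= actual <= expected[1]
        else:
            raise ValueError(f"unknown comparison {op}")
        results[name] = ("OK" if ok else "GAP", params[name], expected)
    return results


def summarize(results):
    """Count results by status for a one-line report."""
    counts = {"OK": 0, "GAP": 0, "MISSING": 0}
    for status, _, _ in results.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    res = check_compliance(parse_profile(SAMPLE_PROFILE), BASELINE)
    for name, (status, actual, expected) in sorted(res.items()):
        print(f"{status:8} {name:36} actual={actual!r} expected={expected!r}")
    print(summarize(res))
```

Two caveats when using this against a real system: the instance profile is not the whole truth, because the default profile and dynamic changes made in RZ11 also shape the active value, so the comparison should run against the active parameter values (report RSPARAM exports them), and a profile that merely omits a parameter is only compliant if the kernel default for that release meets the requirement.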

The final area that customers are responsible for is logging and monitoring. SAP provides customers with access to application logs. Customers can request access to OS, DB and network logs. This is provisioned using a premium offering called LogServe. The application and infrastructure logs can be integrated with SIEM solutions to automate threat detection and response. Alternatively, customers can pay for SAP Enterprise Threat Detection (ETD), cloud edition, or opt for a 24/7 or 8/5 managed service from SAP based on ETD. Neither option is included in standard RISE services.

The cloud edition of ETD includes fewer than 50 patterns for detecting Indicators of Compromise (IOC) in SAP solutions. The Cybersecurity Extension for SAP provides more than 900 patterns to detect IOCs in SAP systems, including patterns for databases, operating systems, and standalone components such as the SAProuter and Web Dispatcher.

Overall, SAP RISE does not by itself transfer the responsibility for security patching, secure development, access control, hardening, and logging and monitoring from customers to SAP. Transfer is possible for some areas, but only through optional packages that are not included in standard RISE services. Customer and SAP responsibilities are detailed in a comprehensive matrix provided by SAP ECS for more than 1000 tasks. The matrix is a reference for standard, optional, and additional services, excluded tasks, and services available through CAS packages that are subject to additional service fees. Note that the matrix is subject to change by SAP.

SAP Security Notes, October 2023

Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher, and SAP Host Agent. The installation of CommonCryptoLib 8.5.50 or higher in impacted products is recommended to address the vulnerability. This can be performed by upgrading the relevant software components to the recommended versions detailed in the note.

Note 3333426 was updated for a Server-Side Request Forgery (SSRF) in the GRMG Heartbeat application of SAP NetWeaver AS Java. The vulnerability could lead to information disclosure that could be used to perform further attacks against AS Java. The update impacts support packs 25 and 26 for the software component LM-CORE.

Notes 3324732 and 3371873 address a log injection vulnerability in the Log Viewer of AS Java. The support package patches specified in the note implement encoding and validation for user input to address the vulnerability in the impacted components.

Notes 3372991 and 3357154 patch Cross-Site Scripting (XSS) and missing XML validation vulnerabilities in SAP BusinessObjects and SAP PowerDesigner Client, respectively.

Maximize Your SAP Security Budget: How to Cut Costs Without Downgrading Cybersecurity

According to a recent report from SAPinsider, almost two-thirds of organizations are placing cybersecurity projects on hold or scaling back planned investments in cybersecurity due to the current economic climate. Eighteen percent of organizations are reducing the size of cybersecurity teams. The latter can have a drastic effect on collaboration and morale. The impact is also long-lasting and difficult to reverse. According to the Ponemon Institute, it takes an average of 7.3 months to recruit and train security analysts. The training required by new analysts also draws time from experienced analysts, reducing the overall effectiveness of cybersecurity teams.

Organizations are experiencing budgetary and resource constraints against a background of rising cyber attacks. The SAPinsider report quotes JP Perez-Etchegoyen, CTO of Onapsis, “threat actors aren’t going to slow down because of a recession. The risk is real, and the impact is huge. We see threat actors targeting organizations even more now than before.”

This article discusses several ways organizations can manage cyber threats without increasing cybersecurity budgets or resources. In fact, many of the recommendations will lead directly to cost savings and the more efficient use of resources in cybersecurity teams.

1. Eliminate Duplicate Security Solutions

Based on research performed by IBM Security and the Ponemon Institute, organizations deploy an average of 45 security solutions. The quantity of tools used by organizations does not lead directly to improved cybersecurity. Organizations using 50 or more tools were ranked as less able to detect and respond to attacks than those using fewer tools. Increasing the number of security solutions creates complexity, requires more employee training, and creates integration issues. Since security solutions can also suffer from software vulnerabilities and widen the attack surface, too many solutions can increase both workloads for regular patching and aggregate risk.

SAP Application Lifecycle Management (ALM) platforms such as SAP Solution Manager, SAP Focused Run, and SAP Cloud ALM are widely-used for monitoring and diagnostics scenarios in SAP landscapes. With the exception of SAP Focused Run, usage rights for the platforms are included in SAP support agreements. The platforms include direct connectivity to SAP systems and applications to extract and analyze configuration, software and user-related data in SAP applications, databases and hosts. The platforms also include security tools to support vulnerability management and patch management.

Organizations can leverage these ALM platforms to perform many of the same functions as costly third-party alternatives. This avoids unnecessary license fees and the need to install and maintain the hosts, connections, agents and users required by third-party tools.

Organizations can extend the capabilities of ALM platforms using addons such as the Cybersecurity Extension for SAP from Layer Seven Security for areas such as threat detection and custom code security. This is less costly and involves less maintenance than third party solutions that require separate servers, infrastructure and connections, including external connections to other networks using Internet protocols.

2. Minimize Manual Steps in SAP Security Patching

Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every publicly known SAP exploit targets vulnerabilities that SAP had already patched through security notes. In other words, there is no public evidence of the exploitation of zero-day vulnerabilities in SAP applications. However, there is a wealth of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP. This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE.

Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.

System Recommendations (SysRec) in SAP Solution Manager should be used to automate the discovery and full lifecycle management of SAP security notes. SysRec is a standard application, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager. However, many of the security notes reported by SysRec are false positives. SAP administrators spend a great deal of time manually validating the results of SysRec every month to remove false positives. The workload is especially high in large SAP landscapes with many systems. The Cybersecurity Extension for SAP automatically identifies and removes false positives in System Recommendations. This improves the quality and reliability of the security notes calculated by SysRec and removes the need to manually validate notes before applying corrections.

3. Automate SAP Compliance Audits

SAP solutions often support business-critical processes such as financial reporting, customer relationship management, and human capital management and therefore need to comply with strict standards for information security. This includes requirements for secure configuration, system changes, and administrative access. SAP solutions are subject to regular audits by internal and external auditors and other groups to confirm compliance with such requirements. The audits can place a significant burden on SAP teams. Automating audits can lead to significant improvements in the quality and timeliness of compliance monitoring and lower the manual effort involved in gathering evidence, analyzing results and reporting findings.

Compliance Reporting in the Cybersecurity Extension for SAP automates compliance gap assessments for SAP solutions. This includes regulatory frameworks such as SOX, GDPR and PCI DSS, industry standards such as HIPAA, HITRUST and CIP, and security standards such as CIS, NIST and ISO. It also supports SAP frameworks such as the SAP Security Baseline and the S/4HANA Security Guide. Customers can also create and publish custom frameworks for monitoring compliance against company-specific policies and standards. Reports can be scheduled and automatically sent to stakeholders, including compliance and audit teams, at a regular interval.

4. Tune Security Alerts

Security solutions can trigger alerts and notifications for suspected security incidents that upon further investigation are false positives. Solutions can also overwhelm users with a large volume of alerts that cannot realistically be investigated with available resources. The latter scenario is known as alert flooding. This leads to wasted effort and reduces the confidence of end users in the underlying solutions. It can also increase infrastructure costs through higher data volumes and events per second.

False positives and alert flooding can be minimized by tuning alerts for specific systems and landscapes. This enables security solutions to learn the unique event and user patterns for each system and exclude those patterns from alerting. The Cybersecurity Extension for SAP supports advanced tuning for event collection and alerting. Users can maintain exclusions for alerts based on user, client, event ID, transaction, source/destination IP or terminal, and other variables to prevent false positives and alert flooding. Users can also enable or disable specific alerts to customize monitoring and focus, for example, on critical or high priority incidents only. Exclusions should be as narrow as the known pattern: suppressing a batch user's scheduled activity only from its usual terminal and client still alerts when the same account is used interactively from elsewhere.

5. Automate Incident Response

Automating incident response for security alerts can improve the efficiency of security operations and response times. It also supports compliance with standard operating procedures for incident management since there is less risk of human error. The guided procedure framework in SAP Solution Manager and SAP Focused Run includes a library of automated alert reaction procedures. SAP users can also use the framework to author their own procedures as custom guided procedures. The procedures can automate routine tasks such as transaction, program or report execution, as well as more complex tasks such as locking or unlocking users or restarting systems that may have been disrupted by a denial of service attack.

The Cybersecurity Extension for SAP also includes incident response procedures that users can execute to investigate security alerts. The procedures provide best practices and playbooks for responding to alerts and enable users to document findings, attach evidence, generate reports, and manage the status of alerts. It also provides a complete audit trail for each investigation performed by analysts.

6. Integrate SAP Logs with SIEM Solutions

Security Information and Event Management (SIEM) solutions enable Security Operations Centers (SOC) to ingest and monitor logs from various endpoints in networks. They provide a centralized platform for monitoring multiple assets within an enterprise. Centralized monitoring through a single or multiple SOCs can improve efficiency and lower costs, as well as improve visibility and capability to respond to threats across different assets.

There are inherent challenges with integrating SAP logs with SIEM solutions. The challenges are discussed in detail in the whitepaper SIEM Integration for SAP from Layer Seven Security. The Cybersecurity Extension for SAP supports seamless integration with SIEM solutions. It removes the effort and complexity for successfully ingesting SAP logs. This is achieved through filtering, normalizing and enriching of SAP logs and through the creation of a single point of integration between SIEM solutions and a data source containing event logs from all target SAP systems.
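The pipeline below is an added example covering both the alert tuning described in section 4 and the filtering, normalization and enrichment described in this section; it is not code from Layer Seven Security, SAP or the Cybersecurity Extension for SAP. The pipe-delimited input layout, the SYSTEMS metadata, the severity mapping and the exclusion rules are constructed assumptions. The three Security Audit Log message IDs used (AU1 logon successful, AU2 logon failed, AU3 transaction started) are real, but no real log format is parsed here.

```python
"""Normalize, tune and enrich SAP-style audit events before forwarding to a SIEM.

Added example for this article; not code from Layer Seven Security, SAP or the
Cybersecurity Extension for SAP. Input layout, system metadata, severity mapping
and exclusion rules are constructed assumptions.
"""
import json

# Constructed input: ts|sid|client|user|terminal|event_id|tcode|message
SAMPLE_LOG = """\
2023-11-14T09:00:00Z|S4H|100|BATCH_FI|app01|AU3|SM37|Transaction SM37 started
2023-11-14T09:00:05Z|S4H|100|BATCH_FI|laptop-77|AU3|SE16|Transaction SE16 started
2023-11-14T09:00:10Z|S4H|100|JSMITH|laptop-12|AU2||Logon failed (reason = 1, type = A)
2023-11-14T09:00:15Z|S4H|000|SAP*|app01|AU3|SE38|Transaction SE38 started
2023-11-14T09:00:20Z|S4H|100|JSMITH|laptop-12|AU1||Logon successful (type = A)
"""

# Constructed system metadata used for enrichment (landscape, environment, priority).
SYSTEMS = {"S4H": {"landscape": "ERP", "environment": "PROD", "priority": "very high"}}

EVENT_NAMES = {"AU1": "Logon successful", "AU2": "Logon failed", "AU3": "Transaction started"}
SEVERITY = {"AU1": "info", "AU2": "medium", "AU3": "low"}  # assumed mapping

# Tuning rules: every field in a rule must match (AND); any matching rule suppresses (OR).
# Rules are narrow on purpose: the first suppresses the batch user's job activity only
# from its usual terminal, so the same account used from a laptop still gets forwarded.
# Matching is exact because SAP* is a literal user name, so no glob syntax is used.
EXCLUSIONS = [
    {"user": "BATCH_FI", "client": "100", "event_id": "AU3", "terminal": "app01"},
    {"event_id": "AU1"},  # successful logons disabled entirely to avoid alert flooding
]

FIELDS = ("ts", "system", "client", "user", "terminal", "event_id", "tcode", "message")


def normalize(line):
    """Turn one raw line into a flat event dict with common field names."""
    values = line.split("|", len(FIELDS) - 1)  # message may itself contain '|'
    if len(values) != len(FIELDS):
        raise ValueError(f"malformed line: {line!r}")
    event = dict(zip(FIELDS, values))
    event["event_name"] = EVENT_NAMES.get(event["event_id"], "Unknown")
    event["severity"] = SEVERITY.get(event["event_id"], "low")
    return event


def enrich(event, systems):
    """Attach system metadata so SIEM rules can key on environment or priority."""
    unknown = {"landscape": "unknown", "environment": "unknown", "priority": "unknown"}
    return {**event, **systems.get(event["system"], unknown)}


def matches(rule, event):
    """A rule matches when every field it names equals the event value exactly."""
    return all(event.get(field) == value for field, value in rule.items())


def process(raw_text, exclusions=EXCLUSIONS, systems=SYSTEMS):
    """Return (forwarded_events, suppressed_count)."""
    forwarded, suppressed = [], 0
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        event = enrich(normalize(line), systems)
        if any(matches(rule, event) for rule in exclusions):
            suppressed += 1
            continue
        forwarded.append(event)
    return forwarded, suppressed


def to_jsonl(events):
    """Serialize as JSON lines, the form most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    fwd, skipped = process(SAMPLE_LOG)
    print(to_jsonl(fwd))
    print(f"forwarded={len(fwd)} suppressed={skipped}")
```

Of the five constructed events, the scheduled batch activity from app01 and the successful logon are dropped, while the batch account acting from a laptop, the failed logon and the SAP* activity in client 000 are forwarded with the system's environment and priority attached, which is what lets a SIEM correlation rule weight a production system differently from a sandbox.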

SAP Security Notes, September 2023

Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the Enterprise component in BOBJ versions 4.2 and 4.3.

Note 3320355 removes sensitive information in responses from Promotion Management in BOBJ to clients in order to prevent information disclosure that could lead to the complete compromise of the application. Attackers require access to the promotion job folder for exploitation of the vulnerability. A temporary workaround can be applied by removing rights to the folder from users that do not require access.

Note 3370490 addresses a high-priority cross-site scripting vulnerability in the BOBJ Web Intelligence HTML interface. Due to insufficient file type validation, the Web Intelligence HTML interface allows a report creator to upload files from the local system into a report over the network. When uploading an image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data. The solution included in note 3370490 patches the vulnerability by blocking unauthorized file types.

Note 3327896 removes a high-risk buffer overflow vulnerability in the SAP Common Crypto Library that could be exploited to trigger a denial of service. A manipulated data package with a corrupted SNC name ASN.1 structure can lead to a parser error and crash the application. Customers should upgrade CommonCryptoLib to 8.5.49 or higher.

Layer Seven Security Release Updated Ransomware Guide for SAP

Earlier this month, MGM Resorts reported a major cyber attack that severely disrupted its operations including online and payment processing systems. Threat actors are reported to have breached MGM’s network and systems and exfiltrated several terabytes of sensitive data. The company was forced to shut down several key systems as it worked with law enforcement agencies and cybersecurity companies to investigate and contain the breach.

MGM reported the incident in Form 8-K filings with the Securities and Exchange Commission (SEC). The new SEC rules, effective from September 5, require publicly listed organizations in the U.S. to disclose material cybersecurity incidents within four business days, with compliance for the incident disclosure requirement beginning December 18, 2023 for most companies.

The hacking group Scattered Spider, an affiliate of the ALPHV cyber criminal organization, has claimed responsibility for the breach. Scattered Spider is believed to have breached around 100 organizations within the last two years, mostly in the U.S. and Canada. According to statements released by ALPHV, also known as BlackCat, the group was able to breach MGM by exploiting vulnerabilities in an access and identity management provider and cloud tenant. Once they gained administrative access to more than 100 ESXi hypervisors at MGM, ALPHV began deploying ransomware in the compromised systems. Ransomware is a form of malware that encrypts files and systems so the victim cannot operate until a ransom is paid; current operations typically also exfiltrate data first and threaten to publish it if the ransom is refused.

Caesars Entertainment also reported in September that it had been the victim of a successful ransomware attack that breached personally identifiable information in its loyalty program database, including driver's license and Social Security numbers. Caesars disclosed in its 8-K filing with the SEC that it had paid the attackers to prevent the disclosure of the stolen data; the payment has been reported at approximately $15 million.

The business impact of ransomware can be significant in terms of both direct and indirect costs and reputational harm. For example, according to the credit rating agency Moody’s, the cyberattack at MGM could negatively impact the credit rating of the company.

SAP systems are not immune to ransomware. They can be compromised through vulnerable operating systems supporting SAP solutions, insecure protocols and cross-system interfaces, and OS commands executed through the application layer that exploit trust relationships between SAP applications and hosts. In response to the recent breaches at Caesars and MGM, Layer Seven Security has released an updated guide for securing SAP solutions from ransomware. Layer Seven Security is an industry leader in cybersecurity services and solutions for SAP. The guide provides clear and succinct recommendations to prevent and detect ransomware attacks in SAP systems, as well as to restore systems during the recovery phase. The guide can be downloaded directly from SAPinsider.

What to Expect in the Cybersecurity Extension for SAP Version 5.0

Version 5.0 of the Cybersecurity Extension for SAP (CES) is scheduled for general availability in September. It includes several enhancements, configuration checks and new patterns to improve vulnerability management and threat detection for SAP solutions. This article discusses some of the key changes.

Trend Analysis
Trend Analysis is a new application in CES that tracks changes in vulnerabilities, security notes, and alerts over two years. It can be used to monitor security results across periods. For example, the number of vulnerabilities in the current period can be compared with results from the prior month to assess the effectiveness of remediation activities. Results can be analyzed using daily, weekly, monthly, or quarterly intervals, as well as custom date ranges. Results are visualized using multiple charts and tables with the option to export results. The advanced filter can be used to focus trend analysis for specific business units, areas, landscapes, systems, priorities, and other variables.

Systems
Systems is another new application in CES. It displays system information for targets that are monitored by CES. Target systems are selected from the available managed systems in SAP Solution Manager and SAP Focused Run. System information is displayed in cards for each system. The information includes attributes such as the SAP System ID, landscape, environment, priority and group. Groups are typically business units that are maintained during the installation phase. The application includes a filter to search for specific systems based on attributes.

Actively Exploited Vulnerabilities
CES version 5.0 automatically detects actively exploited vulnerabilities. The vulnerabilities are identified and flagged based on automated correlation with event logs and alerts in CES. Results in Vulnerability Management can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.

SAP GRC Integration
SAP GRC identifies users with access to sensitive functions and to conflicting functions that should be segregated between users. It also detects whether the functions that comprise an access risk are actually executed by users. CES v5.0 integrates with SAP GRC to report and alert on access risks where the relevant sensitive or conflicting functions are executed by users. This enables organizations to be notified immediately of access violations and to investigate the risks using the incident response capabilities of the Cybersecurity Extension for SAP.

Report Scheduling
The Cybersecurity Extension for SAP supports export to PDF, CSV and Excel for compliance, vulnerability and other security reports, including reports related to security notes, events and alerts. In earlier versions, the reports were exported on demand. Version 5.0 supports the scheduling and automatic distribution of reports by email. Users can customize email settings including the subject and text. Distribution lists are supported.

User Experience
CES v5.0 includes a redesigned application launchpad.

Vulnerability Management includes a card view for system selection. Users can switch to the dashboard view supported in earlier versions, if preferred.

Compliance Reporting also includes a redesigned interface for selecting frameworks and systems and navigating results.

Security Alerts includes a heat map for analyzing alerts by system and column charts for analyzing alerts by 24 hour, 7 day, and 30 day intervals.

SAP ASE
The Cybersecurity Extension for SAP supports full-stack monitoring for SAP systems including application, database and host layers. SAP ASE is a widely used relational database server for SAP solutions. Version 5.0 includes extended support for ASE monitoring, including new vulnerability checks for logon settings, remote logins, password policies, database users including default and inactive users, critical database roles, database encryption, and audit settings. It also delivers alerts for critical database events such as failed logons, locked users, logons by default users such as sa, changes to the database configuration including disabling auditing, role and user changes, new procedures or services, remote procedure calls, the execution of stored procedures, and table contents transferred to or from external files.

SUSE Linux Enterprise Server
Version 5.0 includes several new alerts for SLES operating systems supporting SAP solutions. This includes alerts for locked and unlocked users, new users, login failures, password changes, replay attacks, users that switch to root, and threats from the execution of malicious programs in SAP hosts.

SAP Security Notes, August 2023

Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability for CVE-2023-37483 that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability that can enable threat actors to access password hashes in client memory. SAP PowerDesigner Client and Proxy should be upgraded to version 16.7 SP06 PL04 or 16.7 SP07 to patch the vulnerabilities. The patches include fixes for proxy side authentication and authorization, and logging of attempted access control violations.

SAP PowerDesigner is also impacted by a code injection vulnerability addressed by note 3341599. SAP SQL Anywhere bundled with some versions of PowerDesigner allows an attacker with local access to take control of the application by planting malicious libraries that are loaded and executed by PowerDesigner. The note recommends upgrading to SP07 PL01, which includes a patched version of SQL Anywhere that does not load custom Unicode extension DLLs by default.

Note 3344295 addresses a high-risk authentication bypass vulnerability in the SAP Message Server. The vulnerability is fixed by applying the kernel patches specified in the note. The related exploits can also be mitigated by setting the profile parameter system/secure_communication to ON, restricting access to the internal port of the Message Server, and keeping the trace level below 2.

Notes 3317710 and 3312047 patch binary hijack and denial of service vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ).

Note 3346500 removes the ability for users to authenticate with an empty passphrase in SAP Commerce Cloud by changing the default value of the configuration property user.password.acceptEmpty from true to false.

New SEC Rules For Cybersecurity Incident and Risk Management Disclosures

The Securities and Exchange Commission (SEC) issued a final rule on July 26, 2023 that will require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of discovery. In addition, the SEC will now require public companies to disclose on an annual basis in Form 10-K their process for assessing, identifying and managing material risks from cybersecurity threats, as well as information on how companies’ boards and officers govern cyber risk management.

The incident reporting requirements become effective for companies, other than smaller reporting companies, on December 18, 2023. Smaller reporting companies will not be subject to the rule until June 15, 2024. All reporting companies will be subject to the disclosure rules covering their cybersecurity risk management process in annual reports for fiscal years ending on or after December 15, 2023.

For purposes of both the new Form 8-K requirements and the required annual risk management disclosure, a “cybersecurity incident” is defined as “an unauthorized occurrence, or a series of unauthorized occurrences, on or conducted through the registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The rules also define a “cybersecurity threat” as any potential occurrence that could result in a cybersecurity incident. The rules cover all “information systems,” a term defined to include electronic information resources owned or used by the registrant that are used to collect, process, maintain, use, share, disseminate, or dispose of information used to maintain or support the registrant’s operations.

The new rule adds item 1.05 to Form 8-K covering “material cybersecurity incidents.” When the rules become effective, public companies will have to disclose information relating to a material cybersecurity incident four business days after they determine they have experienced one. The disclosure must include the following information: (i) a description of the material aspects of the nature, scope, and timing of the incident and (ii) an assessment of the material impact or reasonably likely material impact of the incident on the company, including the financial impact and the impact on operations. However, companies need not disclose “specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.” The adopting SEC release notes that, in assessing the impact of the incident, companies should consider qualitative factors (impact on reputation, actual or potential litigation or regulatory investigations, or competitiveness) as well as quantitative factors.

The determination of materiality relies on the standard securities law formulation that considers whether there is a substantial likelihood that a shareholder would consider the information important in making an investment or whether the information would significantly alter the “total mix” of information available about the company. The determination must be made “without unreasonable delay” following discovery of the incident and the filing must indicate if any required disclosure has not been determined or is not available at the time of the filing. That said, the SEC advises that while the determination “need not be rushed prematurely, it also cannot be unreasonably delayed in an effort to avoid timely disclosure.” Significantly, the release notes that the fact that the full extent of the incident is not yet known or that further investigation will be necessary “should not delay the company from determining materiality.” Examples of unreasonable delay include delay in scheduling a board committee meeting to determine materiality or revision of internal policy to extend assessment deadlines or to change the criteria used to determine incident reporting to management or the board.

The rule identifies two circumstances in which a disclosure delay is permissible. First, the Form 8-K filing may be delayed if disclosure would pose a substantial risk to national security or public safety. The delay is permissible if the U.S. Attorney General has notified the SEC that a substantial risk exists, in which case a delay of up to 30 days is permissible with additional extensions possible if the substantial risk continues to exist. Second, for a company subject to the breach disclosure rules of the Federal Communications Commission relating to customer proprietary network information, disclosure may be delayed if the company notifies the SEC no later than the day disclosure would otherwise be required under the SEC rules.

The SEC also adopted new Item 106 to Regulation S-K that will require a reporting company to provide disclosure in its annual report that identifies “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”

This formulation represents a revision of the rule included in the March 9, 2022 proposed regulations which would have required a more granular discussion of a company’s cybersecurity risk management structure. The agency agreed with commenters who argued that a more detailed level of disclosure went beyond the level that is material to investors and could increase vulnerability to an attack by revealing important operational details of the risk management process.

The final rule also focuses on a non-exclusive list of three areas of disclosure that will help investors to place the disclosed cybersecurity processes in context:

  • Whether and how the cybersecurity processes have been integrated into the registrant’s overall risk management system or process;
  • Whether the registrant engages consultants, auditors or other third parties in connection with their cybersecurity processes; and
  • Whether the registrant has a process to identify material risks from cybersecurity threats associated with the use of third-party service providers.

Separately, the new rules will require disclosure about the board’s oversight of the company’s cybersecurity risk. Specifically, the disclosure must include information on how the board manages the oversight process, i.e., through a board committee or subcommittee, and the process whereby the board or board committee is informed about such risks. The agency dropped language in the proposed regulations that would have required disclosure of board level cybersecurity expertise.

The disclosure must also identify management’s role in assessing and managing material risks from cybersecurity threats with a focus on three areas:

  • Identification of the management positions and committee that are responsible for assessing and managing cybersecurity risks and the relevant expertise of such persons or committee members;
  • The process by which such persons are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • How such persons report information about cybersecurity risk to the board and/or the appropriate board committee.

Source: Kilpatrick Townsend & Stockton LLP

Cybersecurity Extension for SAP

The Cybersecurity Extension for SAP (CES) enables organizations to secure mission-critical SAP solutions from cyber threats that may require public disclosure in accordance with the new SEC rules. CES implements industry-leading vulnerability management, patch management, threat detection and response for SAP to minimize the risk of cybersecurity threats and enable the detection and investigation of security incidents.