At the end of 2023, a new SEC regulation ordered all publicly listed companies to disclose material cybersecurity incidents within four days. This is to safeguard investors and market integrity, but there was some confusion over what a ‘material incident’ even is.
“The definition is somewhat vague, but according to TSC Industries, Inc. v. Northway, Inc., an incident is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision’,” says Vishal Gauri, the Chief Strategy Officer at Seclore, a data-centric security company that protects and controls digital assets to help enterprises prevent data theft and achieve compliance.
The SEC regulation incited quite a bit of buzz across the security industry when it was announced.
“There's certainly value in this new rule, namely that it will help standardise cybersecurity risk reporting and provide more transparency for investors and stakeholders who ought to know about significant security-related events of public companies,” says Gauri. “But it’s not without its complications. For one, there's a grey area when it comes to what exactly qualifies as a material incident. In addition, the four-day time frame is very narrow.”
Here, he tells us more about recent cybersecurity acts and the future of chip manufacturing.
Cybersecurity wake-up call for manufacturers
“I’ve worked at several tech companies over the past 20 years,” says Gauri. “Early in my career, I worked on developing semiconductor processes and equipment at Novellus Systems. I’m the inventor of 18 patents in the area.”
Seclore is headquartered in Santa Clara, California, and was founded on the principle that traditional cybersecurity methods — which focus on securing networks and devices — are no longer sufficient. Seclore has 2,000 customers across nearly 30 countries, who use the Seclore platform to protect sensitive data and digital assets.
In August of 2022, the Biden administration signed the CHIPS and Science Act into law, promising to strengthen American manufacturing, supply chains and national security. For manufacturers who had suffered under the recent supply chain disruptions, the CHIPS Act was a sign of investment in a more balanced future.
“It’s still in the early innings, as President Biden only signed the CHIPS and Science Act into law in August 2022, but we’re already starting to see the impact,” said Gauri. “The US has seen investments in and openings of chip facilities in North Carolina, New York, Arizona, Utah, Kansas and California.”
This is going to create thousands of new jobs across the country. More broadly, one of this law’s primary goals is to help accelerate domestic chip production, as 75% of semiconductor manufacturing currently happens in China and East Asia.
“Though it will take several years, these ongoing investments will help ensure the USA is less dependent on other countries for chips, thus protecting the USA from future potential supply chain disruptions,” he adds.
Under the SEC’s new cybersecurity rule, organisations and their security teams will now be tasked with the actual work of identifying, assessing, investigating, mitigating and resolving the security incident, while simultaneously handling the administrative work of filing a disclosure with the SEC, which could take time away from addressing the incident itself.
According to Gauri, there is one potential upside of this rule.
“This is that it can serve as yet another wake-up call for organisations that they need to be prioritising and investing in cybersecurity.”
What cybersecurity regulation could look like for manufacturing
Public companies in the manufacturing sector will now have to comply with the SEC’s new disclosure requirements, which require them to be both swift and transparent about the cybersecurity incidents they face.
“That said, given the incredibly sensitive IP that semiconductor companies handle, it’s entirely possible that more regulation is on the horizon for chip makers and suppliers specifically,” says Gauri. “It could come in many forms, including robust risk reporting, risk quantification, the disclosure of not just material incidents but attack attempts or close calls, third-party auditing, keeping an up-to-date Software Bill of Materials.”
There are a number of things that semiconductor companies can do to prepare for future cybersecurity-related regulation, according to Gauri. The first is ensuring that their cybersecurity hygiene is exemplary.
“Get the basics right: require password updates, install software updates and patches expeditiously, back up data, ensure an accurate inventory of all devices across the enterprise and train employees about cybersecurity awareness and policies. These practices are table stakes,” he advises.
From there, chip companies need to manage their third-party risks across the manufacturing supply chain.
“US chip manufacturers work with a slew of third-party vendors every day, often sharing sensitive data — including chip IP and designs — with those parties,” he adds. “Companies thus must invest in security tools that give them the ability to see, protect and control their data, wherever it travels, inside and outside the perimeter.”
Finally, semiconductor companies should start the process of aligning their cybersecurity and legal teams.
“As regulation and disclosure requirements become more commonplace, cybersecurity will increasingly become a matter for the company’s legal department, so it’s important to start fostering open lines of communication now,” he continues. Gauri suggests that there’s a lot that manufacturers can learn from previously passed legislation in other industries.
“The financial services industry is one that’s often in the crosshairs of cyber attackers, due to its sensitive PII data and potential for significant monetary theft,” Gauri states. “As a result, the industry has been subject to various sets of regulation, including the Gramm-Leach-Bliley Act (GLBA), a law passed in 1999 that remains the active data privacy law for the financial services industry. Though this regulation likely came with initial growing pains, it has served a pivotal and lasting purpose in keeping financial institutions accountable and customer data protected.”
Over the rest of 2024, Gauri and Seclore have a lot of exciting things in the pipeline.
“We’re receiving great feedback from customers and prospects about our approach to data-centric security as a way to protect their most sensitive assets — so we’ll continue to educate the market, further invest in product development and expand our footprint.” Additionally, Seclore continues to see significant demand and opportunities in the manufacturing sector and will continue to prioritise its work there.