
How New SEC Regulations Impact Mobile App Security and What Businesses Need to Know

Posted by Amy Schurr, Content Marketing Director

Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.

New U.S. Securities and Exchange Commission (SEC) regulations for cybersecurity disclosures will reshape how companies report on risk management strategies and disclose and manage security incidents. Changes to the federal government agency’s reporting requirements took effect in December 2023.

Experts expect the mandatory enhanced cybersecurity disclosures to compel companies to enhance proactive protection measures to better manage risk. NowSecure Founder Andrew Hoog recently shed light on the intersection of mobile app security and regulatory disclosures in a NowSecure Connect 2024 virtual conference session, “Analyzing the Impact of the SEC’s New Cybersecurity Rules.” Here’s a deep dive into what security, privacy and compliance managers and executives need to know about these new requirements and the implications for mobile app risk.

Why Focus on Cybersecurity Risk?

Security practitioners often face the challenge of translating technical issues into business terms. Hoog pointed out that security teams often receive pushback from C-suite executives because they talk at a highly technical level that business leaders don’t understand.

“Risk is the language of business,” said Hoog. Speaking in this universal language of business enables clearer communication with executives and board members. Understanding and articulating security and privacy issues in terms of business risk makes it easier to secure the necessary resources and support.

In addition, mastering the language of risk can aid career advancement, particularly for those who aspire to senior security roles such as Vice President of Application Security or Chief Information Security Officer (CISO). It positions security professionals as strategic partners in the business rather than simply technical experts. “The more you have the ability to translate technical language into business language, the better positioned you’ll be to move into those roles,” advised Hoog.

Viewing security through the lens of risk helps in understanding the broader impact of security incidents. High-profile breaches in healthcare, for instance, can disrupt entire regions and services, illustrating the far-reaching consequences of cybersecurity failures.

“Risk is the language of business.” – NowSecure Founder Andrew Hoog

The SEC Mission and Cybersecurity

The U.S. Securities and Exchange Commission (SEC) oversees more than $100 trillion in securities trading in U.S. equity markets annually. The SEC’s mission is to regulate the securities industry to protect investors; maintain fair, orderly and efficient markets; and facilitate capital formation. The agency enforces laws requiring public companies to disclose meaningful financial and other information to the public so that investors have access to the facts they need to make informed investment decisions.

New SEC rules took effect in December 2023 requiring companies to address cybersecurity risk management, strategy and governance in annual reporting and to disclose cybersecurity risks and incidents when they occur. These rules aim to provide investors with better information to assess the cybersecurity posture of companies. Security leaders should know about two key SEC documents for reporting on cybersecurity: Form 10-K and Form 8-K.

  • Form 10-K: As of Dec. 15, 2023, companies must include a section on cybersecurity risk management, strategy, and governance in their annual 10-K filings. This disclosure helps investors understand how a company addresses cybersecurity risks.

  • Form 8-K: For material cybersecurity incidents, companies must file an 8-K within four business days of determining the incident’s materiality. This rapid disclosure ensures that investors are promptly informed of significant cybersecurity events.

Materiality in Cybersecurity

Materiality refers to the significance of an incident in affecting a company’s financial condition, operations, reputation, or legal standing. The SEC’s focus on materiality ensures that only significant incidents are reported, avoiding the noise of minor events.

“The SEC isn’t looking for if you had your website scanned or had a little blip here,” said Hoog. “They’re talking about an incident that will materially affect the business in which the average investor would say, ‘I need to know about that attack to be able to determine whether or not it’s going to impact that particular company.’”

Mobile App Risk Underrepresented

The SEC maintains an online database called EDGAR (Electronic Data Gathering, Analysis and Retrieval) that provides access to corporate filing submissions. The publicly accessible resource offers an API and publishes data in XBRL format for developers to integrate into their systems.

Hoog parsed and analyzed the SEC data to explore the Form 8-K and Form 10-K disclosures for companies. Watch the NowSecure Connect 2024 session replay to view his analysis and see up-to-date information in his Cybersecurity Incident Tracker and Cybersecurity 10-K Tracker tools.

Not surprisingly, most of the incident disclosures came from financial companies, but the data also showed cyberattacks against healthcare, industrial and technology companies. Most disclosures attributed the attacks to criminal organizations, but nation-state attacks are on the rise and accounted for a few of them.

Mobile apps power customer engagement and revenue generation. For example, Starbucks reports that more than 33% of its revenue flows through its mobile app. But despite the prevalence and importance of mobile apps in driving business value, they are conspicuously absent in most companies’ cybersecurity disclosures. 

Only 0.4% of some 3,600 analyzed 10-K filings mention mobile app security, a glaring oversight given that mobile apps account for approximately 70% of Internet traffic. “Companies either drive revenue with their mobile applications or drive customer loyalty, and they’ve probably done it in a way in which they’ve reduced operational costs and increased efficiency,” said Hoog. 

Mobile application security risks abound, and NowSecure benchmark testing finds that 95% of mobile apps contain at least one security vulnerability. Failing to address mobile AppSec leaves companies open to significant brand damage and compliance penalties.

“Companies seem to be overlooking the reputational and legal impacts [of mobile apps in their SEC disclosures],” Hoog cautions. “Are you tying mobile risks to your cybersecurity strategy all the way through to revenue or retention in your business?” he asked. “I think that companies that do are going to be in the best position to be able to respond to an incident when it occurs.”

Strategic Recommendations for CISOs

  • Enhance Cybersecurity Disclosure Practices: CISOs should ensure that mobile app security is explicitly addressed in cybersecurity risk disclosures. This transparency not only complies with SEC requirements but also builds investor confidence.
  • Integrate Mobile App Security in Risk Management: Companies must integrate mobile app security into their broader cybersecurity strategy, aligning it with business goals and risk management frameworks. This proactive approach helps in mitigating potential threats and safeguarding critical business operations.
  • Educate and Align Security Teams: Train security teams to translate technical findings into business risk language. This alignment ensures that security measures are understood and valued at the executive level, facilitating better decision-making and resource allocation.

Conclusion

The SEC’s new cybersecurity disclosure requirements mark a significant shift in how companies must manage and report their cybersecurity risks. For security leaders and executives, understanding these requirements and the critical role of mobile app security in risk management is essential. 

By enhancing disclosure practices and integrating mobile app security into the broader risk management strategy, companies can better protect their assets, ensure regulatory compliance and build investor trust. As the landscape continues to evolve, staying ahead of these changes will be key to protecting your business from mobile app security, privacy and compliance risks and complying with SEC regulations.

Watch the 2024 NowSecure Connect session on SEC cybersecurity disclosures to learn more, and visit the NowSecure Mobile Risk Tracker to get a snapshot of the risk posture of thousands of mobile apps in key industries.