
In the past year, the cybersecurity landscape involving risk assessment and incident response has undergone a fundamental shift due to the SEC’s final cybersecurity disclosure rules. While organizations have always had to manage cyber risks, the new regulations have introduced both clarity and complexity into how companies assess materiality, report incidents, and integrate threat intelligence (TI) into their broader risk management frameworks.

The SEC’s mandated reporting has forced organizations to refine their risk assessment processes, but many are still struggling with key challenges. Companies are being penalized for both over-reporting and under-reporting incidents, highlighting the ongoing challenge of determining materiality. In addition, legal teams play a significant role in shaping disclosures, often leading to varying levels of detail in public reports. This inconsistency not only affects regulatory compliance but also has broader implications—threat actors are scrutinizing these filings for exploitable insights.

The Role of Threat Intelligence in Materiality Determination

Threat intelligence is a critical component in assessing materiality under the SEC rules. It provides organizations with the contextual awareness necessary to determine whether an incident has a material impact on business operations, financial standing, or investor confidence. Without a well-integrated TI function, companies may struggle to distinguish between incidents that warrant disclosure and those that do not. The ability to track adversary behaviors, emerging threats, and industry-wide trends allows organizations to make informed materiality assessments and avoid unnecessary or incomplete disclosures.

However, the adversarial landscape has evolved alongside regulatory changes. We have observed cases where threat actors exploit the SEC disclosure framework to pressure victims, including cyber extortionists threatening to report breaches to the SEC to increase leverage against companies. This underscores the need for organizations to not only use TI for compliance but also to proactively mitigate adversarial tactics.

Integrating Threat Intelligence into Incident Response

Beyond compliance, effective incident response hinges on the integration of real-time threat intelligence. Organizations that embed TI into their security operations can better detect, respond to and recover from cyber incidents. Best practices for integrating TI into incident response include:

  • Pre-Incident Preparation: Establishing a robust TI function that contextualizes threats relevant to the organization’s industry and digital footprint. This helps prioritize vulnerabilities and identify high-risk adversaries before they strike.
  • Real-Time Response: Leveraging TI during active incidents to distinguish between opportunistic attacks and targeted intrusions. This can accelerate containment efforts and reduce the risk of overreaction or under-reporting.
  • Post-Incident Analysis: Using TI to assess broader implications, refine security controls, and anticipate potential follow-on attacks. Organizations that fail to do so risk falling into a reactive cycle where threat actors continuously exploit their vulnerabilities.

Overcoming Common Challenges in Threat Intelligence Utilization

Despite the clear value of TI, many organizations struggle with its implementation. One major issue is the siloed nature of TI functions. In many cases, TI exists as a disjointed or isolated component, with lost opportunities to integrate across cybersecurity, enterprise intelligence, fraud, and brand protection teams. Without a centralized or holistic approach, organizations risk losing valuable insights and failing to apply intelligence effectively across their enterprise.

Broadly, these functions are often pressured to validate their return on investment (ROI). Without clear benchmarks or success metrics demonstrating how an organization benefits from TI and other defensive measures, decision-makers may be tempted to reduce investment in these areas. The challenge is that calculating ROI for something intangible—like preventing an issue—is inherently complex. To address this challenge, organizations should set the expectation that TI is an investment, much like an insurance policy, in strengthening their wider defensive strategies. TI helps position a company’s defenses to be more proactive, responsive, and informed—not only in addressing incidents but also in embedding practices that, over time, prevent more issues from occurring. By viewing TI as a strategic enabler rather than a cost center, organizations can enhance resilience and ensure long-term security effectiveness. Organizations that fail to invest adequately in TI often find themselves reacting to cyber incidents rather than proactively mitigating risks, ultimately facing higher costs and reputational damage in the long run.

Adding to the challenge is the misconception that TI is solely about technical indicators and vulnerability data. While technical intelligence is essential, the true value of TI lies in its ability to contextualize cyber threats within broader business and geopolitical trends. For example, threat intelligence should not only inform IT security teams but also support legal, risk management, and investor relations teams in understanding how cyber incidents might impact business operations and market confidence.

Emerging Threat Trends and Their Impact on Risk Assessment

As organizations adapt to regulatory changes, they must also stay ahead of emerging threats that influence risk assessment and incident response. Several key trends are shaping the cyber threat landscape:

  • Ransomware Evolution: Despite law enforcement efforts, ransomware attacks continue to rise, with new actors emerging rapidly due to the proliferation of leaked codebases. Organizations should integrate TI to track shifting ransomware tactics and commonalities across threat actors to proactively defend against them.
  • Vulnerability Exploitation: Adversaries, particularly those engaged in espionage and crime, are increasingly exploiting known, n-day, and zero-day vulnerabilities. TI teams should monitor exploit disclosures and proofs of concept, have a prioritization system for vulnerability management, and assess their potential impact on the organization.
  • Weaponization of Disclosures: Threat actors are actively monitoring public SEC filings and similar disclosures for insights into an organization’s cybersecurity posture and potential vulnerabilities. This trend necessitates a careful approach to disclosure language and reinforces the importance of TI in informing reporting strategies.
  • Generative AI in Cyber Threats: The rise of generative AI (GenAI) is expanding the attack surface, with adversaries leveraging AI-driven techniques to enhance phishing, automate hacking, and craft more convincing social engineering campaigns, including the use of deepfakes in their schemes. Organizations need to understand how AI-driven threats impact their risk profile and adjust their defenses accordingly.

The Future of Threat Intelligence in Regulatory Compliance

As regulatory frameworks evolve, the role of threat intelligence will become even more integral to risk management and incident response. Future SEC rule updates could further clarify materiality thresholds, introduce new reporting obligations, or mandate more structured TI integration. Organizations that proactively mature their TI capabilities will be better positioned to navigate these changes while minimizing regulatory and cyber risks.

Ultimately, threat intelligence is no longer just a security function—it is a business imperative. In the era of regulatory scrutiny, investor expectations, and sophisticated adversaries, organizations must embrace TI as a strategic asset to enhance resilience, ensure compliance, and safeguard their future.

Allison Wikoff is PwC’s Global Threat Intelligence – Americas Lead