Security breaches & new SEC regulations

2023 was a great year to be invested in next-gen security, and it had an especially strong finish. CrowdStrike ended the year at +142%, Palo Alto +111%, and Zscaler +98%. And as 2024 starts off, CrowdStrike now finds itself right at its all-time high, last seen on November 8, 2021. Overall, CrowdStrike is now up +430% since its IPO debut in mid-2019.

You need to understand the new SEC regulations around breaches, which are likely what propelled security names at the end of 2023.

I wrote a piece on the impacts, and highlighted a number of gaffes from Okta as they bumbled from breach to breach (not directly within their security cloud platform, but in ancillary systems in customer support). They were involved in a number of related major security breaches (MGM, Caesars) this past year.

To recap my take:

I believe these newly required disclosures will spur further mgmt/board interest in modern next-gen security platforms around Zero Trust and security posture, like SSE and SASE for secure user access, XDR for endpoint posture, CNAPP for cloud & SaaS security posture, and EASM for overall outside-in exposure. Companies like CrowdStrike, Zscaler, Palo Alto, Cloudflare, and Okta should benefit from this increasing interest from large enterprises, as even the technology stragglers are being forced to look at the fault lines & gaps in their overall security & risk posture. I also think we’ll see a big rise in risk mgmt solutions in these same next-gen security platforms to give top mgmt and boards a measurable view of their security risk posture.

Zscaler has released Risk360, a new board/C-suite tool for overseeing and scoring risk across their platform.

CrowdStrike has released Exposure Management as a SOC risk oversight tool (for the CISO and SOC), and I think they’ll follow Zscaler into a board-level tool too.


Actually, that reminds me of a Rapid7 security roundtable I went to in Singapore at the end of last year. There are two upcoming regulations, of which this is one. It was a very, very important discussion that could have significant implications for:

  1. Cybersecurity in general
  2. Regulatory SEC compliance
  3. Liability

This SEC regulation represents a hard-fought battle in the background. Effectively, when regulators and lawmakers wanted to introduce this regulation, it was considered another dog’s dinner of an approach to lawmaking: overly complicated and burdensome, and potentially more harmful than beneficial. Effectively, the risk here is that with an onus to report breaches or hacks within an almost real-time window, security weaknesses would be publicly exposed before any remedial security action could be undertaken, thus increasing the breach potential as more and more hackers learn of them. I guess the battle ended up being over the 1 to 4 day reporting deadline.

The second regulation, which appears to be originating more from Europe, will address the age-old issue of liability. In the tech and apps world, so much is dependent on the stack, and so many tech companies complain that their tech and apps are held hostage to the base code or base application software used (usually pointing to having to build on a dated and vulnerable Microsoft version of something, etc.). Well, the regulations are about to change that, which would make the underlying software or application provider liable in the event of being the vulnerability source in a breach/hack/event.

These new regulations might well have a considerable impact on the cybersecurity industry, a gravy train for lawyers, and plenty of unintended consequences, I’m sure.