After the IIS Authentication Agent is installed on an IIS server, the RSA Agent login page sets the rsa-csrf cookie without marking it as Secure. After successful authentication, the rsa-local cookie is set in addition to rsa-csrf, and neither cookie is marked as Secure.
This is seen as a security risk because the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack (unlikely, since HSTS is enabled).
This is not a vulnerability; it is a configuration setting that can be changed so that these two cookies are marked as Secure.
From the IIS Manager on the Web Agent machine, in the Connections pane, double-click server_name, and click Sites > Default Web Site.
In the Default Web Site Home pane, double-click RSA SecurID.
Enable the following option: Require Secure Connection to Access Protected Pages.
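
To confirm the change took effect, inspect the Set-Cookie headers the agent returns and check that rsa-csrf and rsa-local now carry the Secure attribute. The following is an added example, not RSA's code: the sample headers are constructed placeholders, and `fetch_set_cookie` is a hypothetical helper for pulling the headers from your own login page URL.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
import http.client
from urllib.parse import urlsplit

# Cookie names taken from the article.
AGENT_COOKIES = ("rsa-csrf", "rsa-local")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *attrs = header.split(";")
    name = first.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; only the part before "=" is compared,
    # so a cookie *value* that happens to contain "secure" is never mistaken for the flag.
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags


def cookies_missing_secure(set_cookie_headers, names=AGENT_COOKIES):
    """Return the sorted agent cookie names that were set without Secure."""
    missing = set()
    for header in set_cookie_headers:
        name, flags = parse_set_cookie(header)
        if name in names and "secure" not in flags:
            missing.add(name)
    return sorted(missing)


def fetch_set_cookie(url):
    """Hypothetical helper: fetch one HTTPS response (no redirects followed)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.netloc, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        return conn.getresponse().headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed sample headers (placeholders, not captured from a real agent).
BEFORE = ["rsa-csrf=PLACEHOLDER; path=/; HttpOnly",
          "rsa-local=secure-looking-value; path=/; HttpOnly"]
AFTER = ["rsa-csrf=PLACEHOLDER; path=/; HttpOnly; Secure",
         "rsa-local=PLACEHOLDER; Path=/; secure; HttpOnly"]

if __name__ == "__main__":
    print("before:", cookies_missing_secure(BEFORE))
    print("after: ", cookies_missing_secure(AFTER))
```

Run the check against both the login page response and a post-authentication response, since rsa-local is only set after a successful login.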