Companies Reporting Cyber Breaches in Their Securities and Exchange Commission (SEC) Disclosures
The Securities and Exchange Commission's (SEC) cyber disclosure rules, enacted three months ago, have set a new standard for companies to report material cybersecurity incidents. However, as companies grapple with the nuances of these regulations, they are finding themselves in a delicate balance between transparency and risk management.
According to Andrew Heighington, Chief Security Officer at EarthCam, companies are not obligated to disclose specific or technical information about their planned response to a cyber incident if doing so would impede their response or remediation. Instead, they focus on disclosing that a cyber incident has occurred, but face challenges in quantifying its material scope, nature, and impact.
The SEC defines a "cybersecurity incident" as an occurrence that jeopardizes the confidentiality, integrity, or availability of a company's information systems or data. Companies have submitted 12 initial Form 8-K, Item 1.05 filings for material cybersecurity incidents.
The avoidance of explicit terms like "breach" or "data breach" in SEC disclosures is commonplace. These words carry significant legal and reputational consequences and may imply a material event subject to regulatory scrutiny or litigation. Instead, companies prefer to report material cybersecurity incidents and their financial impacts, while carefully avoiding characterizing an incident too strongly until a full assessment is complete.
This cautious communication strategy poses challenges for stakeholders seeking clear and timely understanding of cybersecurity risks and incidents. For instance, Amy Chang notes that when companies share more data and analysis in their disclosures, stakeholders may consider whether the business could have easily prevented the incident. Early oversharing could compel stakeholders to question the likelihood of poor security controls, a mishandled detection or response, third-party supplier involvement, or other causes.
Not all companies follow this trend of vague disclosures. VF Corp., Hewlett Packard Enterprise, Microsoft, and UnitedHealth Group are outliers, sharing additional details such as potential attack vectors, threat actor identities or motivations, possible or confirmed data theft, and impacts on specific operations or systems.
As the SEC's cyber incident disclosures are still in their early stages, it is challenging to draw broad conclusions about organizations' reporting strategies. However, it is clear that companies are confronting significant challenges in describing cyberattacks to hypercritical and discerning audiences.
- In the context of the SEC's cyber disclosure rules, companies are weighing the need for transparency against the strategy of risk management when reporting material cybersecurity incidents.
- According to Andrew Heighington, companies can omit specific or technical information about their incident response plan if disclosing such details would impede their response or remediation efforts.
- Companies submitting Form 8-K for material cybersecurity incidents are avoiding terms like "breach" or "data breach" because of their legal and reputational consequences; instead, they focus on describing the incident and its financial impacts while awaiting a complete assessment.
- Companies face pressure to provide clear and timely information about cybersecurity risks and incidents, but if too much is shared prematurely, shareholders' attention may shift to scrutinizing the business's security controls and response capabilities.