SEC Disclosures Up, But Not Enough Details Provided

While companies have responded to the new SEC rules by disclosing incidents promptly, many of the reports don’t meet the SEC’s “material” standard.

The new cybersecurity disclosure rules introduced by the US Securities and Exchange Commission (SEC) last year have resulted in a significant increase in incident reports from public companies, but most of the reports do not include the material impact of those incidents, according to a law firm specializing in finance and M&A activity.

Analysis by Paul Hastings LLP found cybersecurity incident reports have increased by 60% since the disclosure rule went into effect in 2023. The SEC regulation requires public companies to disclose material cybersecurity incidents within four business days of determining materiality. Material, in this instance, means that the incident can impact someone’s decision on whether to invest in the company. Determining materiality involves considering the immediate fallout and any longer-term effects on a company’s operations, customer relationships, financial impact, reputational or brand perception, and the potential for litigation or regulatory action.

As the chart above shows, the impact of the regulation spans numerous industries. While the financial services sector accounted for the largest number of disclosure reports, industrials and healthcare were also heavily impacted. Automotive retail and retail entities were also hit by cyberattacks and had to report those incidents.

Less than 10% of the disclosures detailed the material impacts of the incidents, suggesting that companies are having difficulty balancing detailed reporting with protecting the details of internal operations. The report included examples of what was considered material, such as Bassett Furniture Industries noting that business operations are materially impacted until recovery efforts are completed, or First American Financial disclosing adjusted earnings per share for the fourth quarter financial results and quantifying the losses in the company’s SEC filings.

Some companies (13%) opted to provide a press release or a reference to a blog post to provide more details about the incident.

Third-Party Breach Impact

One in four incidents in the report were third-party breaches. Companies are struggling to figure out whether to disclose third-party breaches, especially if other victims have disclosed the incidents. The automotive retail sector was affected primarily by the ransomware attack on automotive software provider CDK Global in June. The company paid a $25 million ransom. CDK’s parent company, Brookfield Business Partners, said in its July disclosure that the company did not “expect this incident to have a material impact.” Many of the smaller automotive companies claimed material impact as a result of CDK’s incident.

The SEC recently announced enforcement settlements with four SolarWinds customers for allegedly making misleading disclosures related to how they were impacted by the cyberattack. Two of the four publicly disclosed the incidents but did not disclose all material facts known at the time, such as the name of the threat actor, nature of information stolen, and number of accounts accessed. The other two did not disclose the incidents, and the SEC said they should have disclosed the impact.

Speed or More Details?

More than three-quarters (78%) of disclosures were made within eight days of discovery of the incident. The SEC specified that the four-business-day deadline runs not from discovery of the incident but from the point at which materiality has been determined, yet most companies opted to act quickly. A third (32%) filed within four days of discovery. This suggests that companies are reporting quickly to avoid being fined by the SEC for delayed disclosure, but too quickly, because they have not yet determined the full implications of the incident. This may be why 42% of the companies wound up filing multiple reports for the same incident, each time providing more details, such as quantifiable loss, impact to customer personal data, and notification to individuals and regulators.

“Companies should continue to evaluate disclosure controls and engage in tabletop exercises to practice the decision-making required to make such materiality decisions in the event of a cyber incident,” the report’s authors said.
