SEC Cyber Incident Rule Reports 71 Filings In 11 Months

How often do Cyberattacks happen to big companies? A recent report counts the filings about Cyberattacks that the Securities and Exchange Commission (SEC) received from publicly traded companies in just 11 months.

These attacks can lead to stolen information, financial losses, and other serious problems. 

Here’s the report about the filings and what cyber incident reporting rules can mean for your business.

Contact 2Secure

SEC’s Cyber Incident Reporting A Year Later

A year ago, the SEC introduced new rules to support Cybersecurity transparency and accountability for publicly traded companies. These regulations mandate that businesses promptly disclose material Cybersecurity incidents and their risk management strategies.

The SEC’s rule, which took effect on December 18, 2023, requires companies to report significant cyber incidents within four days of determining their “materiality”.

Essentially, if a Cybersecurity incident has a considerable impact on the company’s financial performance, operations, or reputation, it is considered “material” and must be disclosed to the SEC.

Are Companies Living Up To The New Cybersecurity Standards?

As the first anniversary of these rules approaches, it’s time to assess their impact. Have companies embraced this new era of Cybersecurity transparency? Are they effectively managing cyber risks and protecting confidential information?

A recent report by BreachRx of 71 8-K filings and 400 10-K filings has revealed a mixed bag of compliance with the SEC’s new cyber incident reporting rules. While companies are filing reports, many are struggling to accurately determine materiality and provide meaningful details.

Key Findings From The Report Include:

  • Confusion Over Materiality: Only 17% of 8-K filings explicitly specified material impact, and a mere 4% of initial 8-K filings disclosing a cyber incident did so.
  • Lack Of Detail In Incident Response: Less than half of the filings provided specific insights into organizations’ incident response procedures.
  • Generic 10-K Disclosures: Most 10-K filings offered generic descriptions of cyber risks and incident response procedures, lacking specific details.
  • Weak Cybersecurity Leadership: Only 10% of companies have identified chief information security officers (CISOs) responsible for Cybersecurity.

These findings suggest that many companies are still wrestling with the SEC’s new rules and may be at risk of future enforcement actions.

A Surge In Cybersecurity Disclosures

The SEC’s cyber disclosure rule, while intended to improve transparency, has led to confusion about what counts as a material incident and when to file.

Interestingly, while not explicitly required by the rules, several companies have opted to disclose incidents to the SEC soon after discovery. These initial disclosures often lack crucial details, which are then provided in succeeding amended filings or quarterly/annual reports.

For instance, Fidelity National Financial, after a November Cyberattack, initially disclosed the incident in an 8-K filing. Later, through amended filings and a virtual fireside chat, the company revealed more details, including the number of impacted customers. Hackers broke into the company’s systems and stole personal credentials. The infamous ALPHV/BlackCat Ransomware group claimed responsibility for the attack.

In the past, companies often hid Ransomware attacks to protect their reputation and avoid legal trouble. Now, many companies are more open about attacks, fearing the damage to their reputation from a poor response more than the attack itself.

While the SEC’s cyber incident reporting rule has been in effect, other similar regulations are also in the works. An example is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was enacted in March 2022 to bolster Cybersecurity across key sectors. 

This act requires designated organizations, known as covered entities, to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within specified timeframes. The proposed rules under CIRCIA were published in April 2024 and are expected to take effect in October 2025, pending public comments and revisions. 

What Do Cyber Incident Reporting Rules Mean For Your Business?

Cyber incident reporting rules, such as those enacted by the SEC and CIRCIA, mean that businesses need to be more aware and diligent about detecting, mitigating, and reporting cyber incidents.

Here’s what it means for your business:

  • Increased Awareness – You need to be more attentive to cyber incidents and potential threats.
  • Prompt Reporting – If your business is affected by a cyber incident, you must report it within the designated timeframe.
  • Improved Security Measures – You may need to boost your Cybersecurity measures to comply with the reporting rules.
  • Reputational Damage – Failure to comply with reporting rules could damage your business’s reputation and public trust.
  • Legal Implications – Non-compliance could result in legal consequences, including fines and penalties.
  • Incident Response Planning – Developing a comprehensive incident response plan can help your business respond quickly and effectively to cyber incidents.
  • Cyber Insurance – Consider investing in cyber insurance to protect your business from potential financial losses resulting from cyber incidents.

Being aware of and alert to cyber incident reporting rules, and taking steps to protect your business, can help you remain compliant, mitigate potential damage, and maintain your reputation.


FAQ

Why Are Companies Required To Report Cyber Incidents To The SEC? 

Companies are required to report cyber incidents to the SEC to inform investors about potential risks to their investments. These incidents can impact a company’s financial performance, operations, and reputation.

What Kinds Of Cyber Incidents Are Typically Reported To The SEC? 

Common cyber incidents reported to the SEC include data breaches, Ransomware attacks, and hacking incidents that can lead to large financial losses, operational disruptions, or reputational damage.

What Does This Increase In Cyber Incident Reports Mean For Investors?

The rise in cyber incident reports indicates that cyber threats are becoming more frequent and sophisticated. Investors should be aware of these risks and consider how they may impact their investments. The 2Secure team encourages investors to remain informed about the Cybersecurity practices of the companies in which they invest and to diversify their portfolios to minimize risk.
