When the Securities and Exchange Commission (SEC) first announced its new cyber rules promoting increased transparency around cybersecurity incidents last summer, many organizations responded with concern about how they would effectively comply with the new rules, specifically the requirement to disclose any material cybersecurity incident within four days of discovery.
Determining materiality is a tough task. Thresholds can vary greatly from company to company, and in many cases a company facing a cybersecurity event won’t know the extent of its material damages until long after the incident occurred, well past the stipulated four-day reporting period.
The SEC cyber rules went into effect on Dec. 18, 2023, which means the cybersecurity industry has been living with the reality of these requirements for more than two months now. How are organizations navigating these rules to date, and what can we learn from those who have already filed disclosures?
Two months may not seem like very long, but we’ve already seen around a dozen filings of Form 8-K for reporting material cybersecurity incidents, including from large and multinational corporations such as First American Financial, loanDepot, Microsoft, Hewlett Packard Enterprise, Willis Lease Finance, SouthState, and Prudential Financial.
Across these filings, companies tend to err on the side of reporting, even if there’s no immediate material impact on their operations, revenue, or stock price. Most of these filings so far offer rather generic assessments of the incident without many noteworthy details. Understandably, items like attacker attribution or long-term impacts are often challenging to identify in the short timeframes required by the SEC.
The risks of filing prematurely
While some cybersecurity professionals advocate swift reporting even without substantial materiality, there are a few cautions against rushing an 8-K filing.
For one, disclosing an incident without taking the time to understand its full scope can create a more cumbersome reporting process. First American Financial had to file two additional updated disclosures following its initial filing, as more information emerged about its incident.
Without any clear guidelines from the SEC about what specific details should be disclosed in these filings, the rules run the risk of generating highly generic blanket disclosures: “Organization X was breached, there has been no material impact, and we are working with a third party to investigate the incident.” Boilerplate responses like these, which lack transparency around the in-depth details of the incident, fail to reassure the company’s customers and shareholders, defeating the entire intent of the cyber rules.
Ultimately, organizations need to strike a balance between timely and thorough incident reporting. We need to optimize incident response processes so that security teams can rapidly contain threats, quickly classify the material extent of the incident, and inform affected entities accordingly. While this process should happen swiftly, it should not be at the expense of a complete and thorough investigation. Companies don’t want to amend a disclosure because they didn’t have accurate information upon the initial report.
The SEC cyber rules stipulate that companies should file an incident disclosure if they determine the breach caused material damage to the company's finances or operations. Rather than filing a disclosure right away, as we’ve seen many organizations do so far, I encourage security teams to start the clock on their four-day reporting period only after they have completed an initial investigation and have determined that the incident was material enough to impact investor decisions.
Ideally, we’ll see stronger guidance from the SEC on this, perhaps even through a standard form that requests information such as: the type of attack, the date of the incident/discovery, what systems were impacted, and an indication of the magnitude of impact, such as the number of records accessed. Organizations could check a box to confirm whether they have leveraged a third party, contacted law enforcement, or contacted other applicable regulators.
While this level of detail has not been required yet by the SEC, we should take it as a best practice guideline for creating comprehensive, accurate, and transparent disclosure reports. I also encourage organizations to issue a post-mortem report 6-12 months following the disclosure of an incident, sharing any new details about the root cause of the attack and what controls have been put in place to prevent similar attacks from happening in the future.
If there’s one point the SEC rules got right, it’s a motivation to create greater transparency around incidents that could affect a company’s stakeholders. Regardless of how prescriptive the SEC’s rules are, we should always make promoting transparency an important objective for cybersecurity leaders.
It’s still the early days for the SEC cyber rules. But given the continued complexity and uncertainty around the best way to comply with them, it’s not too early to start preparing.
Mike Britton, chief information security officer, Abnormal Security