New reports show that most companies who disclosed a cyber incident to the SEC last year were tight-lipped when it came to specific details.
It has been a little more than a year since the SEC’s controversial cybersecurity incident disclosure rule went into effect. The rule, which requires public companies to disclose a cybersecurity incident to the SEC within four days after it is deemed material, was intended to boost disclosure consistency and transparency among investors. However, while more companies disclosed cyber incidents after the rule was enforced, the details provided in the filings were limited.
Living in a not-so material world. According to a 2024 Paul Hastings report that examined 75 disclosures from 48 public companies between December 2023 and October 2024, there was a 60% uptick in the number of cyber incidents disclosed after the SEC’s cyber disclosure rule was enforced. However, less than 10% of the disclosed incidents included a description of the incident’s material impact. Michelle A. Reed, a lead author of the report and co-chair of Paul Hastings’ data privacy and cybersecurity practice, told IT Brew that the findings reflect companies’ concerns about SEC enforcement for failing to disclose, given the “squishiness” around materiality.
“Materiality isn’t just a quantitative measure, it’s a qualitative measure,” Reed said. “I think that part of the reason you see such increased disclosures and you may not see the description of specifically what the material impact was is because people are really looking at it on a qualitative basis and trying to avoid non-disclosure claims by the SEC.”
En vague. Findings from a BreachRx report further showed that less than half (48%) of the 8-K filings laid out specific details on an organization’s incident response procedures. Anderson Lunsford, co-founder and CEO of BreachRx, told IT Brew that the vague approach most companies are taking is not meeting the SEC policy’s goals.
“The actual information that’s being provided about the incidents is so generic,” Lunsford said. “It’s not actually giving what the SEC was asking for, which was decision-useful information for the investment community.”
What’s ahead? While Chair Gary Gensler is slated to step down from his position at the SEC later in the month, both Reed and Lunsford told IT Brew that it is unlikely the rule will be impacted under a new administration.
“I don’t see a big step back happening on the regulatory front like that,” Lunsford said. “I think it would be foolish to believe that they’re going to overturn the cybersecurity rules or change them.”
Anna Rudawski, partner at A&O Shearman, told us that companies can continue to best prepare themselves in the case that they do need to disclose by understanding what will “trigger materiality for them.”
“I think the worst place to be for a company is to not have any idea of what the materiality threshold looks like for you,” Rudawski said.
Lunsford added that companies who do encounter a cyber incident should keep documentation of their incident response activities.
“That’s so vitally important for proving you took all the right actions at the right time to the SEC,” Lunsford said.