Companies' Accounts of Cyber Incidents in Securities and Exchange Commission (SEC) Documents

Cybersecurity disclosures employed by businesses significantly impact public opinion. They can instill trust in the restoration process, explain possible repercussions, and outline potential legal responsibilities.

Corporate Disclosures of Cyberattacks in Securities and Exchange Commission Reports

In the three months since the Securities and Exchange Commission (SEC) implemented its new cyber disclosure rules, 12 initial Form 8-K, Item 1.05 filings have been submitted by companies reporting material cybersecurity incidents. However, these disclosures have been carefully crafted, with companies choosing to reveal as little detail as possible due to ongoing investigations or broadly classifying the incident.

The SEC mandates the disclosure of material cybersecurity incidents, defined as those likely to have a substantial impact on a company's financial condition or operations. The rules require companies to determine materiality with both quantitative and qualitative factors, including the likelihood that a reasonable investor would find the information important.

Companies aim to comply in good faith by reporting essential information on the nature, timing, and impact of incidents without necessarily using charged terms like "breach," which might carry stronger legal or reputational consequences. Disclosure instructions advise companies not to provide overly technical or granular details that could hinder remediation efforts, so disclosures often focus on the broad incident description rather than invoking specific terminology.

Avoiding the term "breach" may also be a legal or strategic choice to reduce litigation risk or reputational damage, especially if the company believes the incident was contained or had limited effects. VF Corp., Hewlett Packard Enterprise, Microsoft, and UnitedHealth Group are outliers among the companies that disclosed security incidents, having opted to disclose additional details.

Early disclosures can provide insights into the challenges businesses face and the decisions they make in describing cyberattacks. Amy Chang, senior fellow of cybersecurity and emerging threats at R Street Institute, suggests that these early disclosures can help stakeholders understand potential poor security controls, mishandled detection or response, third-party supplier involvement, or other causes.

The SEC describes a "cybersecurity incident" as an unauthorized occurrence that jeopardizes the confidentiality, integrity, or availability of a company's information systems or data. The SEC allows companies to disclose a cyber incident with a few details, with the expectation of follow-up disclosures as more information is gathered.

Andrew Heighington, CSO at EarthCam, notes that companies are wrestling with balancing the SEC's material cyber incident disclosure requirements in the fog of an incident. Businesses often use mild language to limit doubts about their ability to respond and potential legal liabilities, at least early on in the investigation.

The dozen SEC cyber incident disclosures to date are not voluminous enough to draw broad conclusions about organizations' reporting strategies. However, it is clear that companies are carefully calibrating their disclosures to reflect the materiality and impact of incidents, choosing language that fulfills regulatory requirements while managing the legal and business risks associated with explicitly labeling an event a "data breach."

  1. To manage potential legal and reputational risks, companies often avoid using the term "breach" when disclosing material cybersecurity incidents, instead employing mild language that fulfills regulatory requirements.
  2. The SEC's definition of a cybersecurity incident encompasses any unauthorized occurrence that endangers the confidentiality, integrity, or availability of a company's information systems or data, significantly impacting its financial condition or operations.
  3. In the aftermath of a cyber incident, companies aim to maintain a balance between the SEC's material disclosure requirements and the need to protect their response efforts by not providing overly technical or granular details, focusing on broad incident descriptions.
