Cybersecurity rules that recently went into effect at the Securities and Exchange Commission have so far resulted in several breach disclosures from publicly traded companies, including Microsoft and Hewlett Packard Enterprise.
The rules require a “material” cybersecurity incident to be disclosed to the SEC within four days of a determination that it is material, among other provisions. They were intended to provide investors with timely and “decision-useful” cybersecurity information, according to the SEC, but experts say some of the early filings contain minimal breach details, leaving key questions unanswered.
“Some of these disclosures, I think, are question begging,” Scott Kimpel, a partner at Hunton Andrews Kurth, said in an interview. “They don’t tell us much about the incident beyond high-level headline-type details.”
Under the SEC rules, companies must determine the materiality of an incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.”
The disclosure must describe the material aspects of the nature, scope and timing of the incident, as well as its “material impact or reasonably likely material impact.”
“Because we’re early in the process, norms have not yet been established,” said Richard Marcus, head of information security at AuditBoard, a cloud-based risk management company. “And so, companies are wondering: ‘How much can I get away with here? How much are my shareholders really expecting?’ I think there’s a lot of benchmarking going on — companies looking at their peers.”
Without naming any specific companies, Kimpel said some have filed head-scratching incident disclosures, in which they report a breach that hasn’t yet materially impacted their operations and may or may not end up materially impacting their financial condition.
One explanation is that such companies could be reporting a breach they deemed material from a “qualitative,” rather than “quantitative,” perspective, according to Kimpel. Quantitative material impacts can include financial harm, while qualitative impacts can involve “an almost endless list of possibilities,” including reputational harm or the risk of future regulatory or legal issues, he said.
As of Dec. 18, all covered entities other than smaller reporting businesses were required to comply with the new breach disclosure mandates. Smaller reporting companies will be subject to them as of June 5.
In January, Microsoft disclosed in an Item 1.05 Form 8-K filing that a “nation-state associated threat actor” had gained access to and exfiltrated information from a “very small percentage” of employee email accounts including members of the company’s senior leadership team and employees in its cybersecurity, legal, and other functions.
“As of the date of this filing, the incident has not had a material impact on the Company’s operations,” the Redmond, Washington-based tech giant said in the disclosure. “The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
HP Enterprise and Prudential Financial are among companies that have used similar language in breach disclosures filed with the SEC under the new cybersecurity rules.
Microsoft reported its breach to the SEC even though the company’s investigation didn’t — as of the time of its regulatory filing — uncover fallout that met the agency’s material impact threshold, the Wall Street Journal reported in January. “But because the law is so new, we wanted to make sure we honor the spirit of the law,” the company said, according to the Journal report.
The SEC filings themselves may be opening the door to investor confusion: companies are reporting breaches that, as described, do not appear to be material, without explaining why they chose to disclose them, according to Kimpel.
“If the SEC’s objective here was to shine more light on these incidents, and to provide investors with additional information about the cybersecurity positions of companies they invest in, a lot of these filings haven’t done that,” Kimpel said. “They raise more questions than they answer.”
For now, companies have no clear guidance from the SEC as to how much information needs to be disclosed, Marcus said, adding that it’s currently open to interpretation.
“I would assume that, right now, because it’s a new rule, there’s probably going to be a lot of flexibility,” he said. “But I would imagine that that grace period expires at some point, and the SEC will start to be more explicit about what they expect and will bring enforcement actions against companies that are not complying.”