
Cyber Incident Disclosures in Securities and Exchange Commission Reports

The cybersecurity disclosures that businesses file significantly influence public perception. Their wording can create a sense of reassurance about the recovery process, the potential consequences, and any legal repercussions.


Companies are treading carefully when disclosing incidents to the Securities and Exchange Commission (SEC). The SEC's broad definition of a "cybersecurity incident" as an unauthorized occurrence, or a series of related unauthorized occurrences, on or through a company's information systems that jeopardizes the confidentiality, integrity, or availability of those systems or the information residing in them serves as an umbrella for a wide range of cyberattacks.

Companies are strategically avoiding explicit terms like "breach" or "data breach" in their SEC disclosures. This approach allows them to manage legal risk, keep the focus on materiality, and control the narrative around the incident. The SEC's new cybersecurity disclosure rules require companies to make a materiality determination without unreasonable delay after discovering an incident and to disclose a material incident on Form 8-K within four business days of that determination. The trigger is the incident's impact, not any specific label.

The materiality focus is a key reason for this avoidance. The SEC mandates disclosure only when an incident is material, that is, when it has had or is reasonably likely to have a material impact on the company, including its financial condition and results of operations. Using a neutral term like "incident" lets companies keep the emphasis on materiality and avoid labeling an event a breach before the assessment is complete.

Legal risk management is another significant factor. Using the term "breach" could trigger heightened legal liability, regulatory scrutiny, or class-action lawsuits, particularly under state data-breach statutes that attach obligations to that word. Companies prefer less definitive language to preserve flexibility and protect against claims tied specifically to data breaches.

Regulatory guidance also plays a role. The SEC rules define cybersecurity incidents broadly as "unauthorized occurrences" and never require the word "breach." Instead, Form 8-K Item 1.05 asks for the material aspects of the incident's nature, scope, and timing and its material impact, which encourages companies to describe those elements rather than apply potentially inflammatory labels.

Reputation management is another consideration. Avoiding the term "breach" can reduce reputational damage with investors, customers, and partners. It allows companies to provide required disclosures while minimizing alarm or negative market reactions.

Operational considerations are also at play. The rule itself states that a company need not disclose specific or technical information about its planned response, its cybersecurity systems, or potential system vulnerabilities in such detail as would impede its response or remediation. The choice of language reflects a balance between transparency and operational security.

Sharing too much detail in a cyber incident disclosure can also expose a company to copycat attacks, since a description of the exploited weakness is useful to other attackers while remediation is still under way. Companies may therefore reveal as little as possible, or classify the incident only in broad terms, while they continue to uncover details about it.

Not all companies follow this trend. Outliers such as VF Corp., Hewlett Packard Enterprise, Microsoft, and UnitedHealth Group have disclosed details beyond what the rules mandate. Five companies mentioned data theft or exfiltration in their disclosures.

The Securities and Exchange Commission's cyber disclosure rules took effect in December 2023, three months before this article was written. Companies are still grappling with the SEC's material incident disclosure requirements in the fog of an incident, where there can be significant unknowns. They are weighing the risk of sharing too much detail against the confidence they may inspire by describing their incident response or cybersecurity risk management program in a positive light.

Andrew Heighington, CSO at EarthCam, noted that companies are not required to disclose specific or technical details about their response to a cyber incident if it would impede the company's response or remediation. Amy Chang, senior fellow of cybersecurity and emerging threats at R Street Institute, cautioned that early oversharing of a cyber incident can compel stakeholders to consider the likelihood of potential poor security controls, a mishandled detection or response, third-party supplier involvement, or other causes.

In conclusion, companies are navigating a delicate balance in their cybersecurity incident disclosures. They are using terms like "cybersecurity incident" or "material cybersecurity event" to comply with SEC rules while minimizing adverse consequences in litigation, investor relations, and public perception.

  1. Companies are strategically using terms like "cybersecurity incident" or "material cybersecurity event" in their SEC disclosures to manage legal risk, keep the focus on materiality, and control the narrative around an incident, consistent with the SEC's broad definition of a cybersecurity incident.
  2. The new SEC cybersecurity disclosure rules require companies to disclose material cybersecurity incidents within four business days of determining materiality, a determination based on impact rather than on specific labels, which lets companies emphasize materiality and avoid prematurely labeling events as breaches.
  3. Using a neutral term like "incident" helps companies protect against claims tied specifically to data breaches, since the term "breach" could trigger heightened legal liability, regulatory scrutiny, or class-action lawsuits.
  4. Companies are weighing the risk of sharing too much detail against the confidence they may inspire by describing their incident response or cybersecurity risk management program in a positive light, while avoiding explicit terms like "breach" or "data breach."
