Report reveals 71 cyber incident submissions under SEC's new rule within an eleven-month period
Since the Securities and Exchange Commission's (SEC) cyber incident reporting rule went into effect on December 18, 2023, a total of 71 cybersecurity incidents have been disclosed by publicly traded companies in regulatory filings during the first 11 months.
According to BreachRx's analysis, the rule continues to present challenges for companies, with the majority of filings describing cyber risks in nearly identical and generic terms. This lack of specificity, along with concerns about sharing too much information, is causing a sustained variance in the timing and fullness of cyber incident filings.
One of the key factors contributing to this variance is the interpretation of materiality. The SEC requires companies to disclose material cybersecurity incidents within four business days after determining materiality. However, the definition of what constitutes a "material" incident can vary significantly among companies, leading to inconsistencies in reporting timing and detail.
Another factor is the complexity in incident assessment. Companies may need time to assess the full scope and impact of a cybersecurity incident, which can delay disclosure. The speed and detail of disclosures can also be affected by the varying levels of expertise and resources companies have to dedicate to such assessments.
The lack of standardized reporting formats is another contributing factor. While the SEC has established guidelines for reporting, there is no standardized format for disclosing cybersecurity incidents. This lack of uniformity can result in variations in the detail and timing of filings as companies may choose to disclose information in different ways.
The SEC's rule requiring companies to report their cyber risk management and governance strategies elicited 154 such filings as of Nov. 18. However, both this rule and the cyber incident disclosure rule have been criticized for the lack of specificity in filings.
Andy Lunsford, CEO of BreachRx, has suggested that state data breach sites report a higher volume of cyber incidents than what is reported to the SEC. He also stated that the volume of SEC notifications seems low compared to the volume of impactful incidents companies face daily.
The SEC is seeking more transparency from companies in reporting cyber incidents and cybersecurity risk. As the rule continues to evolve, it remains to be seen how companies will adapt and improve their reporting practices.
- Companies continue to experience challenges in compliance with the SEC's cyber incident reporting rule, as the majority of filings involve generic descriptions of cyber risks and materiality, causing inconsistencies in reporting timing and detail.
- The SEC's rule requiring companies to report on their cyber risk management and governance strategies has led to a substantial number of filings, but it too has been criticized for its lack of specificity in disclosures.
- Companies face complexities in assessing the full impact of a data breach, which can lead to delays in disclosing cybersecurity incidents, as well as variations in the speed and detail of disclosures due to varying levels of expertise and resources.
- In addition, the lack of standardized reporting formats for cybersecurity incidents contributes to variations in the detail and timing of filings, as companies may choose to disclose information in different ways.
- To improve transparency, the SEC is seeking more specific and timely reports on cyber incidents and cybersecurity risk from companies. As the rule continues to evolve, it remains to be seen how companies will adapt and improve their reporting practices.