
Study finds ‘significant uptick’ in cybersecurity disclosures to SEC

However, less than 10% of the disclosures addressed the material impacts of the security incidents.

The introduction of new cybersecurity disclosure rules by the U.S. Securities and Exchange Commission has led to a significant uptick in the number of reported cybersecurity incidents from public companies, according to a leading U.S. law firm that specializes in finance and M&A activity.

Analysis by Paul Hastings LLP found that since the disclosure rules took effect in 2023, disclosures of cybersecurity incidents have increased 60%, and 78% of those disclosures were made within eight days of discovery of the incident.

The regulations require public companies to disclose material cybersecurity incidents within four business days of determining their materiality, aiming to provide investors with timely and relevant information that could impact investment decisions.

Despite the increase in disclosures, fewer than 10% detailed the material impacts of the incidents, suggesting that companies are either hesitant to assess the full impact quickly or find it difficult to do so. Companies must balance detailed reporting against protecting sensitive operational details; the rules do not require disclosure of specific technical information that could hinder remediation efforts.


Michelle Reed, co-chair of Paul Hastings’ data privacy and cybersecurity practice, said the hesitancy is likely because companies are disclosing very quickly, so as to not be penalized by the SEC for delayed disclosure.

“The coming year will be an interesting testing ground on how materiality in the cyber world ultimately shakes out,” Reed told CyberScoop.

The materiality standard has led to inconsistent outcomes among companies that have publicly disclosed a cybersecurity incident. For instance, the June 2024 ransomware attack on automotive software provider CDK Global resulted in varying degrees of materiality disclosures. CDK’s parent company, Brookfield Business Partners, said in its July disclosure that it did not “expect this incident to have a material impact” on its business, despite a reported $25 million ransom payment.

Several car dealerships also filed disclosures saying the attack on CDK negatively affected their business, but stopped short of saying the incident caused a “material impact.”

Reed told CyberScoop these cases illuminate the ambiguity companies face in determining the depth of information necessary for reporting, while avoiding the disclosure of sensitive security measures that could exacerbate vulnerabilities and lead to lawsuits.


“Materiality is a sliding scale, weighing risk and likelihood of impact,” she said. “The exact same breach could happen to two different companies, and based on size of the company and effectiveness of their incident response, one may have to disclose and the other may not.”

An additional concern covered in the report is the prevalence of third-party breaches, which account for one in four incidents. The report notes that this kind of incident creates a further dilemma: whether a company must disclose a breach at a third party, particularly when other affected companies may already have disclosed an incident stemming from the same breach.

You can read the full report on Paul Hastings’ website.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.