
SEC Disclosures Increase, Yet Lack Sufficient Detail


The cybersecurity disclosure rules recently adopted by the U.S. Securities and Exchange Commission (SEC) have produced a marked rise in incident reports from publicly traded companies. However, an analysis by a law firm specializing in finance and mergers and acquisitions finds that most of these reports say little about the material impact of the incidents they describe.

According to research by Paul Hastings LLP, the volume of cybersecurity incident reports rose by 60% after the new disclosure rule took effect in 2023. The rule requires public companies to notify shareholders of a material cybersecurity incident within four business days of determining that the incident is material. An incident is material if a reasonable investor would consider it important in deciding whether to buy, sell, or hold the company's stock. Assessing materiality means weighing both the immediate consequences and the potential longer-term effects on operations, customer relationships, financial condition, brand reputation, and exposure to legal or regulatory action.

The effects of the new rules have been felt across industry sectors. Financial services reported the highest number of disclosures, but healthcare, industrials, and retail also reported significant incidents, underscoring how broadly cyberattacks are being felt.

Despite the increase in disclosures, fewer than 10% of the reports gave a comprehensive account of the incident's material impact. This suggests that companies struggle to balance giving investors enough detail against protecting sensitive internal information. Some companies did provide useful material-impact disclosures: Bassett Furniture Industries, for instance, stated that its operations would remain significantly disrupted until restoration efforts were complete, and First American Financial quantified its losses by adjusting its reported earnings per share in its SEC filings.

Interestingly, about 13% of the reporting companies chose to issue press releases or direct readers to blog posts to elaborate on their incidents.

Third-Party Breach Impact

Notably, 25% of the reported incidents were breaches originating with a third party. Companies face a difficult call on whether to disclose such breaches, especially when other victims have already gone public. A case in point is the ransomware attack on automotive dealership software provider CDK Global, after which its parent company, Brookfield Business Partners, paid a $25 million ransom. Brookfield maintained that the incident would not have a material impact on it, yet several smaller automotive firms reported significant disruption resulting from the same attack.

In a recent enforcement action, the SEC settled charges against four companies that used SolarWinds software for allegedly issuing misleading disclosures about how the SolarWinds compromise affected them. Two of the firms disclosed the incident but omitted key details such as the identity of the attacker, the type of information compromised, and the number of accounts affected. The other two did not disclose the incident at all and were charged over their failure to be transparent about its impact.

Speed or More Details?

A large majority, roughly 78%, of incident disclosures were filed within eight days of discovering the event. The SEC has clarified that the four-business-day clock starts when materiality is determined, not when the incident is first discovered. Even so, many companies chose to report quickly, with one-third filing within four days of identifying the incident. This haste may be driven by a desire to avoid SEC penalties for late disclosure, but it raises the question of whether companies had fully assessed the incident's implications before filing. Partly as a result, 42% of firms ended up filing multiple reports on the same incident, adding details over time such as quantified losses, effects on customer data privacy, and notifications made to affected individuals and regulators.

The report's authors stress that companies should continually reassess their disclosure procedures and run training exercises aimed at improving materiality decisions during cybersecurity incidents.

Source
www.darkreading.com
