A Cybersecurity Dive article by Matt Kapko examined how companies describe cyber incidents in their Securities and Exchange Commission (SEC) filings. The first filings made under the SEC's new cyber disclosure rules show how carefully businesses choose their words when communicating potential risks to regulators and investors.
Why Companies Favor “Incident” Over “Breach” in SEC Filings
Since the SEC adopted its cyber disclosure rules in July 2023 (the Form 8-K incident-reporting requirement took effect in December 2023), companies have complied by issuing the required filings. A common theme across these filings is the use of the term "incident," with most avoiding the legally charged terms "breach" or "data breach."
Travis Brennan, a partner and chair of the Privacy and Data Security Practice at the law firm Stradling, explains, "Words like breach and data breach have very specific legal meanings and consequences .... It's just become a very loaded term generally."
The language used in these filings does more than notify regulators and investors; it also signals how a company handles cyberattacks. The SEC defines a "cybersecurity incident" broadly, as an unauthorized occurrence (or series of related occurrences) on or through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of those systems or the information on them. Because that definition covers everything from ransomware to unauthorized access, companies can describe an event accurately without conceding that data was compromised, which gives them some flexibility in their disclosures.
Transparency or Tactics? Detail vs. Risk in SEC Disclosures
Businesses often opt for mild language in their initial disclosures to limit doubts about their response capabilities and to contain potential legal liability. Some companies, however, such as VF Corp., Hewlett Packard Enterprise, Microsoft, and UnitedHealth Group, chose to disclose additional details, including the likely attack vector or the identity of the threat actor.
Andrew Heighington, CSO at EarthCam, a New Jersey supplier of live webcams often used for security purposes, notes that while the SEC requires disclosure of material incidents, it does not mandate the disclosure of specific or technical information about the company's response, remediation, or systems where doing so could impede that response or remediation.
The Risks and Benefits of Detailed Disclosure
Sharing detailed information about a cyber incident has both benefits and risks. It can demonstrate that an organization responded swiftly and effectively, but it can also expose the organization to copycat attacks. Brennan points out that companies are more likely to disclose detail when the attack vector involved is already known or commonly used, since describing it gives attackers little they do not already have.
The Evolving Landscape of Cyber Incident Reporting
The SEC's rules give companies some latitude in their initial disclosure. A Form 8-K is due within four business days of a company determining that an incident is material, and if some required information is not yet determined or available at that point, the company must say so and file an amendment once it is known. The expectation is therefore that early filings will be followed by more detail as the investigation progresses.
Amy Chang, a senior fellow at the R Street Institute, a Washington, D.C. policy research think tank, suggests that early disclosures may be intentionally vague because companies are still investigating. She also notes that oversharing early on could lead stakeholders to question whether the company's security controls were adequate in the first place.
Balancing Disclosure in SEC Cyber Filings
The initial batch of SEC cyber incident disclosures underscores how difficult it is for companies to describe cyberattacks to discerning audiences while the facts are still emerging.
The Cybersecurity Dive article’s author Matt Kapko concludes: “In the early days of complying with the SEC’s new cyber rules, we’re seeing companies wrestle with balancing the SEC’s material cyber incident disclosure requirements in the fog of an incident where there can be significant unknowns.”