New cyberattack disclosure rules make companies anxious

The SEC's new cyber disclosure rules don't go into effect until December, but many publicly traded companies are complying already, reporting cyberattacks months ahead of schedule.

Why it matters: The early disclosures are giving other businesses a preview of what to expect from regulators, shareholders and consumers when they report their own material cyber incidents.

Catch up quick: The SEC enacted new rules in July requiring public companies to disclose cyber incidents that have a material impact within four business days via a publicly available 8-K filing.

• Under the rules, companies will also need to disclose more details about their internal cybersecurity programs in annual reports.

The big picture: The new rules have triggered pushback and anxiety among corporations worried about the implications of public incident disclosures.

• Some chief information security officers are worried the SEC will use their 8-K filings to hold them liable for incidents, Nick Sanna, president of Safe Security and co-founder of the FAIR Institute, told Axios.
• Companies also aren't sure how consumers and shareholders will respond to reports of new material cyberattacks, noted Lisa Plaggemier, executive director of the National Cybersecurity Alliance.
• And having to disclose an incident in the middle of an active attack could give hackers move leverage to do damage, Lesley Ritter, senior vice president of Moody's cyber risk group, told Axios.

What they're saying: "There was a time just four or five years ago that companies were even afraid to talk about cybersecurity to their customers because it had so many negative connotations," Plaggemier told Axios.

Details: Most public companies don't need to start reporting material cyber incidents until Dec. 18, but many are already abiding by the rules to show the SEC how responsible they are, Sanna said.

• For instance, Caesars Entertainment first acknowledged reports of a cyberattack on its networks last month via an 8-K.
• "You're going to see companies that are going to be forthcoming, and companies that are less as forthcoming, and in the end, the shareholders will judge who is doing a better job of managing cyber risk," Sanna said.

Between the lines: Consumer and investor response to disclosed cyberattacks depends on the circumstances of the incident.

• When Okta reported a security breach last week, its stock tumbled 12% on the news. Since then, the company's share price has struggled to recover from the drop.
• Meanwhile, Caesars' stock price was unaffected the day it reported its cyber incident — likely because it faced little to no business disruptions after allegedly paying a ransom to get its networks back up and running.

Zoom in: Another source of anxiety lies in the question of how to determine if a cyberattack will have a material business impact, Sanna said.

• His organization has created a tool that attempts to measure the business impact of a breach, including estimates on how much business interruptions, ransom payments and network security upgrades will cost.

Yes, but: Most 8-K filings don't stray much from how companies were already publicly discussing incidents — sticking to a short statement that says they're facing an incident and will return with more information at a later date.

• MGM Resorts took this approach one step further during its cyberattack last month and simply copy and pasted its social media statements into its 8-K report. (The original social media posts have since been deleted from X, formerly known as Twitter.)

Be smart: Experts recommend companies start shoring up their internal cybersecurity programs now, before the SEC reporting rules kick in.

• Organizations should consider running tabletop exercises, establishing a crisis communications plan, and providing cyber training to board members, Plaggemier said.

Sign up for Axios' cybersecurity newsletter Codebook here.