SEC disclosure rules baffle companies, one year later

Photo illustration: Megan Robinson/Axios; Photo: Andrew Harrer/Bloomberg via Getty Images
Most publicly traded companies aren't sharing enough detail with investors about the cyber incidents that affect their business.
Why it matters: One year later, the Securities and Exchange Commission's cyber disclosure rules appear to be failing to solve the transparency problems they were supposed to fix.
By the numbers: Only 16.9% of public 8-K filings disclosing a cyber incident provided specific details about the material impact it had on the company's business, according to a report from BreachRx released Tuesday.
- The report, shared exclusively with Axios, also showed that only 48% of 8-K filings provided any specifics about how the organization was responding to an ongoing incident.
- The other 52% of filings shared only the same, vague boilerplate language about the incidents.
- BreachRx reviewed 71 8-K filings reporting cyber incidents from 47 companies filed in the last year — as well as 10-K annual reports from 154 companies that had filed as of Nov. 18, 2024.
What they're saying: The SEC was "very clear in all of their language around this rule: They wanted more transparency, they wanted more details, they didn't want boilerplate language, they didn't want just these generic statements," BreachRx CEO Andy Lunsford told Axios.
- "It's pretty clear that's not what the industry has done."
Catch up quick: New requirements for most public companies to disclose material cyber incidents within four business days went into effect Dec. 18, 2023.
- Companies also had to start disclosing details about their overall cybersecurity strategies in annual reports.
- At the time, companies were unclear on what was considered "material" or what specific information they needed to disclose about data breaches or cyberattacks.
Between the lines: The SEC hasn't shared a lot of prescriptive guidance on what cyber incident disclosures should look like — leaving room for interpretation.
- Corporate lawyers are also likely to push back on sharing many details about an active cyber incident for fear of future litigation, Lunsford said.
- This means some companies have opted for a limited interpretation of what "material" means that just focuses on an incident's impact on financials and business services — which excludes most customer data breaches.
Zoom in: The report also notes three companies that did file detailed reports, including Microsoft.
Yes, but: President-elect Trump plans to nominate crypto advocate Paul Atkins to lead the SEC.
- Current chair Gary Gensler has made cybersecurity a top priority during his tenure, but it's unclear whether Atkins would keep the same heavy hand.
- But Lunsford said it would take a lot of effort for new leadership to rescind the reporting rules.
What we're watching: It remains to be seen how strictly the SEC will enforce these rules now that they're in effect.
- Even if the new SEC chair chooses to take a more relaxed approach, future administrations could still retroactively levy actions against lax company approaches, Lunsford said.
