Axios Codebook

December 10, 2024
Happy Tuesday! Welcome back to Codebook.
- 🎄 What silly, lighthearted holiday movies are we watching? I'm looking for more to add to my list.
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,314 words, a 5-minute read.
1 big thing: SEC disclosure rules baffle companies, one year later
Most publicly traded companies aren't sharing enough detail with investors about the cyber incidents that affect their business.
Why it matters: One year later, the Securities and Exchange Commission's cyber disclosure rules appear to be failing to solve the transparency problems they were supposed to fix.
By the numbers: Only 16.9% of public 8-K filings disclosing a cyber incident provided specific details about the material impact it had on the company's business, according to a report from BreachRx released today.
- The report, shared exclusively with Axios, also showed that only 48% of 8-K filings provided any specifics about how the organization was responding to an ongoing incident.
- The other 52% of filings shared only the same, vague boilerplate language about the incidents.
- BreachRx reviewed 71 8-K filings reporting cyber incidents from 47 companies filed in the last year — as well as 10-K annual reports from 154 companies that had filed as of Nov. 18, 2024.
What they're saying: The SEC was "very clear in all of their language around this rule: They wanted more transparency, they wanted more details, they didn't want boilerplate language, they didn't want just these generic statements," BreachRx CEO Andy Lunsford told Axios.
- "It's pretty clear that's not what the industry has done."
Catch up quick: New requirements for most public companies to disclose material cyber incidents within four business days went into effect Dec. 18, 2023.
- Companies also had to start disclosing details about their overall cybersecurity strategies in annual reports.
- At the time, companies were unclear on what was considered "material" or what specific information they needed to disclose about data breaches or cyberattacks.
Between the lines: The SEC hasn't shared a lot of prescriptive guidance on what cyber incident disclosures should look like — leaving room for interpretation.
- Corporate lawyers are also likely to push back on sharing many details about an active cyber incident for fear of future litigation, Lunsford said.
- This means some companies have opted for a limited interpretation of what "material" means that just focuses on an incident's impact on financials and business services — which excludes most customer data breaches.
Zoom in: The report also notes three companies that did file detailed reports, including Microsoft.
Yes, but: President-elect Trump plans to nominate crypto advocate Paul Atkins to lead the SEC.
- Current chair Gary Gensler has made cybersecurity a top priority during his tenure, but it's unclear whether Atkins would keep the same heavy hand.
- But Lunsford said it would take a lot of effort for new leadership to rescind the reporting rules.
What we're watching: It remains to be seen how strictly the SEC will enforce these rules now that they're in effect.
- Even if the new SEC chair chooses to take a more relaxed approach, future administrations could still retroactively levy actions against lax company approaches, Lunsford said.
2. 'Tis the season for holiday scams
Facebook parent Meta is launching a public awareness campaign today about the ways scammers are targeting users this holiday season.
Why it matters: Scammers are most successful when people are looking for deals, desperate to find certain merchandise, and busy.
Driving the news: Meta partnered with researchers at Graphika to track and remove scammers from the company's social media sites.
- Ethical hacker Rachel Tobac also released a new video detailing the ways scammers could lure victims.
- The video will be primarily shared on Meta's own platform and on Tobac's social media accounts.
Zoom in: Graphika released a report today detailing the ways scammers use popular sites, including Facebook, Instagram and WhatsApp, to convince people to share personal details about their lives or pay for fraudulent items.
- Many users have been tricked into buying bargain-priced Christmas trees and decorations that just never arrived, Jack Stubbs, chief intelligence officer at Graphika, told reporters during a briefing yesterday.
- Stubbs said they've also seen scammers operating across various online platforms, including those not owned by Meta, with the hopes of evading detection and disruption.
Between the lines: Educating users is one of the only solutions to stopping scammers, Tobac told reporters.
- Scammers are pushing the same tricks year after year, in part because they keep working.
The bottom line: Be suspicious of deals that are too good to be true, avoid sharing any personal information with online sellers, and turn on multifactor authentication, Tobac said.
- "People can't know and spot things if they've never heard of them before," she said.
- "Without that level of education, the platforms don't stand a chance because people won't even be able to recognize and understand the alerts when they see them."
3. Exclusive: Ex-intel officials take on insiders
Former intel officials Susan M. Gordon and Mike Studeman are now advising insider risk firm Dtex, the company first shared with Axios.
Why it matters: The two officials are highly respected in the cybersecurity industry, and they hope to bring more awareness to the risk that insiders can pose to a company's security.
The big picture: Dtex provides software tools to help companies manage who has access to their networks and to detect abnormal behavior.
- That behavior can look like an employee downloading a large number of files or logging into systems they don't normally access.
- It also accounts for malicious hackers posing as employees who might log in at weird hours to scope out the company's networks.
Between the lines: Insider threats have been on the rise for years, but they've yet to garner much attention beyond niche cybersecurity and legal circles.
- North Korean IT workers have adopted stealthier ways to nab remote U.S. jobs to help fund their regime's missile programs. Many have stolen legitimate U.S. identities and used AI to pass job interviews.
Zoom in: Gordon and Studeman are the first two members of Dtex's new advisory board.
- Gordon was the principal deputy director of national intelligence during the first Trump administration and served in the CIA for nearly 30 years before that.
- Studeman is a former commander of the Office of Naval Intelligence and current national security fellow at Mitre, a government-funded research organization.
What they're saying: "Not enough people understand truly what's at stake," Studeman told Axios. "I also want to help actually do something about the threats that I describe."
- In a statement to Axios, Gordon said she joined Dtex's advisory board because the company "has the potential to change the balance of power in this cat-and-mouse game" between attackers and cyber defenders.
What's next: Dtex CEO Marshall Heilman told Axios he isn't in a rush to expand the board anytime soon.
- Gordon and Studeman are likely to cover insider threats in their talks at conferences and will work with Heilman on issues facing the company.
4. Catch up quick
@ D.C.
👀 Brian Harrell, a Department of Homeland Security official during Trump's first term, is among those invited to interview at Mar-a-Lago for a cyber role. (The Record)
🏛️ TikTok asked the U.S. Court of Appeals to halt the ban-or-divest law pending a Supreme Court review. (Axios Pro)
🫠 Brendan Carr, Trump's pick to run the FCC, told CNBC that the information he's learned about Salt Typhoon recently has made him want to "basically smash my phone." (Cybersecurity Dive)
@ Industry
🤖 OpenAI released its AI-generated video tool, Sora, to paying customers. (Axios)
🏃‍♂️ Google has released its new quantum chip, which the company says can perform calculations in five minutes that would take typical supercomputers 10 septillion years. (Axios)
@ Hackers and hacks
⚠️ Hackers are actively exploiting a security flaw in yet another company's popular file transfer tools, researchers warned. (TechCrunch)
⚡️ A top electricity distributor in Romania is fighting a ransomware attack, days after the country's top court annulled the presidential election results because of suspected Russian interference. (BleepingComputer)
🩺 U.S. medical device giant Artivion said in an SEC filing that hackers stole some of its files during a recent "cybersecurity incident." (TechCrunch)
5. 1 fun thing
👀 ICYMI: DDoSecrets now has a searchable database of more than 10 million files that have been hacked and leaked.
☀️ See y'all Friday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.