Significant Increase in Cybersecurity Disclosures to SEC Detected in New Study
A recent study by one of the top U.S. law firms specializing in finance and M&A activity has revealed a noticeable increase in cybersecurity incident disclosures by public companies. Since the implementation of new cybersecurity disclosure rules by the U.S. Securities and Exchange Commission in 2023, there has been a 60% surge in reported incidents, with 78% of disclosures made within eight days of discovering the issue.
These regulations mandate that public companies disclose material cybersecurity incidents within four business days of determining that an incident is material. The aim is to give investors timely, pertinent information that could affect their investment decisions. Despite the rise in disclosures, fewer than 10% of them provided details about the material impacts of the incident, indicating either reluctance to commit to an assessment or genuine difficulty in quantifying full impacts within the filing window.
Companies often struggle to balance detailed reporting against safeguarding sensitive operational information, even though the rules do not require disclosure of specific technical details that could impede remediation efforts. Michelle Reed, co-chair of the data privacy and cybersecurity practice at Paul Hastings, suggests that companies filing quickly to avoid SEC penalties for delayed disclosure may be hesitant to commit to detailed impact statements in those initial filings.
The upcoming year will be pivotal in determining how materiality is interpreted in the cybersecurity realm. Materiality assessments have already produced varying outcomes among companies that disclosed cybersecurity incidents. For instance, the June ransomware attack on automotive software provider CDK Global led to differing materiality determinations among affected companies, with some stating the attack had no material impact despite paying a ransom.
Reed highlights the challenges companies face in determining the necessary depth of information for reporting while safeguarding sensitive security measures. The ambiguity around materiality is further exemplified by the prevalence of third-party breaches, accounting for 1 in 4 incidents. This type of cybersecurity incident creates dilemmas for companies concerning whether to disclose third-party breaches, especially when other companies might have disclosed a related incident.
Ultimately, materiality in cybersecurity disclosures is a nuanced and evolving concept, influenced by the size of the company, the effectiveness of its incident response, and the risk and likelihood of impact. Companies must navigate these complexities to provide transparent and meaningful disclosures to investors. The full report is available on Paul Hastings’ website for more insights into this ongoing issue.