2024 SEC 8-K Cybersecurity Incident Disclosure Timeline

In the last year, the U.S. Securities and Exchange Commission implemented new rules to improve the reporting of cybersecurity practices by SEC registrants. These rules require companies to promptly disclose any significant cybersecurity incidents they experience. This shift has pushed company executives and boards to prioritize cybersecurity as a critical aspect of their business operations. Failure to comply with these rules can lead to legal consequences for both leaders and their organizations, putting chief information security officers on high alert.

During the first year of this program, over 20 cybersecurity incidents were disclosed to the SEC through Form 8-K filings by corporations. Below, you’ll find a list of these 22 filings, outlining each incident’s target, impact on the business, and filing date.

While the SEC’s cybersecurity disclosure rules are a step forward for cybersecurity, most of these filings lack specific details, such as the type of attack or perpetrators’ identities. The commission’s guidelines for Form 8-K filings only require companies to disclose essential aspects of the incident and its impact on the business.

What this means is that while these rules provide transparency to key market players and encourage companies to take cybersecurity seriously, they don’t offer detailed insights that the cybersecurity community could use to strengthen systems against similar attacks.

Of the disclosed incidents, media reports identified eight as ransomware attacks. Some incidents initially lacked details but were gradually clarified over time. For example, Prudential Financial’s initial filing mentioned that a cybercrime group had accessed company data, but the full impact was not yet known. Eventually, it was revealed that over 2.5 million people’s information might have been compromised, with the AlphV ransomware group allegedly responsible.

Another incident involving Key Tronic, a technology manufacturer, was initially labeled a “cybersecurity incident.” However, further investigation revealed it was a ransomware attack conducted by the Black Basta ransomware gang, leading to extensive data theft and significant revenue loss.

In 2024, ransomware attacks persist as a popular cybercrime method, despite being one of the oldest forms of cyber threats. Additionally, some high-profile incidents targeted Microsoft and Hewlett Packard Enterprise with nation-state-backed cyber-espionage tactics. Although these attacks didn’t have a material impact, both companies disclosed the incidents in their Form 8-K filings.

The incidents detailed above underscore the importance of cybersecurity diligence in today’s threat landscape and emphasize the need for robust security measures to protect organizations from increasingly sophisticated cyber threats.
