A new report from BreachRx reveals that most publicly traded companies are not providing adequate details about cyber incidents impacting their business despite new disclosure rules from the Securities and Exchange Commission. One year after the implementation of these rules, only about 17 percent of public filings disclosed specific details about the material impact of such incidents. Additionally, nearly half of the filings failed to provide information on how companies responded to ongoing issues, instead relying on vague language. The SEC aimed to enhance transparency and detail in disclosures, but the findings suggest that many companies are still not meeting these expectations. The dealine to comply with the requirement to report material cyber incidents within four business days was December 18, 2023. Yet, clarity on what constitutes “material” remains an issue, leading to concerns about potential legal repercussions for sharing too much information.
Why do we care?
The SEC’s rules were designed to increase transparency, but vague definitions of “material impact” and concerns over legal liability have created a significant compliance gap.
As we transition administrations, it will be notable to see if this is clarified… or loosened. Companies still don’t want to discuss their security issues, and I don’t see that improving. Many organizations view cybersecurity incidents as sensitive business intelligence. Disclosing too much can expose vulnerabilities to competitors and attackers, making full compliance with transparency rules unlikely.
