TLDR:
- About a dozen companies have filed a Form 8-K reporting a material cybersecurity incident since the SEC Rule took effect.
- Companies are erring on the side of caution, providing only high-level information about the incidents.
Since the Securities and Exchange Commission’s Cybersecurity Incident Disclosure Rule (SEC Rule) took effect in December 2023, Jena M. Valdetero of Greenberg Traurig, LLP discusses the trends in how companies are disclosing material cybersecurity incidents. The SEC Rule requires companies to disclose the nature, scope, and timing of incidents within four business days of determining it is material. The key trends highlighted in the article include:
Key Trends:
- Companies are disclosing even if there was no material impact.
- Initial disclosures are brief and generic.
- Many disclosures read like high-level press releases.
- No companies have confirmed material impact on financials.
- About half of the companies have provided updated disclosures.
The article emphasizes that companies are cautious in their disclosures, focusing on containing and remediating the incidents. It also notes that no companies have confirmed a material impact on financials, indicating ongoing investigations. Overall, companies are following a trend of early disclosure and high-level information sharing in compliance with the SEC Rule.