Corporate Disclosures of Cybersecurity Incidents in Securities and Exchange Commission Reports
In the world of corporate cybersecurity, the term "breach" or "data breach" is often avoided in disclosures to the Securities and Exchange Commission (SEC). This careful choice of language is primarily driven by the need to manage legal risk and disclosure obligations under the SEC's evolving regulatory framework.
The SEC requires the disclosure of material cybersecurity incidents rather than mandating specific terminology. Companies must make nuanced assessments about materiality and impact when reporting incidents, leading to more cautious and precise language. This approach avoids definitive terms like "breach" that could imply certain legal or reputational consequences.
One of the key reasons for this cautious language is the complex and subjective nature of the materiality assessment. The SEC's 2023 rules require disclosure of material incidents within four days, but do not precisely define what constitutes a "breach." Companies must evaluate both qualitative and quantitative factors to judge materiality, such as financial impact, operational disruption, data sensitivity, and regulatory thresholds.
Another reason is the desire to avoid premature admission or legal exposure. Using definite terms like "breach" can increase legal liability risks, including potential enforcement actions and shareholder claims. The SEC has shown a willingness to pursue enforcement when companies misstate or inadequately disclose cybersecurity issues, but courts sometimes push back on overly broad claims by the SEC.
The regulatory and litigation uncertainty also plays a role in the choice of language. Terms like "substantial harm" and "material cybersecurity incident" are deliberately broad and undefined, leaving companies to tailor disclosures carefully. This cautious approach mitigates the risk of triggering unwarranted litigation, penalties, or reputational damage before facts are confirmed.
The standardized disclosure language is also evolving. The SEC's new cyber disclosure rules focus on presenting incidents' nature, scope, timing, and potential financial impact rather than using specific labels. This encourages precision and fact-based narrative over strong characterizations such as "data breach."
In summary, companies avoid saying "breach" or "data breach" in SEC disclosures to navigate complex materiality standards, minimize legal risks, and comply with evolving SEC requirements that emphasize detailed factual disclosure rather than triggering terms that imply definite harm or loss. This cautious language reflects ongoing uncertainties in cybersecurity incident reporting regulation and enforcement.
The SEC's definition of a cybersecurity incident serves as an umbrella for all types of cyberattacks. Companies may use it because they choose to reveal as little detail as possible, or because it broadly classifies the incident while they are still uncovering details about it. So far, companies have submitted 12 initial Form 8-K, Item 1.05 filings for material cybersecurity incidents since the SEC's cyber disclosure rules took effect three months ago.
However, the SEC cyber incident disclosures to date do not provide enough information to draw broad conclusions about organizations' reporting strategies. Businesses often use mild language to limit doubts about their ability to respond and potential legal liabilities. The SEC allows companies to disclose a cyber incident with a few details, with the expectation of follow-up disclosures as more information is gathered.
Some companies, such as VF Corp., Hewlett Packard Enterprise, Microsoft, and UnitedHealth Group, have disclosed additional details beyond what's mandated. Yet, none of the businesses described the incident as a breach or data breach in the SEC filing. Five of the companies that disclosed security incidents also revealed data theft or exfiltration, providing information about the potential attack vector, the threat actor's likely identity or motivations, possible or confirmed data theft, and impacts on specific operations or systems.
In instances where more details about a cyber incident are shared sooner rather than later, it may be because the particular attack vector used is a known or common one. The SEC's new cyber rules are causing companies to grapple with disclosure requirements in the midst of an incident, in the early stages where there can be significant unknowns. They are having difficulty quantifying the material scope, nature, and impact of the cyber incident on the business, vendors, reputation, and customers.
As the landscape of cybersecurity continues to evolve, so too will the strategies companies employ in their SEC disclosures. The cautious use of language in these disclosures reflects a desire to navigate complex legal and regulatory landscapes while maintaining transparency with shareholders and affected parties. The SEC's evolving cyber disclosure rules will continue to shape this landscape in the coming years.
- Companies carefully avoid using the term "breach" or "data breach" in disclosures to the Securities and Exchange Commission (SEC) because they need to manage legal risks and disclosure obligations under the SEC's evolving regulatory framework.
- The SEC requires the disclosure of material cybersecurity incidents but does not mandate specific terminology, necessitating nuanced assessments about materiality and impact by reporting companies.
- The SEC's 2023 rules require disclosure of material incidents within four days, but do not define what constitutes a "breach," leaving companies to assess both qualitative and quantitative factors like financial impact, operational disruption, data sensitivity, and regulatory thresholds to judge materiality.
- Using definite terms like "breach" can increase legal liability risks for companies, including potential enforcement actions and shareholder claims, so they opt for cautious language to minimize such risks.