What communications leaders should be doing regardless of how regulations evolve
Last week, the public comment period closed on the U.S. Securities and Exchange Commission's sweeping review of Regulation S-K — the framework governing what public companies must disclose in annual reports, quarterly filings, and current reports. The SEC Chairman had asked the public to weigh in on how to streamline corporate disclosures so filings focus on information a reasonable investor would actually find material. Among all the items under review, the cybersecurity requirements generated some of the most pointed and contested comment letters.
At issue were the rules that the SEC implemented in December 2023 requiring public companies to (1) disclose material cybersecurity incidents within four business days on Form 8-K, and (2) describe how they manage cybersecurity risk in their 10-Q and 10-K filings. A coalition of major financial industry trade groups, including SIFMA, the American Bankers Association, the Bank Policy Institute, and others, filed a joint letter asking the SEC to rescind both requirements. The U.S. Chamber of Commerce filed separately with similar recommendations.
The SEC's inquiry is broad, and the agency may act on some items and not others. The range of possible outcomes is wide, and the timeline is uncertain.
Three things companies should be doing now, regardless of how the rules change:
Build cyber communications into incident response planning now, and not after an incident strikes. Most incident response plans focus on technical containment and legal notification. The communications and reputation risk strategy — what to say, to whom, when, in what sequence, and in what tone — needs to be developed with the same rigor, before an incident occurs. Companies that improvise under pressure lose time and make avoidable mistakes that compound the original harm.
Run communications-focused tabletop exercises. Cyber tabletops that stop at the IT and legal layer expose a critical gap. Threat actors do more than lurk in the shadows of the dark web — they now brief journalists, challenge company statements publicly, maintain social media accounts, host faux cyber media sites, and in extreme cases contact customers, employees, and leadership directly to maximize disruption. Bringing together cross-functional groups, including management, to test the cyber communications plan against these scenarios builds the muscle memory that will be critical in an actual crisis and surfaces gaps in existing plans before they are exposed under pressure.
Stay current on the evolving threat landscape and revise plans regularly. The threat environment today looks different from even two years ago. Ransomware groups are fragmenting and becoming less predictable. AI is compressing attack timelines and making adversary communications more sophisticated. Communications plans built on yesterday's threat assumptions will fail against today's incidents. Companies reviewing their cyber plans are now regularly adding deepfake scenarios that were not contemplated earlier in the decade.
The companies that emerge from a cyberattack with their reputations intact are not necessarily those with the best technical defenses. They are the ones that treated security posture, business resilience, and stakeholder communications as inseparable — and prepared accordingly.
Why this matters now
The threat environment is getting worse across every dimension. FGS Global and S-RM's Cyber Incident Insights Report 2026, drawing on data from over 800 incidents responded to globally in 2025, found that ransom payments rose sharply last year and, in 80% of ransomware cases, attackers exfiltrated data before or during the attack, enabling multiple rounds of extortion.
Threat actors are also growing more sophisticated in their use of media and public pressure — briefing journalists about stolen data, publicly challenging company statements they deem misleading, and directly contacting customers and employees to maximize disruption. In one case, a threat actor told the SEC that one of its victims had failed to disclose an attack. Threat actors have also released transcripts of ransom negotiations, often spilling embarrassing facts — and exaggerations — into public view.
Critical infrastructure also remains in the crosshairs of geopolitical conflicts. Iranian-affiliated cyber actors have significantly escalated attacks on U.S. energy, water, and government networks. On April 7, six federal agencies — including CISA, the FBI, and the NSA — issued a joint advisory confirming operational disruption and financial losses at victim organizations. A ceasefire has not stopped the activity; Iranian-linked actors have publicly vowed to continue.
AI is accelerating these threats. Federal Reserve Governor Michael Barr devoted an entire April 2025 speech to deepfakes and the AI arms race in bank cybersecurity, citing research showing deepfake fraud attempts had increased twentyfold over the prior three years. The FBI documented AI-enabled fraud — a broad category that includes but is not limited to deepfakes — topping $893 million in reported losses in 2025, with the agency noting the true toll is likely far higher given widespread underreporting.
Regulators may ultimately give companies more flexibility in how and when they disclose cyber incidents. But flexibility without preparation is not an advantage — it is a liability. The companies that use this moment to build stronger communications strategies will be better positioned when an attack comes. And it will come.
FGS Global advises companies on cybersecurity communications strategy, crisis preparedness, and reputational risk. Contact our cybersecurity practice at cybertaskforce@fgsglobal.com.
