Scott Lindlaw is a Partner and Jim Finkle a Managing Director at FGS Global. They are leaders of FGS Global’s Cybersecurity and Data Privacy team. Team members Scott Peltomaa, Gabriela Penido, Ellie Schroeder and Sloane Valen contributed to this research.
For more on our findings, please see this WSJ analysis.
After years of rulemaking and rancorous debate in Washington, new SEC cybersecurity disclosure rules that went into effect at the end of last year have surprisingly been met with a yawn.
In 2023, the U.S. Securities and Exchange Commission finalized an extended rulemaking process by announcing it would take steps to tame inconsistent cybersecurity communications by establishing a much tighter regulatory framework for disclosing such events to investors. Beginning December 18th, 2023, the SEC required public companies to file an 8-K reporting incidents within four days of identifying “material” impact. Publicly held companies that once had flexibility regarding whether, how and when to disclose cybersecurity incidents are now required to make public disclosures to regulators much earlier.
The business community had warned the new rules would unleash chaos. The U.S. Chamber of Commerce joined more than 30 other trade groups in signing a June 2022 letter warning that “The proposed rules go too far and would place companies at heightened risk by compelling them to prematurely disclose increased amounts of cybersecurity incident information.”
The FGS Global Cybersecurity and Data Privacy team has closely tracked how 43 companies reported under the rule from the day it went into effect through September 30, 2024. Nine months after the rules took effect, the impact of these requirements has been far less significant than the business community feared.
The volume of these disclosures has amounted to a trickle, not the flood of 8-K filings many expected. One CISO had predicted to the Wall Street Journal in September 2023 that “A stream of 8-Ks will be the new norm.” This was not a controversial view, given that cyberattacks remain so common – 2,200 per day, by one estimate, and hundreds reported each year to state authorities.
But as of September 30, just 43 companies had filed 8-Ks disclosing cyber incidents. Not a single company disclosed a new cyber incident in the month of September by filing an 8-K. (The high-water mark for those disclosures was June, when just seven companies made such disclosures.)
Investors have for the most part shrugged off these 8-Ks. Share prices of the vast majority of companies that disclosed these incidents remained virtually unchanged or posted only modest drops.
In the first trading day after disclosure, share prices on average fell 0.7 percent:
- 17 dropped more than 0.5 percent
- 18 rose more than 0.5 percent
- 8 were virtually unchanged
After the first week of trading, share prices on average were down 2.1 percent:
- 23 dropped more than 0.5 percent
- 16 rose more than 0.5 percent
- 4 were virtually unchanged
In short, companies need not worry that disclosing a cyber incident via a public SEC filing will immediately tank their stock – though some have seen long-term drops as they later disclosed significant cyber-related remediation, customer impacts and litigation costs.
One potential reason for the small number of disclosures under the new rules could be that the U.S. government has asked certain companies to hold off on cyber disclosures based on national security concerns.
To date, only one company, AT&T, has said it delayed disclosure of a cyber incident at the request of law enforcement. While the company first learned of the matter in April, it held off on disclosure until July as the Justice Department determined that delays were warranted, in line with a national security provision in the new SEC rule. Of course, it’s impossible to know how many incidents remain undisclosed under this national security exception.
Approaches to communicating the details of incidents vary widely. Some businesses have proactively shared bare-bones information about events before they had made a clear determination about materiality.
Example of an 8-K that does not disclose any material impact: Radiant Logistics, Inc.’s March 20 8-K reported, “ … While the investigation is ongoing, as of the date of this filing, the incident has not had a material impact on the Company’s overall operations, and the Company has not determined the incident is reasonably likely to materially impact the Company's financial conditions or results of operations.”
Some companies filed multiple 8-Ks providing amendments to update disclosures on an incident, while others issued just one filing. Two companies filed three 8-Ks total on a single incident.
The SEC seems to understand that companies are struggling with the updated rule. On May 21, 2024, the SEC’s Director of the Division of Corporation Finance issued a clarification on what type of 8-K filings companies should use when disclosing cyber incidents to ensure that investors are not confused about whether an incident is material. On June 24, the Commission provided updated guidance to address frequently asked questions on ransom payments and materiality.
Only one thing will bring dramatically greater certainty to a skittish marketplace: The SEC’s first enforcement action stemming from the new rule, which will finally show companies and their securities lawyers where the commission’s red lines are.
FGS’s take: Company disclosures on cybersecurity incidents are under unprecedented scrutiny, with reputations in the balance. In fact, the new SEC rules expressly encourage companies to factor “reputational damage” into the materiality analysis. Communications professionals, alongside legal counsel, are often best positioned to advise on this issue. They should be at the table from the earliest moments of an incident for that analysis – and throughout the life cycle of the crisis. Cyber disclosures such as these 8-Ks – which are de facto press releases – have potential to gin up news cycles and broad, anxious chatter across all stakeholders. We typically see spikes in negative social mentions after disclosure of a cyber incident. It is critical to actively monitor social traffic to identify trends that threaten to harm corporate reputations. It is more important than ever for businesses to prepare detailed communications plans for responding to cyber incidents, then test them and update them as needed.
+++
The FGS Global Cybersecurity and Data Privacy team specializes in helping businesses prepare for incidents and managing the ever-changing regulatory environment. A key part of that process has been creating crisis communications plans for a variety of cyber incident scenarios, then testing them in exercises simulating the new disclosure-rules environment to help crisis working groups build muscle memory they can use in an actual incident.
Such preparations can replace confusion with confidence, accelerate response time, and help preserve credibility and reputation with key constituencies, including customers, investors, employees and media.
The FGS Global Cybersecurity and Data Privacy team can be reached at cybertaskforce@fgsglobal.com.