How companies describe cyber incidents in SEC filings
It’s been three months since the Securities and Exchange Commission’s cyber disclosure rules took effect, and rather than creating a deluge of incident revelations, only a trickle has emerged. Companies have submitted 12 initial Form 8-K, Item 1.05 filings, the form the SEC began requiring businesses to file for material cybersecurity incidents on Dec. 18. Each of these filings mentions an “incident,” and all but two said the activity or access was “unauthorized.” While the language businesses use in Item 1.05 filings is ultimately crafted to notify regulators and investors of potential risks, these words also signal how a company detects, mitigates, contains and recovers from cyberattacks. Across the filings Cybersecurity Dive analyzed, none of the businesses described the incident as a breach or data breach in the filing with the SEC — and that was likely by design.
“Words like ‘breach’ and ‘data breach’ have very specific legal meanings and consequences, and they also have a particular meaning within what I’ll call the public consciousness,” said Travis Brennan, partner and chair of the privacy and data security practice at Stradling. “It’s just become a very loaded term, generally, and I think it’s one that companies in these disclosures will studiously avoid using in most cases,” Brennan said. “Once there has been a breach, as opposed to merely an incident, that suggests that the risk of harm has just gone up a few notches.”
Cybersecurity Dive 03/19/2024