The SEC’s new rule on cybersecurity has finally been issued. As I sit here pondering what it means, I keep reflecting on a conversation a colleague and I once had about Microsoft. The final decision to disclose a cybersecurity breach will come down to materiality. But the thought of Microsoft, a company with ~1.4 billion users worldwide and a cloud-based platform, Microsoft 365,[1] used in over a million businesses, possibly filing daily 8-Ks on cyber incidents had us laughing hysterically.
I assume they will soon be adding an entirely new department that dedicates 100% of its time to reviewing their cyber incidents to decide whether they meet the threshold of materiality. Imagine what the board of directors would need to review to meet the risk management requirements. The review process would take days.
Historical SEC Cybersecurity Guidance
Then, when I look at our data on Microsoft, I begin to think I must be terribly wrong in my musings. In the past 12 years, Microsoft reported only 11 incidents, none of them initially disclosed in an SEC filing. Despite the new rule, these disclosures are not a new requirement. In 2018, the SEC released interpretive guidance on this matter stating:[2]
“The Commission encourages companies to continue to use Form 8-K or Form 6-K to disclose material information promptly, including disclosure pertaining to cybersecurity matters. This practice reduces the risk of selective disclosure, as well as the risk that trading in their securities on the basis of material non-public information may occur. In addition to the information expressly required by Commission regulation, a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”
Given that the new SEC requirements on cyber incidents are essentially no different from what has been necessary all along, will we now see a surge of companies filing 8K’s to inform the public investor?
In our 2022 Ideagen Audit Analytics Cybersecurity Report we found only ~43 public companies that initially disclosed their cyber incident in a filing with the SEC in 2022. These disclosures represented only 34% of all disclosures that year. Our database includes only 125 reported incidents in 2022 for public companies, despite our analysts’ manual review of State Attorneys General sites, news sources and technology websites, as well as SEC filings throughout the year.
We should expect some pressure on public company reporting of cybersecurity risks as a result of SEC actions such as the October 30, 2023 charges filed against SolarWinds Corporation and its chief information security officer, Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The SEC’s complaint alleges that, while it was the target of a massive, nearly two-year-long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.[3]
Who will be filing these cybersecurity incident disclosures? Recent research conducted by Cyentia Institute and SecurityScorecard found: “98.3% of organizations have a relationship with at least one third party that has experienced a breach in the last two years.” What’s more, “50% of organizations have indirect relationships with at least 200 fourth parties that have had breaches in the last two years.”[4] The SEC quoted this statistic in its final rule, along with the observation that “recent developments in artificial intelligence may exacerbate cybersecurity threats, as researchers have shown that artificial intelligence systems can be leveraged to create code used in cyberattacks, including by actors not versed in programming.” The same cyber incident could result in numerous filings. This deluge could happen even if only a fraction of the cyberattacks are considered material.
According to the same report, third-party providers dominate the Information Technology Sector, and the top technologies include offerings from Google, AWS, and Microsoft, amongst others. Which brings me back to my original thought: what is going to happen if/when there’s a big cybersecurity breach at one of these omnipresent vendors?
The Future of Cybersecurity Disclosure
My theory is, since the SEC allows for a delayed disclosure if the United States Attorney General determines “immediate disclosure would pose a substantial risk to national security or public safety,” we will see many such delays. I’m picturing a Bat phone between Microsoft and the Attorney General’s office, staffed 24 hours a day by lawyers, making these determinations.
Since the SEC rules require the 8-K filings to begin December 18, 2023, it won’t be long before we see the impacts of this newly codified requirement. I am hopeful that we will see an explosion of filings, keeping our analysts at Ideagen Audit Analytics busier than ever and hopefully no longer having to search the web for stealth cybersecurity disclosures.