Confusion around when and how to report cybersecurity breaches continues to plague companies a year after revised US Securities and Exchange Commission (SEC) cybersecurity breach reporting rules came into effect, experts say.
As the agency that regulates and enforces federal US securities laws continues to flex its enforcement muscles against organizations that violate the strict rules, which impose a tight reporting deadline for the disclosure of cybersecurity incidents, CISOs and other senior executives are under increasing pressure to quickly assess and report breaches judged to be material — a challenging determination given their complexity.
Companies get into problems with the SEC when disclosures are either not forthcoming or not timely enough, according to Joe Shusko, a partner with global accountancy firm Baker Tilly’s cybersecurity practice. Consequently, they are finding it necessary to develop new strategies to maintain compliance with the rules, the interpretation and application of which aren’t always clear and vary according to specific situations.
“Determination of materiality isn’t straightforward and shouldn’t be made in isolation — senior security staff should work with their business operations colleagues, legal counsel, external forensics as part of a disclosure committee,” Shusko told CSO.
The SEC’s enforcement isn’t slowing down
The SEC has taken more than 200 enforcement actions since it gained the power to do so in 2015, with a quarter of those involving cybersecurity incidents. A growing list of charges has been filed against companies it deems to have misled investors about incidents that it considers to be material to stakeholders.
In December 2024, the SEC filed settled charges against Flagstar “for making materially misleading statements regarding a cybersecurity attack on Flagstar’s network in late 2021,” an attack also known as Citrix Bleed, with the company paying $3.55 million. The SEC found that while the company did report the breach, it failed to disclose that sensitive customer data of about 1.5 million people had been exposed.
A few months earlier, the SEC fined four companies $7 million for “misleading cyber disclosures” related to the SolarWinds hack. The quartet — Avaya, Check Point, Mimecast, and Unisys — were faulted for misleading disclosures about the impact of the 2020 software breach on their individual businesses that left investors and other stakeholders in the dark.
The four tech firms each agreed to settle the dispute over its disclosures by paying a fine but without making any admission of wrongdoing. Unisys, which was also charged with security controls violations, agreed to pay a $4-million fine while the other vendors each stumped up around $1 million.
CISOs still grappling with fears over a lack of clarity
Former Uber CSO Joe Sullivan, a security expert convicted for obstruction in the reporting of the 2016 Uber privacy breach, contends that despite the rising number of examples of enforcement, there are still many uncertainties over exactly how companies can achieve compliance.
“There is so much fear out there right now because there is a lack of clarity,” Sullivan told CSO. “The government is regulating through enforcement actions, and we get incomplete information about each case, which leads to rampant speculation.”
Based on its history, the SEC may issue clearer and more detailed guidance on the disclosure rules in the future, Shusko says. However, it is unlikely to make allowances for organizations that fall afoul of the rules even pending future clarification.
The SEC did not immediately respond to inquiries by CSO as to whether any supplementary guidance about its revised reporting rules was in the pipeline. Although the incoming Trump administration has promised to slash business regulations in general, whether cyber incident disclosure rules might be modified — much less when — remains unclear.
Companies should err on the side of transparency
As things stand, CISOs and their colleagues must chart a tricky course in meeting reporting requirements in the event of a cybersecurity incident or breach, Shusko says. That means anticipating the need to deal with reporting requirements by making compliance preparation part of any incident response plan.
If they must make a cyber incident disclosure, companies should attempt to be compliant and forthcoming while seeking to avoid releasing information that could inadvertently point towards unresolved security shortcomings that future attackers might be able to exploit.
“Organisations should err on the side of transparency,” Shusko says.
Given that clarity around disclosure isn’t always straightforward, there is no real substitute for preparedness, and that makes it essential to practise situations that would require disclosure through tabletops and other exercises, according to Simon Edwards, chief exec of security testing firm SE Labs. “Speaking as someone who is invested heavily in the security of my company, I’d say that the most obvious and valuable thing a CISO can do is roleplay through an incident.”
Edwards continued: “Get the processes in place, including knowing where to find the form to submit to the SEC and maybe even pre-populate it with as much information as possible. Then, when the unthinkable happens, there’s less chance to panic and make mistakes.”
Recent fines have also laid the groundwork for the SEC to enact enforcement actions against other non-compliant organizations — although the SEC disclosure rules are primarily targeted against publicly traded companies, a far greater range of organisations might feel their effects.
Company supply chains can also impact breach reporting
“The disclosure rules are targeted towards publicly traded organizations, but that doesn’t necessarily mean non-publicly traded organizations are excluded,” Shusko says. “Public companies will likely expect their business partners to disclose and communicate any cyberattacks that might impact their organizations and as a result their customers. Organisations need to understand their supply chains.”
Disclosure rules that are open to interpretation mean that some companies will feel obliged to disclose less-serious security incidents. For example, Shusko says, even though a recent cyberattack against American Water had no material impact on the utility, it still disclosed the attack in order to keep its stakeholders informed.
“There is a lack of clarity about where enforcement actions might start,” Sullivan says.
Senior security professionals and their colleagues face a particular challenge in determining if a security incident is material, and therefore something they are obliged to disclose, or something less serious that can be handled in-house.
“[There’s] confusion about what meets the threshold of ‘material’ — companies are all over the place on their disclosures, and the guidance from the SEC has been confusing at best,” Sullivan says.