Disclosures in dribs and drabs

The SEC rules leave some wiggle room for companies to disclose a cyber incident with a few details, so long as businesses follow up with additional disclosures as more information is gathered.

When companies share more data and analysis in these SEC disclosures, shareholders and affected parties are likely to consider whether the business could have easily prevented the incident altogether, according to Amy Chang, senior fellow of cybersecurity and emerging threats at R Street Institute.

Early oversharing compels stakeholders to consider the likelihood of potential poor security controls, a mishandled detection or response, third-party supplier involvement or some other cause, Chang said.

“It is possible that the companies may want to reveal as little detail as possible, or because it is a way to broadly classify the incident as they’re continuing to uncover more details about it,” Chang said via email.