December 30, 2024
Cyber Disclosure: How are Companies Responding to the 8-K Requirement?
It’s been a little over a year since the SEC’s requirement to disclose material cybersecurity incidents on Form 8-K went into effect, and this Paul Hastings report provides some insight into how companies have responded. The report reviewed 75 disclosures from 48 public companies over the past year, and here are some of the key findings:
– Since the SEC rules became effective, there has been a 60% increase in the number of cyber incidents disclosed by public companies.
– Fewer than 10% of the disclosed incidents include a description of the material impact of the incident. 78% of disclosures were made within eight days of discovery of the incident, with 42% of companies providing an update by issuing an updated Form 8-K after the initial disclosure.
– Third-party breaches had the widest-ranging impact for public companies, with one in four breaches stemming from a third-party incident.
This excerpt from the report notes that threat actors are apparently “blowing the whistle” on companies that have been the victims of a cyber attack, but haven’t reported it:
In an aggressive move to pressure victims into paying ransoms, some threat actors have filed whistleblower reports with the SEC, claiming that companies have failed to report active incidents on Form 8-K. The threat actor then makes its “whistleblower” report public, attempting to publicly shame victims and encourage payment. While such tactics have failed each time, they have generated significant media attention, with over 40 news articles published in publications such as The Wall Street Journal, Bloomberg, Security Week and others.
– John Jenkins