We’ve reported extensively on the SEC cyber disclosure rule that requires public companies to submit 8-K filings when they’re hit with cyber attacks. For some reason, the rule has attracted criticism from several media outlets in recent days. Earlier this week Bloomberg Law provided a critical review (under paywall) of how companies have responded to the disclosure rule, released in 2023: “Since then, there have been far fewer new filings than might have been expected given the increased risk of ransomware and cyberattacks in recent years. The few filings on record show that companies are quick to report an incident, yet fail to provide more than the bare minimum in the way of details.” Bloomberg calls the rule “form over substance.”
Information Week agrees with Bloomberg’s critique, but predicts the regulation will not be dumped by the Trump Administration, at least this year.
The National Law Review does see some positive developments: “Recent cybersecurity incident disclosures contain more detailed information about affected systems and compromised data, particularly in Item 1.05 filings (mandatory reports for incidents creating a “material” impact on the company), than the more general disclosures filed right after the rule became effective.”
A useful summary of 2024 reports pursuant to the rule was released on LinkedIn by the Field CISO at Hyperproof, who counted 54 companies reporting a total of 55 incidents, most reported to law enforcement. “Something that didn’t happen in 2024 was massive shareholder lawsuits or related legal actions against CISOs, as previously predicted.”
For additional statistics on these reports, check out this recent JD Supra analysis.
Background on the SEC Rule
You can find our roundup of legal analysis on the rule (SECURITIES AND EXCHANGE COMMISSION 17 CFR Parts 229, 232, 239, 240, and 249) when it came out in 2023, along with the full text of the regulation.
Other News: SEC Reveals Its Cyber Reporting Rule, Scrambling and Confusion Sure to Follow (Opens in a new browser tab).