
A Hit-and-Miss First Year for SEC’s Cyber-Incident Reporting Rules


It’s been a year since the U.S. Securities and Exchange Commission (SEC) set in place its controversial cyberattack reporting rules, and the takeaway seems to be that companies need to be more complete when making their filings, that the rule helped accelerate the reporting of cybersecurity incidents, and that there is room for improvement. MSSPs are positioned to help public companies navigate these rules.

Yet it’s also unclear what will happen to the rules when the new presidential administration, which is aggressively anti-regulation, comes into power next month.

“While the rules have made strides in encouraging accountability, they should provide clearer guidelines on reporting ongoing threats – not just incidents after they occur – to give investors a more comprehensive understanding of risk,” Shai Mendel, co-founder and CTO of cybersecurity firm Nagomi Security, told MSSP Alert. “This will improve how organizations disclose the specific nature of cyber threats.”

That said, Andy Lunsford, founder and CEO of incident management and response company BreachRx, doesn’t believe the regulations are doing what the SEC intended.

“The SEC was hoping to provide more information for investors about cybersecurity incidents,” Lunsford told MSSP Alert. “Based on the volume of incidents that occur every year, the number reported – including those reported as non-material – seems woefully under the actual number of incidents occurring.”

MSSPs Feel the Effect

The regulations have rippled through MSSPs and MSPs as well: a Deloitte study found that 65% of surveyed executives at public companies said they planned to strengthen their security programs, and 54% said they planned to push third parties to strengthen theirs.

BreachRx, in a report this month, found that only a small percentage of 8-K filings about cybersecurity incidents specified a material impact as required, and fewer than half provided insight into the organizations’ incident response procedures. The information that companies supplied about incidents and programs also mostly followed “very boilerplate language” that wasn’t useful to investors as intended. Another analysis found a lack of information about CISOs and CSOs.

The BreachRx researchers noted that “reaction to the new measures was mixed, with proponents applauding the push for better security practices while others expressed concern about the additional compliance burden. This extra burden comes amidst budgets growing more slowly than enterprise attack surfaces, making this even more challenging.”

Keeping Investors Informed

The rules are designed to force publicly traded companies to disclose timely and relevant information about cyber incidents that could affect shareholders and other investors. They require such organizations to disclose attacks within four days of determining that the incident is materially impactful to the company, though many executives said they were unclear what constituted a “material impact.”

The companies also are required to disclose their incident response processes.

More Incident Reports

An analysis by law firm Paul Hastings of 75 disclosures issued by 48 public companies between December 2023 and 2024 found a 60% increase in the number of cyber incidents disclosed since the rules went into effect, and that 78% of disclosures were made within eight days of the incident being discovered. However, fewer than 10% of the disclosed incidents included a description of the material impact of the attack.

An interesting side note in the Paul Hastings report was that some bad actors used the SEC rules as added leverage in extortion attempts against victims, with some going so far as to submit whistleblower reports to the agency noting a company’s failure to disclose and publish the attacks.

BreachRx’s Lunsford noted that the SEC has worked to clear up confusion about the rules’ requirements, though companies have also been hampered by long-standing legal advice to provide only the minimal information necessary about incidents, on the theory that disclosing more could create more liability for the company.

“This line of thinking is in direct conflict with the SEC's stated goal of companies providing ‘decision-useful’ information to investors,” he said. “Bare minimum, boilerplate language does not provide ‘decision-useful’ information for investors. It will be interesting to see if the SEC starts to penalize companies for taking the minimal approach.”

Clearer Guidance Needed

Nagomi Security’s Mendel said that clearer and more actionable SEC guidance could ensure organizations report incidents more accurately and in real time.

“While the rules have made strides in encouraging accountability, they should provide clearer guidelines on reporting ongoing threats, not just incidents after they occur, to give investors a more comprehensive understanding of risk,” he said. “This will improve how organizations disclose the specific nature of cyberthreats. … There needs to be a stronger emphasis on proactive security measures and continuous monitoring, rather than just reporting post-incident information.”

Mendel also said organizations can take a more proactive approach, including continuously optimizing security defenses, identifying potential threats before they escalate, and enabling real-time communication regarding the threats.

An Unclear Future

However, how all this plays out once the Trump Administration takes office and Republicans control both chambers of Congress is unclear. That said, law firm Hunton Andrews Kurth wrote in The National Law Review this month that despite GOP skepticism about such regulations, the SEC rules may have some shelf life.

“The SEC’s cybersecurity rules likely will be a lower priority than other pressing matters, such as a revised approach to cryptocurrency regulation and repeal of the SEC’s climate disclosure rules,” the law firm wrote. “Accordingly, it is likely the current cybersecurity reporting regime will remain in place for some time.”
