A little over six months ago, the U.S. Securities and Exchange Commission (SEC) established its Form 8-K cybersecurity reporting rules, making the SEC a key player in cybersecurity. This is a good time to review how effective these rules have been. In this issue, we discussed how these rules represent a new trend. The Form 8-K rules require companies to report major cybersecurity incidents within four business days. The goal is to make cyber-attacks and data exposure more transparent. If done right, this rule will help protect the public and keep people informed when their information is compromised.
According to the SEC, there are two key components to the new rules: first, companies must disclose “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope and timing.” This means each company must also explain what constitutes this material impact. Second, these companies must describe their processes “for assessing, identifying and managing material risks from cybersecurity threats.” This tells us that the SEC is not only concerned with the reporting of cybercrimes but that they also recognize that many companies do not have processes in place for responding to attacks once they occur.
Since the SEC’s rules came into effect, companies like Microsoft, Hewlett Packard, UnitedHealth Group, and Prudential Financial have reported cybersecurity incidents. The problem is that these reports don’t follow SEC guidelines. Instead of reporting material losses from attacks, these companies report qualitative losses. This is permitted because the SEC’s rules are vague, and it lets companies look better to their investors.
Broadly, the companies that have filed in this calendar year center around two types of industries—technology and financial services. As experts have written, these qualitative losses are a bit strange: “companies have made materiality determinations in the past on the basis of non-financial qualitative factors… but these situations are more the exception than the rule.” Ultimately, for this process to be truly beneficial for consumers, the SEC will need to get much more specific about reporting requirements; otherwise, companies will continue to report the bare minimum.