Dive Brief:
- Publicly traded companies disclosed a collective 71 cybersecurity incidents in regulatory filings during the first 11 months of the Securities and Exchange Commission’s cyber incident reporting rule, BreachRx said in a Tuesday report. The SEC rule requiring companies to report an incident within four days of determining materiality went into effect Dec. 18, 2023.
- Less than 1 in 5 of those 8-K filings, which came from 47 companies — multiple companies filed updates with the SEC as they learned more — specified a material impact, according to BreachRx’s research. On average, companies disclosed cyber incidents roughly nine days after detection.
- “Given the volume of impactful incidents that companies face on a day-to-day basis, the volume of SEC notifications seems incredibly low, particularly if we examine state data breach sites that detail incidents reported to them,” BreachRx CEO Andy Lunsford said via email.
Dive Insight:
The SEC’s cyber disclosure rule continues to confound companies, resulting in a lack of compliance and insufficient details, analysis of the past year’s filings shows.
Business leaders’ concerns about sharing too much information are causing a sustained variance in the timing and fullness of cyber incident filings, Lunsford said.
“The biggest gap is that companies are not providing decision-useful information. Almost all filings to date have used very generic boilerplate language,” Lunsford said. “The SEC, like many other regulators, is seeking more transparency from companies when it comes to reporting incidents and cybersecurity risk.”
A separate SEC rule requiring publicly traded companies to report cyber risk management and governance strategies in annual filings elicited 154 such filings as of Nov. 18, the report found. The majority of those filings described cyber risks in “nearly identical and generic terms,” BreachRx said.