Recent filings from corporations under new SEC cyber-disclosure regulations have provided some noteworthy insights – even if they remain somewhat sparse on details. Among the 13 companies that opted for early adoption of this regulation and disclosed “material” breaches to their systems, the predominant trend has been that of reporting incidents quickly but providing relatively scant specifics.
Referring to these initial filings, Ben Pedersen, a partner at Debevoise & Plimpton, has addressed the lack of rich factual detail, opining that the SEC may dispute the compliance of companies based on the thin nature of their disclosures. Pedersen’s observations have spotlighted the somewhat nebulous area surrounding what exactly constitutes a “material” cyber breach and how companies interpret and act on this guideline.
The newly introduced SEC cyber-disclosure rules are expected to increase transparency into the cyber risks corporations are facing, aiding investors in making more informed decisions. However, these initial filings suggest that there will be a degree of growing pains associated with achieving this goal, as companies navigate the balance between sufficient disclosure and protecting sensitive information.
Looking forward, it will be of significant interest to monitor how companies embellish upon their security incident reporting under these guidelines, and how this improves overall cybersecurity transparency in the sector.