This is the property of the Daily Journal Corporation and fully protected by copyright.

Administrative/Regulatory, Data Privacy

Sep. 21, 2023

SEC requires publicly traded companies to disclose cyberattacks within four days

New SEC rules may have prompted MGM Resorts’ next day report of expected millions in losses from ongoing cyberattack.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek , CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

Despite significant criticism, the Securities and Exchange Commission’s new rules requiring rapid and detailed disclosure of material cyberattacks took effect this month. The new SEC rules require publicly traded companies to provide updated disclosures on Form 8-K describing a cyberattack that may cause a material effect on corporate profits. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 17 CFR Parts 229, 232, 239, 240, and 249.

One of the most controversial elements of the new rules is that publicly traded companies must report cyberattacks within four days. The SEC noted that many cyberattacks are reported months later and that 75% of ransomware attacks go unreported. When companies do report, the reports are often untimely, made only once per year and well after the attack has already been covered in the press.

The catastrophic cyberattack on MGM Resorts in Las Vegas this month underscores the relevance of reporting. Although corporations are not required to submit Form 8-K with the new cyberattack reports until December, MGM Resorts filed a Form 8-K within one day. The cyberattack, which has been ongoing for eight days, shut down gambling machines, corporate email, restaurant reservation and hotel booking systems, disabled digital room keys and potentially exposed highly sensitive personal information (including social security numbers) of patrons.

MGM Resorts’ response was dramatically different from that in prior high-profile cyberattacks. For example, T-Mobile suffered a data breach in August 2021 in which cyber criminals hacked and exfiltrated customers’ sensitive personal data – including names, addresses, birthdates, drivers’ license numbers and social security numbers. Because T-Mobile failed to disclose the breach for months, the criminals had enough time to begin offering the data for sale on the dark web. And when it did disclose, T-Mobile sent a perfunctory text message to customers stating that a breach had occurred, without mentioning how sensitive the stolen data was. T-Mobile ended up paying a half billion dollars to settle a class action suit. In Re: T-Mobile Customer Data Security Breach Litigation, Master Case No. 4:21-MD-03019-BCW (W.D. Missouri 2021).

Marriott waited three months to disclose a 2018 cyberattack that exposed personal data, including social security numbers for 145 million people in the United States and a half billion customers worldwide. In 2017, hackers exploited a known flaw in Equifax’s software to steal 143 million U.S. consumers’ credit files. Equifax waited four months to disclose the attack. Perhaps one reason for the delay was that a patch existed for the flaw well before the attack, but Equifax hadn’t installed it.

The SEC justified the new reporting rules on the “substantial rise in the prevalence of cybersecurity incidents” and the associated costs to companies, such as business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks, and reputational damage. The MGM Resorts cyberattack is reportedly costing $8.4 million per day, which could cause a 10%-20% drop in corporate revenue.

The SEC said the new cyberattack disclosure rules are intended not only to prompt rapid disclosure, but to address wide inconsistencies in companies’ reports. Some companies disclosed significant details, such as the estimated costs of an incident, engagement of cybersecurity professionals, and remedial steps taken to address cyberattacks. Ironically (but perhaps not surprisingly), the SEC noted that companies experiencing the most high-profile cybersecurity attacks often report the “least amount of information.”

Publicly traded corporations will now have to report when the cyberattack was discovered; whether it is ongoing; a brief description of the nature and scope of the attack; whether any data was stolen, altered, accessed or used for any other unauthorized purpose; the effect of the incident on the company’s operations; and whether the registrant has remediated or is currently remediating the incident. Interestingly, the new rules will also require corporations to describe, on Form 20-F, their board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. Perhaps the specter of a lackluster report will push board members and management to prioritize cybersecurity.

The SEC’s reporting requirements are a good step in the right direction, but they do not require corporations to disclose their data retention policies. The cyberattacks on T-Mobile, Marriott, Equifax and MGM Resorts revealed that these corporations keep customer data for years. Retaining sensitive data for so long may be viewed as a great marketing tool, but it substantially increases the risk that a consumer’s private data will be stolen and exploited, and it increases shareholders’ risk of financial losses from the lawsuits that inevitably follow.
