SEC's New Cybersecurity Rule Triggered on First Day
This week marked the enforcement of new SEC rules on cyber incident disclosure by companies listed on U.S. stock exchanges (the so-called "cyber materiality" rule, see here).
The first day (Dec 18th) immediately saw a first disclosure from VF Corp., the company behind brands such as Vans and North Face.
The 8-K filing might not contain much detail on the attack, but it seems this was a standard double extortion ransomware breach, where the attacker both encrypts and exfiltrates data, threatening to publish it online.
The company says the attack has impacted its ability to fulfill customer orders, less than one week from Christmas Day. Share prices duly reacted to the news (see screenshot above).
In the future, such cybersecurity filings will certainly be scrutinized regularly by investors and cybersecurity experts, but also by threat actors hoping to extract some useful intelligence from the reports.
An unintended consequence of the new transparency rule might in fact be another revenue stream for ransomware operators: profiting from short selling a company's stock (anticipating a price drop, as occurred in this case).