
The latest SEC cybersecurity incident disclosures - what's the result so far?

What's the impact of cybersecurity incidents?

Mandating transparent disclosure of cyber incidents - how is it working?


Since late December 2023, the U.S. Securities and Exchange Commission (SEC) has been mandating that publicly traded companies disclose material cybersecurity risks and incidents to investors. The goal here is to better inform investors and ultimately make the market work better.


Security practitioners were also hoping the new rule would raise public awareness of the need to protect IT assets, once the costs and widespread impact of cyberattacks are laid open.


Recent SEC disclosures in so-called Form 8-K filings are disheartening: it appears companies are increasingly reporting no material impact, even in the wake of serious incidents.

Before the new rule took effect, we already had some indication of the effects of ransomware attacks on operations and the financial bottom line (see here): these reports were converging on costs shaving about 10-20% off yearly net profits.


However, the cybersecurity incident disclosures filed since the new rule took effect do not show much financial or operational impact: of about 10 disclosures, only one is deemed to be material.


That is the case for loanDepot Inc, a financial services company, which suffered a ransomware attack in January resulting in almost 17 million customer records being exfiltrated, including sensitive personal information. The company recognized about 12-17M USD of direct costs, with a material impact on the current quarter, but no overall impact on the entire 2024 fiscal year.


All the other disclosures we're seeing reported so far are routinely marked as "no material impact". For example:

  • In late February 2024 Microsoft updated its disclosure on the nation-state-sponsored attack which breached its systems in November 2023. Besides impacting employee emails, it is now clear the attackers had access to source code repositories, and the attack appears to be still ongoing. Nevertheless, the company is so far claiming no material impact.

  • The UnitedHealth Group ransomware attack paralyzed portions of the U.S. health system and is still ongoing (see here https://www.techinsights.pro/post/unitedhealth-ransomware-attack-what-s-behind-it). Strangely enough, the company "has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations". The share price is down around 10% though, signaling there is more to the attack than the filing suggests.

  • A ransomware attack against VF Corp (the company behind brands such as Vans and The North Face) disrupted its operations just before the Christmas holidays, including interrupted replenishment of retail store inventory and delayed order fulfillment. Additionally, the threat actor stole personal data of approximately 35.5 million individual consumers. Although no material impact was reported, the share price took a beating (see here https://www.techinsights.pro/post/sec-s-new-cybersecurity-rule-triggered-on-first-day).


As more details emerge throughout the year, comparing these preliminary materiality assessments with the true costs of the incidents will be an interesting exercise. The results will give stakeholders a clearer understanding of the true impact of cybersecurity incidents, and also better inform regulators on the effectiveness of transparent disclosure rules.


But for now, companies seem to be shy.
