Cyber Rules & Regulations Research Report (CRRR)
2024: The Year of SEC Cyber Rules
See how businesses are tackling new cybersecurity mandates
One year ago, the Securities and Exchange Commission (SEC) adopted cyber incident reporting rules to enhance cybersecurity transparency and accountability for publicly traded companies.
These regulations require businesses to promptly report cybersecurity incidents with material impact and disclose their cybersecurity risk management practices.
As the anniversary of the rules nears, BreachRx set out to determine how much this intent has been realized.
Through an analysis of more than 70 8-K filings and 400 10-K filings, BreachRx found confusion and caution about whether and when to file, along with a general failure to provide enough information to effectively protect companies from future SEC enforcement actions.
Among the key findings:
- 17% of 8-K filings specified material impact
- 4% of 8-K filings disclosing a cyber incident for the first time specified material impact
- Fewer than half of filings provide specific insights into organizations’ incident response procedures
- Most 10-K filings describe companies’ cyber risks and incident response and disclosure procedures in nearly identical and generic terms
- 10% of companies specify CISOs as individuals responsible for cybersecurity, while 18% state VPs and below as leaders
Download the research to learn more about these findings and what they reveal about the new era of transparency.