Whose data breach is it anyway?

Patrick Lucas Austin

Staff Writer

IBM Think


A company experiencing a data breach or a successful phishing attempt already has a lot on its hands. But when it comes to cybersecurity preparedness, there’s another piece of the process that cyber execs should consider: the SEC’s material incident reporting rules. And unfortunately, it seems some companies aren’t really getting around to reporting much of anything material.

The SEC’s new disclosure rules, which went into effect on December 18, 2023 and apply to all SEC registrants reporting under the Securities Exchange Act of 1934, require companies to disclose information about “material” cyber incidents. That requirement doesn’t seem to be encouraging a steady stream of filings, however.

In a recent VikingCloud study polling 200 cybersecurity experts, 48% of cybersecurity leaders said they chose not to report at least one material incident to their leadership team within the year, and 86% said they had avoided reporting more than one breach. Upsides to filing include avoiding the appearance of insider trading, dodging fines from regulators and protecting the company’s reputation.

How avoiding cybersecurity incident disclosure can hurt everyone

Why the hesitation to file a timely report? The general consensus among IBM experts seems to revolve around the feeling of uncertainty when it comes to investigating incidents in the compressed timespan allotted by the SEC, along with potential personal liability.

In 2004, the SEC shortened the original 15-day filing time to four, while increasing the number of incident types requiring disclosure. Since then, according to SEC filing records, the annual number of SEC 8-K forms filed has fallen by nearly half.

Additionally, incorrect, late or deceptive filing can leave execs personally liable for any damages. One notable instance involves the former Uber CISO Joe Sullivan, who allegedly attempted to conceal a 2016 data breach while under investigation for one that happened in 2014. In October 2022, a jury found Sullivan guilty of obstructing an FTC investigation of Uber and failing to report a felony and sentenced him to three years of probation.

“Personal liability can for sure affect the likelihood of breach reporting,” said Nick Bradley, a Security Consultant who leads IBM X-Force Incident Command, in an interview with IBM Think. “I think high-profile cases like the Uber CISO conviction set a precedent. I 100% believe in personal liability and responsibility, but I think we need to be careful that we don’t just turn CISOs into scapegoats.”

Larger organizations with global footprints, multiple divisions or international subsidiaries can also find it difficult to determine who is ultimately responsible for filing an 8-K form. “Let’s say the parent company is headquartered in the US, and this happened in Europe or in Asia; they’re going to have to wait quite a bit of time until the US gets into the office, finds out about it, starts reacting to it,” said Limor Kessem, Global Lead at IBM’s X-Force Cyber Crisis Management, in an interview with IBM Think. “And a lot of times, it creates problems and delays there.”

Filing an 8-K form, Bradley said, is useful for notifying affected individuals, companies and even law enforcement, depending on the nature and scale of the breach. “The disclosure should detail the incident’s nature, scope, potential impact, and steps taken for remediation and prevention of recurrence,” he said. The aim is to mitigate any legal, reputational and financial risks while being transparent with affected parties and regulators.


Breaches will happen, ready or not

Getting a company ready for quick incident reporting requires preparation, practice and transparency, IBM experts said. According to Dave Bales of X-Force Incident Command, it is a major challenge for a company to fully insulate itself from the effects of a data breach. “But they can prepare their post-breach action and make sure they have everything in place in case of a breach,” Bales told IBM Think. “It’s critical to recovering from the breach, and then that gives them the opportunity to do their filing in a timely manner.”

Experts like Bradley suggest companies consider using AI to assist in the incident reporting process, especially as more AI tools are integrated into cybersecurity systems and workflows, to make filing more efficient.

“Depending on the maturity of the AI tools available and the skill level of the people using [them], they can help identify patterns, prioritize responses, and provide insights for crafting detailed and accurate disclosures,” Bradley said. “I am, however, going to mention the human element again here. Human oversight and judgment remain crucial for accuracy and compliance with legal requirements.”

Despite the potential ramifications that can come with filing, experts like Bradley insist that the risk is worth the reward. “Insufficient reporting or lack of transparency poses significant risks,” said Bradley. “Organizations need to prioritize transparency over fear of regulatory scrutiny.”

Experts propose that a third-party company can assist by providing incident response services, but the onus is on the company itself to file the 8-K, as legal issues could arise if a third party files an erroneous 8-K form.

Kessem suggests integrating a company’s legal playbook into its cybersecurity crisis plan. In addition, templates and other premade tools can cut down on precious filing time.

As a breach is unpredictable by nature, being prepared for the aftermath should be considered a critical element of every company’s cybersecurity strategy, according to Kessem. “Everything has to be on hand so that everything is quick.”
