Cyber Breach Rule Confusing Firms: Feds Clarify
Companies are now complying with the Securities & Exchange Commission’s (SEC) cybersecurity breach rule. Or maybe over-complying would be the more apt term for it!
Microsoft (MS) is just one of a handful of companies that recently filed a Form 8-K after threat actors accessed its systems. The SEC now requires publicly traded companies to report “material” cyber breaches within four days of an attack.
The software giant noted that the breach could cause material risks or losses for customers and clients at some point down the line, but could not say whether it would. So technically, the breach qualified as “immaterial,” but MS thought it was better to err on the side of caution and let the SEC know about it anyway.
MS and other companies have reported as-of-now-immaterial breaches under Item 1.05 of Form 8-K. The SEC wants companies to know this isn’t the way to do it. “If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or [a breach that wasn’t] material, the [SEC] encourages the company to disclose that cybersecurity incident under a different item of Form 8-K — for example, Item 8.01,” the SEC advises.
Bottom line: Item 1.05 is for known, material breaches only.
Is Cyber Breach Rule Regulatory Overreach?
The SEC promulgated the cyber breach reporting rule after multiple companies hid or sugar-coated significant cyber attacks from the public, customers and shareholders. A handful of breached companies waited years to disclose the incidents.
The cyber breach rule could end up being amended by Congress at the urging of companies and investors who argue the SEC overreached. Businesses that are happy to comply say there’s a fine line between material and immaterial, depending on how regulators view the damage.
For example, do compromised Social Security numbers qualify as a material breach? Many cybersecurity experts say nearly everyone’s SS number or credit card information is available in some corner of the Dark Web. Under the current final rule, the SEC has significant leeway to pursue an enforcement action if a company doesn’t file a Form 8-K following what regulators consider to be a material breach.