National Cyber Warfare Foundation (NCWF)

8-K cybersecurity-incident disclosures to the SEC: A 2024 timeline


2025-01-03 01:10:07
milo
Blue Team (CND)


It’s been more than a year since the U.S. Securities and Exchange Commission adopted new rules to enhance the annual reporting of cybersecurity measures practiced by SEC registrants. These requirements are in addition to those about the timely disclosure of material cybersecurity incidents that these companies experience. This tougher stance from the SEC has prompted executives and boards of directors to look at cybersecurity, not as an afterthought, but as a business-critical priority. The SEC’s new rules also hold these leaders and their companies legally accountable should they not follow the agency's cybersecurity rules — putting chief information security officers in the hot seat. 


In the first year of the program, more than 20 cybersecurity incidents were disclosed to the commission via corporations' filings of Form 8-K. Listed below in chronological order are those 22 filings, including details such as the filing date, the target of the incident, and the impact that the incident had on the business.


While the SEC’s cybersecurity-incident disclosure rules are generally positive for the betterment of cybersecurity, readers who follow the links for each filing will see that the vast majority of these disclosures don’t yield much information beyond what we describe below. Details missing from the forms include the type of attack, the identity of the attack’s perpetrators, and how the perpetrators were able to breach the company’s systems in the first place. This is because the SEC’s rules for Form 8-K only ask registrants to disclose “The material aspects of the nature, scope, and timing of the incident; and the material impact or reasonably likely material impact on the registrant, including on the registrant’s financial condition and results of operations.” 


The commission also clearly stated in its announcement of the new rules last year that it doesn’t require registrants “to disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail that would impede its response or remediation of the incident.”


What this means is that these 8-K disclosure rules do not provide the attack transparency that the cybersecurity community could use to bolster critical systems against similar incidents. Instead, they bestow only higher-level benefits: on key market players, who will become more aware of registrants’ cybersecurity practices, and on registrants, who hopefully will take their cybersecurity efforts more seriously.


Of course, some of the 8-K filings concern attacks previously reported in the media, and so we know something about the type of attack in those cases. Here are some of the trends that can be gleaned from that information.


The post 8-K cybersecurity-incident disclosures to the SEC: A 2024 timeline appeared first on Security Boulevard.



ReversingLabs

Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/01/8-k-cybersecurity-incident-disclosures-to-the-sec-a-2024-timeline/

