The SEC announced on July 26, 2023, that all public companies reporting under its regulations must now report any cyber incidents they consider material within four business days of making that determination by issuing an 8K.

Cyber risks are unlike other risks. Most other risks – such as financial or physical may well be highly catastrophic but their cause, source, and damage are usually clearly identifiable in a short time frame. Consider this example: The CEO is in her office and thinks she may be able to get home a little earlier as it is a quiet afternoon. Then the CFO comes in and reports that the Federal Reserve has increased its rate by 100 basis points. No problem, although it is a big number, the Fed’s intentions have been signaled for weeks and the company has hedged and done interest rate swaps. Next, the Head of Property Management comes in, the roof of the company’s property on Fifth Street has just collapsed. However, after three hours of investigation, the CEO knows no one has been hurt, she knows the cause was a badly installed air conditioning unit, she knows the installer’s liability, how long the repair will take, loss of rent, insurance proceeds, and many other issues. The property is secured and closed for repairs. Although the event itself was quite catastrophic the damage has been identified and confined. Then as she is about to leave the office, the Head of Technology comes in and says “We have been hacked!” She asks By who? He answers I don’t know. What is the damage? I don’t know. How long has it been on our system? I don’t know. Who did it? I don’t know. Has it spread? I don’t know. Can we contain it? I don’t know. This example demonstrates how cyber incident risk is different, a company can experience a cyber incident but may not know who caused it, why, the full damage, and how long it has been active. In view of this, the new SEC regulations may cause some difficulties for companies to report.

The average time it took to identify a cyber incident according to IBM’s 2022 data was 280 days or nearly 9 months. Some incidents, such as ransom wear demands, are obviously identifiable more quickly, although even with ransom demands, the exact information taken may not be known or whether any other exploit was inserted into the company’s systems. However, more sophisticated and insidious malware, known as an Advanced Persistent Threat, copies or corrupts data and systems and adapts to the defenders’ attempts to resist it. The NIST definition describes how sophisticated these adversaries are. They can use physical and deception vectors as well. Their objective is to infiltrate the company’s technology infrastructure to exfiltrate information or corrupt data and operations, now or at a given time in the future. These adversaries will adapt to the company’s efforts to resist and can subvert warning systems and data. Given the sophistication of some of these adversaries, it can be very difficult to identify the threat and decide how material an incident is.

Also, what is meant by “identification” of an incident? The more advanced cyber intrusions can come in three stages, like physical missiles, they have a delivery mechanism, a payload, and an execution. Expert decoders may be able to identify an intrusion, even a highly sophisticated one that plants a rootkit deep in the system but may not immediately, or for a considerable time, be able to understand what the payload is. What was the virus or worm supposed to do once it found its way into the system and how does it release its payload? Zero Day exploits, which are malicious code programmed to take place at a future date or a future event, make it even more difficult to decipher what the payload is or what damage it has been designed to cause. Some viruses are very sophisticated and send out a decoy for the decoders to “find” and stop looking for the real payload that has yet to activate. Again, how would a reporting company comply with the SEC’s requirements if all it could report was an incident without knowing what damage it was supposed to do, when, to whom and how much, and for how long? The SEC is also aggregating “ a series of unauthorized occurrences” that may be material when aggregated.

How would a reporting company comply?

If a reporting company finds out it has an intrusion that has been on its systems and networks, it has to determine how material it is and then, if it considers it material, it has four business days to file its 8K explaining what it knows and just as importantly what it might not know and how the intrusion was eventually found. Given the nature of Advanced Persistent Threats, it might be wise to consider most incidents as material, even if the initial 8K filing is not very detailed, detail, as it is known, can be reported.

The SEC will permit a delay in the 8K filing if the U.S. Attorney General determines that releasing the information could endanger national security or public safety, also companies subject to the FCC’s rule for notification can also delay their filing. There are sure to be some gray areas here in assessing what is material and how business damage could be assessed especially if the company has learned very little about it. The SEC has reiterated that it expects companies to apply the “reasonable investor” standard when determining materiality but again it would be difficult to apply if not much information is available on the incident. The lack of knowledge and implications of the incident could affect market pricing as investors speculate.

What may have not been considered immaterial when the incident was first discovered may subsequently become material as more is learned about it. The SEC is also not limiting itself to the company’s systems but is including those of third-party providers. Although the SEC recognizes a company may know even less about the third-party provider’s systems than its own, but it must still file an 8K if decides the event is material. Imagine if a provider like Amazon Cloud Services had to report an incident, then under the Regulations, every public US company that used ACS would have to file an 8K, which would likely be many, many thousands of 8Ks.

Hopefully, the SEC will understand these situations and distinguish between a fairly straightforward ransom demand and an Advanced Persistent Threat. Not penalizing a company that is working in good faith to comply but has not been able to provide details in those four days of the incident, how far it has spread, and whether it can be eradicated or at least contained. No doubt, now the Regulations have been finally adopted, there will be a significant number of 8Ks reported and the SEC may be able to offer further guidance on the reporting issues, especially those relating to Advanced Persistent Threats, timing, and materiality. 

In situations where the knowledge of the intrusion takes time to discover, the company should update its 8K filings with material information as it is discovered. Some viruses can self-replicate themselves and re-infect even after they have apparently been eliminated. Others can lie dormant waiting for an event or trigger. One of the golden rules of crisis management is not to overpromise or state something that has not yet been determined. Once a virus has been identified it is difficult to prove that it has been totally eliminated. The suggestion with cyber incidents is to update frequently but be careful about stating the problem as solved, concluded, or even contained.