You know, because you read it here in the IOS blog, that in the US data breach reporting is not nearly as strict and comprehensive as in the EU. At the federal level, we have tough rules for reporting incidents involving medical data (HIPAA) and less tough ones for financial data (GLBA). At the state level, there is a patchwork of notification laws for the exposure of a select set of identifiers. And that’s it!
Well not quite.
Realizing that cyber incidents can have an impact on the corporate bottom line, the SEC released official guidance a few years back on reporting cyber security events to investors. For all my financial accountant readers, this information can be found here.
Starting in 2012, publicly traded companies are supposed to acknowledge the consequences of cyber catastrophes in their SEC filings. In describing these incidents, they need to take into account both the direct and indirect costs: remediation, litigation, reputational damage, and lost revenue.
When, What, and Where to Report
In general, you’re supposed to report only incidents that will have a “material impact”. This is lawyer talk for eliminating simple hacks — a hacker got into a single email account — while covering news that a “reasonable” investor would want to know about: for example, 100 million social security numbers were taken by a stealthy APT group.
However, there are exceptions.
If a cyber incident was widely reported in the news, then the company needs to file with the SEC regardless of the seriousness of the incident. Also, any breach that involved notifying a state or federal (HIPAA, GLBA, COPPA) regulator would require an SEC filing.
What information do you need to disclose?
You have some wiggle room. The SEC recognizes that too much detail might compromise an ongoing investigation. You should describe the nature of the breach at a high level, along with an estimate of the number of people impacted, the categories of affected data, the remediation efforts that were taken, and the plans to prevent future incidents.
At a minimum, companies will need to report overall cyber risks they face in their annual 10-Ks. For a serious cyber incident, they should file it as an 8-K immediately — although there’s no specific time window — instead of waiting for the quarterly report.
Real-World 8-K Filing
Want to get inspired by an actual 8-K material filing for a cyber event?
Gaze on the screenshot below showing the beginning of a cyber incident description for a health company.
One last point about these filings. The SEC’s EDGAR system, where all this information is reported and kept, should in theory be a source of information on breach incidents at public companies.
Useful to know! At least for security bloggers and other compliance wonks.