You're listening to the Cyberwire Network, powered by N2K.

In July 2023, the Securities and Exchange Commission imposed new cybersecurity reporting requirements

on publicly traded companies in the United States.

Concern that companies might be under-emphasizing the impact of cyber incidents,

to the potential detriment of investors, the SEC required companies to report material security incidents

within four business days of determining materiality.

Materiality was defined as, quote, a substantial likelihood that a reasonable investor would

consider the information important for investor decisions. Close quote.

Sounds reasonable at first blush, doesn't it?

Contextually, though, this change set a ripple of fear through companies.

The SEC was in the midst of investigating the Solar Woods breach, and for the first time in history,

had announced its intention to pursue charges directly against a CISO, Tim Brown.

This, combined with the vague phrase, reasonable investor,

pushed many companies into a better safe than sorry approach to incident reporting to the SEC.

If a company felt that an incident might even potentially be material, they sent notifications to

the regulatory body.

I heard better to create processes and generate paperwork than become the next solar winds

time and time again from leadership from various companies.

The end result?

As of February 2025, only 14% of all 8K filings for security incidents actually had declared

a material impact.

Laws and regulations are often kept specifically vague in order to account for both innovation within the tech stack and the evolution of public policy.

...