Among other things, the guidelines mandate that a "material" cybersecurity event be reported to the SEC within four days of its classification as such. The SEC states that they were meant to give investors timely and “decision-useful” cybersecurity information; nevertheless, experts point out that several of the early disclosures only included rudimentary breach details, raising significant concerns that remain unaddressed.

According to Scott Kimpel, a partner at Hunton Andrews Kurth, "Some of these disclosures, I think, are question-begging." "They just provide us with superficial, newsworthy details about the occurrence.

SEC disclosure for companies: What does it mean?

Companies must assess an incident's materiality "without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination," according to SEC regulations.

The incident's "material impact or reasonably likely material impact," as well as its material features of nature, scope, and chronology, must all be disclosed.

"Norms have not yet been established because we're early in the process," stated Richard Marcus, head of information security at cloud-based risk management startup AuditBoard. Therefore, Companies ask themselves, "How much can I get away with here? What exactly are my stockholders hoping to get? I believe that businesses are benchmarking against each other quite a bit."

Without mentioning any particular businesses, Kimpel claimed that some have submitted puzzling incident disclosures, in which they discuss a breach that hasn't yet had a major impact on their business operations and might or might not ultimately have a material impact on their financial situation. 

According to Kimpel, one argument is that these businesses might be disclosing a breach that they considered significant from a "qualitative" as opposed to a "quantitative" standpoint. Financial injury is one type of qualitative material impact, he said, while reputational harm and the possibility of future legal or regulatory problems are among the "almost endless list of possibilities" that make up quantitative material consequences.

Small companies exempted

Except for smaller reporting companies, all covered firms had to abide by the revised breach disclosure requirements as of December 18. As of June 5, smaller reporting organizations will have to comply with them.

Microsoft revealed in an Item 1.05 Form 8-K filing in January that a "nation-state associated threat actor" had obtained access to and exfiltrated data from a "very small percentage" of employee email accounts, comprising staff members in the company's legal, cybersecurity, and senior leadership teams, among other departments.

Among the businesses that have used similar language in breach disclosures submitted to the SEC following the new cybersecurity regulations are HP Enterprise and Prudential Financial.

What next?

As the Wall Street Journal reported in January, Microsoft notified the SEC of the breach even though, at the time of its regulatory filing, the company's investigation had not revealed any consequences that would have exceeded the agency's material damage criteria. The corporation stated, "But because the law is so new, we wanted to make sure we honor the spirit of the law," as stated in the Journal article.

According to Kimpel, SEC filings may create investor confusion when businesses disclose breaches that don't seem to be as serious as they claim, sometimes without explaining their actions.