How federal rules on cybersecurity breach transparency for businesses were challenged in court in 2024
Drata examined the SEC disclosure rules for public companies and what recent court cases have meant for businesses and investors.

In October, four companies collectively paid nearly $7 million as part of a settlement with the Securities and Exchange Commission for allegedly failing to properly inform investors of a cyberbreach affecting their companies, a liability American businesses have not previously faced.

The companies were compromised in a cyberattack targeting their IT software provider in 2019. The attackers could insert a backdoor into a software update, circumventing existing security measures like encryption and authentication. The update was pushed out to potentially tens of thousands of customers, giving the attackers access to information held by those customers, which included government agencies.

That hack will stand apart from the last decade of data breach incidents in more than just its scale: its aftermath created a sandbox of sorts for testing new rules aimed at companies and intended to protect investors. It was how the four companies acted in the aftermath of the attack that drew the attention of regulators keen to exercise new rules intended to force transparency from companies affected by breaches.

Drata examined the SEC's cybersecurity disclosure rules and the court cases that have tested the agency's authority over corporate cyber practices this year to compile the latest legal commentary and expectations for businesses going into 2025. Overall, the SEC's new cybersecurity rules are meant to increase transparency about these incidents from publicly traded companies and expedite its communication more broadly to the public. Though the onus of work is on companies, consumers stand to benefit. Information that is more transparent and readily available can help inform their investment decisions.

Cybersecurity breaches can affect businesses, their investors, and, of course, the privacy and security of consumers, who are often embroiled in cybercrimes whether they know it or not. A 2022 survey of 1,000 American adults by cybersecurity company Varonis found that over 3 in 5 Americans (64%) had never checked to see whether they'd been affected by a data breach.

One University of Maryland study found that cyberbreaches occur nearly constantly, every 39 seconds on average. They're expensive to deal with, too.

The average data breach costs a company $4.9 million in either lost business, ransom payment, or cleanup and mitigation, according to IBM's Cost of a Data Breach report for 2024. Too often, they aren't disclosed to the public despite their potential for harm. Security software provider Arctic Wolf's 2023 annual report found that 7 in 10 companies (72%) that experienced a data breach did not disclose it.

The complexity of the 2019 breach, the time it took to identify, and the vulnerability it created for federal government agencies, including the Department of Homeland Security, only increased the pressure on officials to enforce existing regulations in court.

The SEC filed charges against SolarWinds and its chief information security officer, Timothy G. Brown, and several of the companies involved in its 2019 cyberbreach, applying those new rules to American companies for the first time. The case against SolarWinds alleged it misled investors about its cybersecurity practices in the years leading up to the attack.

In a statement accompanying the announcement of the new rules in early 2023, SEC chair Gary Gensler likened data breaches at publicly traded companies to a fire at a company-owned facility, arguing that these occurrences are consequential to investors and other stakeholders and thus deserve to be shared transparently through SEC filings.

"Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them," Gensler said.

Partners working in international law firm Holland & Knight's cybersecurity practice dubbed the charges against SolarWinds a landmark case that would test the SEC's power to impose rules that would likely create significant compliance challenges as well as litigation and enforcement risks for public companies.

Although four of the charged companies settled with the agency, most of the charges filed by the SEC against SolarWinds and its executive under its new rules were dismissed in July, dealing a blow to the agency's ability to regulate corporate cybersecurity transparency, according to legal experts. It's just one of several instances in the Biden administration where federal regulators have been stymied by courts in their attempts to expand their authority over major corporations.

The federal rules require companies to file several new disclosures in their reports to the SEC. One includes publicly sharing material cybersecurity incidents affecting the company. It requires the company to disclose when the incident happened and whether it is ongoing, a description of it, whether data was accessed or used for any unauthorized purpose, the effect on operations, and the actions being taken to mitigate the breach.

Once a year, it also requires publicly traded companies to file their 10-K statement with the SEC, including an outline of their processes for assessing and managing any risk that might arise from a cybersecurity threat. The company must also disclose its board of directors' oversight of cybersecurity risks and management's role in assessing and managing them.

In pursuing charges against the four companies that settled, the SEC described those companies' disclosures as generic and not tailored to specific risks facing the company. Legal firm Davis Polk described the enforcement as aggressive and wrote in October that companies should review their risk factors in light of recent experiences and consider whether updates are warranted. It also noted that media statements made by a company could lead to regulatory repercussions if incomplete or misleading.

In the aftermath of the dismissed charges against SolarWinds, Holland & Knight advised companies should avoid warning about risks where the warned risk has already occurred and not include so much specificity that it risks providing a roadmap for would-be attackers.

This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.