Companies Grapple with Appropriate Disclosures for Cybersecurity

You could make a strong case for the SolarWinds hack of 2020 as the most significant cybersecurity event in history to date. Hackers attributed by the U.S. government to Russia's foreign intelligence service planted a backdoor in a software update for the company's Orion IT monitoring platform, then used that foothold to infiltrate the networks of multiple federal agencies and roughly 100 companies. Executives' responsibilities in responding to the breach included determining the proper disclosures to make to the public regarding the incident.

The result was an 8-K filing with the Securities and Exchange Commission in December 2020 that offered only a high-level account of the hack: a 10,000-foot view of the incident, with little detail about the software involved or the mechanics of the attack.

“At this time, SolarWinds is unable to predict any potential financial, legal or reputational consequences to the Company resulting from this incident, including costs related thereto. So as not to compromise the integrity of any investigations, SolarWinds is unable to share additional information at this time,” the filing concluded.

To be fair, companies like SolarWinds have reasons to be cagey about the details of an attack that go beyond damage control and reputation management. For example, describing the intrusion too precisely before the affected systems are remediated could hand other would-be attackers a map of the same weaknesses, and could tip off the original intruders about how much investigators have learned.

So, did SolarWinds' disclosure about the hack satisfy its burden of responsibility? Nearly three years later, we still can't say for certain. In a quarterly report filed this year, the company laid out the ongoing legal battles and government investigations it continues to face, and noted that it still lacks clarity about its financial exposure from the event: "While we believe it is reasonably possible that we could incur losses associated with these proceedings and investigations, other than with respect to the securities class action settlement, it is not possible to estimate the amount of any loss or range of possible loss that might result from adverse judgments, settlements, penalties or other resolutions of such proceedings and investigations based on the fact that alleged damages have not been specified and the lack of resolution on significant factual and legal issues."

Recent actions by the SEC might offer more clarity regarding post-cyberattack disclosures. The agency appears to be nearing the end of an effort to modernize its cybersecurity rules. The proposed rules emphasize timeliness in disclosing incidents deemed material, with an 8-K filing due within four business days of the company's determination that an incident is material, along with guidelines for how companies should update the public on previously disclosed cyberattacks. The commission is also asking publicly traded companies to provide more information in their annual reports about factors such as risk management and mitigation strategies, and board and management governance related to cybersecurity.

It would seem wise for companies to look beyond the most immediate concerns that arise in the event of a hack. Clearly, triaging the damage is a must, but companies should also make public communications, including the materiality determination and the disclosure that follows, an integral part of their incident response planning.
