Three Lessons from Early Disclosures of Cybersecurity Incidents

Many health care providers have gone through a rough stretch in recent weeks following a cyberattack on a unit of UnitedHealth Group. According to the New York Times, “hundreds, if not thousands,” of care providers couldn’t get insurance approval for run-of-the-mill medical services like drug prescriptions when hackers shut down parts of Change Healthcare’s electronic system. The gang believed to have orchestrated the attack, ALPHV, apparently scored a $22 million ransomware payment as a result.

This seems like a perfect test case for the Securities and Exchange Commission’s new cybersecurity disclosure rules. The new guidelines call for publicly traded companies to disclose material incidents within four days of their occurrence, and UnitedHealth Group filed a Form 8-K in the required window of time regarding “a suspected nation-state associated cybersecurity threat actor” infiltrating Change Healthcare’s information technology system. The filing doesn’t go into much detail about what happened, though.

Should end-users expect most cybersecurity disclosures to be similarly vague? It’s too early to say, but we can learn a few lessons from the first batch of reports that are popping up. Here are three observations that caught our attention.

Lesson 1: Don’t let a crisis go to waste.

So, hackers just breached your information network? Join the party. Cybercrimes and ransomware attacks are happening frequently enough in commercial and public spheres that companies are turning them into opportunities to tout their incident response readiness.

One analysis of 10-K filings from this year found some companies are using their cybersecurity programs as proof of sound risk management. Telling the world about the effective way you handled an online attack fits the same rationale. UnitedHealth Group, for example, said it “proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients” during its recent hack.

Lesson 2: “Materiality” remains a slippery construct.

The concept of material information for investors in financial reporting is one of the ultimate examples of “knowing it when you see it.” But when it comes to cybersecurity, issuers’ understandings of material incidents clearly come in a variety of shapes and sizes.

Take Hewlett Packard Enterprise Co., which had this to say in a filing on a breach of its cloud-based email platform: “As of the date of this filing, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” If it’s not material, why disclose it? Is it simply a matter of “better safe than sorry”?

In January, First American Financial Corp.’s IT systems were breached. In its filing, the company discussed why it believes the incident would have a material impact on its results from the final quarter of 2023, laying out how its operations were delayed. First American noted, however, that it does not expect the incident will have any long-term effects.

Lesson 3: Expect to hear from the SEC.

In December, Colorado-based V.F. Corporation garnered the distinction of being the first company to file an 8-K under the new cybersecurity disclosure rules, reporting that it had “detected unauthorized occurrences on a portion of its information technology systems” and that the perpetrator had stolen data from the company.

V.F. Corporation commented in its disclosure that “the full scope, nature and impact of the incident are not yet known.” Now, the SEC is making sure that V.F. Corporation follows up on that claim, in accordance with its duty to file an amended 8-K once that information is ascertained. V.F. Corporation acknowledged the reminder and said its amended 8-K would provide the necessary info.

If there is a common takeaway from these examples, perhaps it’s that the SEC’s disclosure guidelines are still new enough that we are witnessing a feeling-out period among companies unfortunate enough to be hit by a data breach. That goes for the SEC as well, which might eventually elect to clarify its guidance in response to the cyber-related 8-Ks that cross its desk.
