Companies Grapple with Appropriate Disclosures for Cybersecurity

You could make a strong case for the SolarWinds hack of 2020 as the most significant cybersecurity event in history to date. Russian hackers launched a massive online attack through the software company’s information technology platform to infiltrate the networks of government agencies and roughly 100 companies. Executives’ responsibilities in responding to the breach included determining the proper disclosures to make to the public regarding the incident.

The result was an 8-K filing with the Securities and Exchange Commission in December 2020 offering vague details regarding the hack. The document included a 10,000-foot view of the incident, including light information about the software involved and the mechanics of the attack.

“At this time, SolarWinds is unable to predict any potential financial, legal or reputational consequences to the Company resulting from this incident, including costs related thereto. So as not to compromise the integrity of any investigations, SolarWinds is unable to share additional information at this time,” the filing concluded.

To be fair, companies like SolarWinds have reasons to be cagey about the details of an attack that go beyond damage control and reputation management. For example, too much transparency could reveal vulnerabilities in their systems to other would-be hackers.

So, did SolarWinds’ disclosure about the hack satisfy its burden of responsibility? Nearly three years later, we can’t say for certain. In a quarterly report filed this year, the company laid out the ongoing legal battles and government investigations it continues to face. The company noted it still lacks clarity about its financial exposure from the event: “While we believe it is reasonably possible that we could incur losses associated with these proceedings and investigations, other than with respect to the securities class action settlement, it is not possible to estimate the amount of any loss or range of possible loss that might result from adverse judgments, settlements, penalties or other resolutions of such proceedings and investigations based on the fact that alleged damages have not been specified and the lack of resolution on significant factual and legal issues.”

Recent actions by the SEC might offer more clarity regarding post-cyberattack disclosures. The agency appears to be nearing the end of an effort to modernize its cybersecurity rules. The proposed rules emphasize the element of timeliness in disclosing what are deemed to be material events, along with guidelines for how companies should update the public on prior cyberattacks. The commission is also asking for publicly traded companies to provide more information about factors such as mitigation strategies and governance related to cybersecurity.

It would seem wise for companies to look beyond the most immediate concerns that arise in the event of a hack. Clearly, doing triage on the damage is a must, but they should also make communications an integral part of their crisis preparations.
