Cyber Disclosure Rules Yet to Cause Market Declines Once Feared

Despite long-simmering dread that the Securities and Exchange Commission’s cybersecurity disclosure rules would cause share prices to plunge, research indicates companies realized only minimal losses after reporting cyber-related incidents.

The SEC’s new rules, which went into effect in December 2023, require publicly traded companies to disclose “material” cybersecurity incidents to the agency on a Form 8-K within four business days. The disclosures should include a “description of the incident’s nature, scope and timing” and how the incident could affect the company’s “financial conditions and operations.”

Business and trade groups feared the rules would spark calamity and place companies at “heightened risk.” But recent findings from communications advisory firm FGS Global show that from December 2023 to September 2024, just 43 companies filed a Form 8-K disclosing a cyber incident. Not one of them disclosed a new cyber incident in the month of September, according to the firm.

FGS Global’s research also found the share prices of most of the companies that disclosed cyber-related incidents “remained virtually unchanged or posted only modest drops.” In the first trading day after disclosure, share prices fell 0.7% on average. After the first week of trading, share prices were down only 2.1% on average. Share prices at 16 of the companies rose more than 0.5%.

“Nine months after the rules took effect, the impact of these requirements has been far less significant than the business community feared,” FGS Global said. “The volume of these disclosures has amounted to a trickle, not the flood of 8-K filings many expected.”

The SEC first proposed the rules in March 2022 to address companies’ inconsistent disclosure practices as cybersecurity risks were increasing in number and severity.  The agency said at the time it was placing particular emphasis on the need for more “timely and reliable” cybersecurity information for several reasons. Chief among them was to help safeguard worldwide economic activity, which relies on electronic systems that, if disrupted, can cause cascading effects.

FGS Global’s new findings run counter to conventional wisdom that cyber disclosures could crater stock prices, which continued to prevail even after the rules went into effect. For example, VF Corp., parent company to big-name apparel brands such as The North Face and Vans, in December 2023 disclosed it was investigating unauthorized activity on its computer systems. The company said the cyberattack disrupted its ability to fulfill e-commerce orders, but it was too early to determine whether the company’s finances would be affected. The announcement coincided with the last shopping week before Christmas, and law firm Patterson Belknap recounted that investors “fled at the opening bell, pushing VF Corp.’s stock price lower by $1.55 per share, for a loss of more than 7.78 percent that day.”

Of course, cyber disclosures may not be affecting markets because they lack major details of the incidents. In some cases, it is possible companies are disclosing nonmaterial cybersecurity breaches out of an abundance of caution.

Whatever the case, bear in mind that we’re still in the early days of cybersecurity disclosure. Skepticism that the rules are producing the desired consistency in disclosures now seems fair, but they may still evolve into a more useful type of reporting in the future.