Are Cyber Incident Reporting Rules Working?

Interviews with over a dozen CISOs, lawyers, and government officials suggest that cyber incident reporting rules are leading to increased corporate cybersecurity governance. But there's no evidence, yet, that these rules are increasing corporate investment in cybersecurity or proactively warning organizations of vulnerabilities.
There are 52 cyber incident reporting requirements in effect or proposed across the U.S. federal government and 200 globally. In addition, all 50 states have some version of a data breach law that places certain obligations on companies after the improper exposure of data. That’s a lot of incident reporting rules. So, are they working?
To answer that question, I asked over a dozen cybersecurity professionals (CISOs, lawyers, academics, consultants, and government officials) three questions. First, have cyber incident reporting rules led to increased corporate investment in cybersecurity tools, governance, or compliance processes? Second, have the incident reports led a government agency to take action? Third, do the rules do what the government agencies say they will do?
This piece explores their answers to each of these questions and suggests a few tentative findings.
The Rules
The full list of 52 federal cyber incident reporting requirements can be found in the Department of Homeland Security’s September 2023 report, “Harmonization of Cyber Incident Reporting to the Federal Government,” and includes the Securities and Exchange Commission’s (SEC) 8-K disclosure requirements, the Federal Trade Commission’s (FTC) updated Safeguards Rule, and the DOD’s Safeguarding Covered Defense Information requirements. That list, however, does not contain broader compliance regimes with cyber incident reporting rules like the Federal Risk and Authorization Management Program (FedRAMP), and international laws like the EU’s GDPR and Digital Operational Resilience Act (DORA).
This article will focus on the SEC’s Cyber Disclosure Rule and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) because they apply to a broad swath of companies and have garnered significant attention recently.
In September 2023, the SEC’s Cyber Disclosure rule came into effect and requires public companies to disclose specific information about material cybersecurity incidents under a new Item 1.05 of Form 8-K within 4 business days, subject to a narrow exception for disclosures that would pose a substantial risk to national security or public safety. It is important to note the breadth of the SEC’s definition of a reportable cybersecurity incident:
“[A]n unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
The SEC’s rule thus applies beyond malicious intrusions and could apply to disruptions such as those that occurred with CrowdStrike’s faulty software update in July 2024. The rule also requires companies to annually disclose how the board of directors manages cyber risk, including a description of the internal processes established to provide oversight. The SEC’s justification for this rule is straightforward: it provides investors with timely information about an important set of risks that can cause significant losses to public companies and their investors.
CIRCIA required the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations addressing cyber incident reporting, and CISA published a notice of proposed rulemaking in March 2024. The proposed rule would apply to an extensive group of “covered entities” that must operate within one of the 16 critical infrastructure sectors. While the final regulations are not expected until 2025, the proposal is notable because it provides clarity around the new reporting thresholds for “substantial cyber incidents” and ransomware payments, describes the liability for noncompliance, and attempts to harmonize the federal government’s cyber reporting.
CISA Director Jen Easterly said, “CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”
#1: Have cyber incident reporting rules led to increased corporate investment in cybersecurity tools, governance, or compliance processes?
Every expert I talked to agreed that if the goal of cyber incident reporting rules like the SEC’s Cyber Disclosure Rule is to enhance corporate compliance processes and to emphasize cybersecurity to company boards, then the rules are working. At the very least, public companies that do not normally focus on cybersecurity are engaging outside counsel to specifically discuss these issues. However, there is no evidence, yet, that these rules are directly leading to corporate investment in security; an investment in compliance is not an investment in new tools or resources for cybersecurity. Although these trends are clearly not transformative for global cybersecurity, the experts I spoke with said that the SEC rule in particular has garnered significant corporate attention, which may alone be a net benefit.
Beyond assisting boards with the Form 10-K cybersecurity oversight disclosures required by the SEC, three of the lawyers I spoke with said more companies are hiring incident response experts to conduct hours-long tabletops at their annual board meetings. Before the SEC’s rule, these tabletops, if any, were usually short or held virtually.
Law firms are also distributing training materials to security teams on how to communicate about vulnerabilities in order to limit liability. That is because in the SEC’s lawsuit against the SolarWinds CISO, one of the few claims that the U.S. District Court allowed to proceed relates to the company’s “Security Statement,” which was published on its website and is alleged to have materially misled investors about the company’s cybersecurity controls. While that case started before the official rollout of the SEC’s Cyber Disclosure rule, each expert I talked to said the industry was watching the results carefully as it will likely determine the SEC’s playbook for future reporting violations.
Similarly, because of the threat of CISO liability and the regulatory focus on cybersecurity, CISOs can potentially leverage cyber incident reporting rules to request a larger budget, higher compensation, and Directors and Officers (D&O) insurance. One CISO I talked to said that they were granted all of these requests and used the SEC’s rule to educate the board on the security posture of their organization. This CISO confirmed that they have had more frequent contact with the board since the SEC rule was enacted.
#2: Have the incident reports led a government agency to take action?
In response to an incident report, a government agency may take action by deploying resources to assist the victims of a cyber intrusion, proactively warning other organizations of a potential exploit, or initiating an enforcement action.
Because CIRCIA has not been implemented yet and the SEC rule is not even a year old, there is not much evidence to answer this question. However, it is likely that several breaches were disclosed and received public attention because of the SEC’s Rule. That transparency alone may be beneficial, but it doesn’t suggest that government agencies are acting on their reporting rules.
Further, it remains unclear what government agencies will or are doing with the reports they receive. In a June 2024 update, the SEC simply said it’s “tracking how companies are navigating the disclosure requirements resulting from newly adopted rules.”
CISA is active with its Cybersecurity Alerts & Advisories, but one of the CISOs I talked to said many of the larger companies are aware of those vulnerabilities before they’re posted. The government’s ability to provide timely and actionable cybersecurity alerts to the private sector is a broader dilemma illustrated by previous issues with the National Vulnerability Database (NVD), which provides crucial information to security teams patching their networks against the latest threats. In April 2024, a group of cybersecurity professionals led by Chainguard CEO Dan Lorenc published an open letter to Congress calling for more funding for the NVD because of a major slowdown at the National Institute of Standards and Technology (NIST) that led to a backlog of thousands of Common Vulnerabilities and Exposures (CVEs). NIST has since entered a contract for additional processing support, but the episode shows how resource constraints could affect the usefulness of cyber incident reporting rules because a government agency is unable to act on the information it receives.
All of the experts I talked to were optimistic about CISA’s ability to weave public comments into an effective CIRCIA rule, but they agreed it will likely require substantial funding to analyze the incident reports it receives, deploy resources to help victims, and to share information on a timeline that benefits industry.
In addition, the proposed rule has the potential to attach significant liability for violations, which will require even more resources to enforce. CISA’s director may “refer information concerning a covered entity’s noncompliance with the reporting requirements” to the DOJ for “civil and criminal enforcement.” CISA can also issue administrative subpoenas for the production of information necessary to identify and notify an entity at risk. For CIRCIA to have its intended effect, CISA will need to act quickly and aggressively on its threat of liability and to develop the infrastructure to absorb and analyze all of this data. It can likely accomplish these goals due to its broad Congressional support, but it may take years to institutionalize.
#3: Does the rule do what the SEC says it will do?
For the SEC, that means the rule is providing investors the information they need to evaluate cyber and financial risk. This section focuses on the SEC rule because CIRCIA has not yet been implemented. The assumption here is that the SEC’s objective, beyond informing investors about cyber risk, is to enhance cybersecurity in some manner. That assumption is informed by the SEC’s willingness to aggressively pursue cyber-related enforcement actions, which often mention an organization’s inability to protect its critical assets from cyber intrusions.
Yet, the SEC rule may undermine security because resource-strapped security teams are forced to spend time on regulatory inquiries instead of network defense. One CISO I talked to said they have been inundated by questions from auditors, lawyers, the C-Suite, and the board since the SEC rule was implemented. This CISO said their company had fortunately not been impacted by a significant incident this year but that their security teams spent significant time responding to data requests from auditors, who delved deep into the smallest of security notices.
Similarly, some scholars argue that the rise of incident reporting regulations, and thus the demand for lawyers, further undermines cybersecurity. Even if attorney-client privilege and work product immunity arguments fail to protect their clients, lawyers can limit the availability of damaging information to plaintiffs’ attorneys by shaping breach disclosure and any subsequent reporting. There is, of course, also a substantial financial cost to the role of attorneys in incident reporting, which may divert resources that would otherwise be spent on actual security measures. This focus on confidentiality, some contend, undermines the long-term cybersecurity of both their clients and society more broadly. These arguments are certainly another reason why cyber incident reporting requirements are not working.
However, the lawyers I talked to said the rise of cyber incident reporting rules actually reverses the perceived negative impact of confidentiality by mandating transparency. During an incident, lawyers can focus on mitigating liability while security teams remediate the breach. In addition, one CISO I interviewed said the introduction of cyber incident reporting rules has strengthened their relationship with outside counsel due to more frequent communication, which frees their time to focus on their security environment instead of on regulatory requests.
Additionally, while the SEC has emphasized that the new Item 1.05 reporting requirement is rooted in traditional securities law concepts of materiality (i.e., is there a substantial likelihood that a reasonable investor would consider the information important in making an investment decision), applying those concepts in the context of a cybersecurity incident is not straightforward. The SEC rule cites the relevance of both quantitative and qualitative factors to cybersecurity materiality, including reputational and relationship harm, litigation, investigation or regulatory action risk, and the need to analyze “immediate fallout and any longer-term effects on … operations, finances, brand perception, [and] customer relationships.”
The CISOs I interviewed said the mandate on “real-time” materiality designations creates a fundamental issue: no one is comfortable providing a concrete definition, which has led to companies overreporting incidents and thus potentially confusing investors. CISOs do not want the SEC telling them what materiality means in their environment, nor do CISOs want to share their views with the SEC. Any concrete definition could create a situation in which a CISO could be held liable. Additionally, each CISO’s definition of materiality will be different depending on their environment and industry. Consequently, when one company reports on materiality, the SEC may investigate and find another company did not consider similar circumstances to be material enough to report. This trend would clearly demonstrate that the SEC rule is not achieving its intended objective and is thus not working.
The obvious public policy benefit of incident reporting rules is transparency. We have no idea how much public companies spend on cybersecurity, but regulating for transparency is easier, lower cost, and more informative than regulating for security. Regulating for security is difficult because each company’s risk profile, IT environment, and security budget is different. Mandating minimum cybersecurity standards, for example, can create both a floor and ceiling for security, which may run counter to the government’s objectives; such requirements can also unduly burden small and medium-sized businesses with tighter budgets. When the focus is on transparency, agencies such as CISA can ideally assist organizations responding to a breach with existing and forthcoming funding, including $1.3 billion to support hospitals’ cybersecurity efforts.
There are certainly other factors that lead to transparency for cybersecurity: ransomware, a software update disrupting your network, internal company emails published on the Internet, or simply increased media attention. Incident reporting rules are thus just one facet of the broader pressures that lead to security investments or illuminate the existence of a breach. However, these rules may be more effective at driving transparency because they threaten liability.
Cyber incident reporting rules are also not solely responsible for any perceived benefit to cybersecurity, including investment in governance. The SEC’s lawsuit against SolarWinds, the increasing amount of ransomware, the fear of extortion, and downed networks, all increase transparency and potential investment in cybersecurity. But these rules have forced companies to evaluate their cybersecurity postures, work their incident response muscles, and provided CISOs with some leverage. That alone may be a benefit to cybersecurity and prove that these rules are working.
Nate Low is a J.D. candidate at Stanford Law School. He wrote this article during a summer internship with Chainguard and Chainguard Labs. Nate previously worked as Cyber Policy Advisor in the U.S. federal government. He holds a B.A. from Bowdoin College and M.P.A. from Columbia University’s School of International and Public Affairs (SIPA).