
How Federal Rules on Cybersecurity Breach Transparency for Businesses were Challenged in Court in 2024

We examined the SEC disclosure rules for public companies and what recent court cases have meant for businesses and investors.

by Dom DiFurio

December 30, 2024
Contents

The Wide-Ranging Impact of a Breach
Public Disclosure Requirements

In October 2024, four companies (Unisys, Avaya, Check Point, and Mimecast) collectively paid nearly $7 million to settle Securities and Exchange Commission charges that they had failed to properly inform investors about a cyberbreach affecting their companies, a liability American businesses had not previously faced.

The companies were compromised in a cyberattack that targeted their IT software provider, SolarWinds, beginning in 2019. The attackers inserted a backdoor into a software update. Because the trojanized update was built and signed by the vendor and delivered through its normal update channel, it passed the checks, such as code-signature verification, that customers rely on to trust vendor updates. The update was pushed out to potentially tens of thousands of customers, giving the attackers access to information held by those customers, which included government agencies.

That hack stands apart from the last decade of data breach incidents in more than just its scale: its aftermath created a sandbox of sorts for testing new rules aimed at companies and intended to protect investors. It was how the four companies acted after the attack that drew the attention of regulators keen to exercise new rules intended to force transparency from companies affected by breaches.

We examined the SEC's cybersecurity disclosure rules and the court cases that tested the agency's authority over corporate cyber practices this year to compile the latest legal commentary and expectations for businesses going into 2025. Overall, the SEC's new cybersecurity rules are meant to increase transparency about these incidents from publicly traded companies and to speed up communication of them to the public. Though the onus of work is on companies, investors and consumers stand to benefit: information that is more transparent and readily available can help inform their investment decisions.

The Wide-Ranging Impact of a Breach

Cybersecurity breaches can affect businesses, their investors, and, of course, the privacy and security of consumers, who are often embroiled in cybercrimes whether they know it or not. A 2022 survey of 1,000 American adults by cybersecurity company Varonis found that over 3 in 5 Americans (64%) had never checked to see whether they'd been affected by a data breach.

One University of Maryland study found that attacks on internet-connected computers occur nearly constantly, every 39 seconds on average. Breaches are expensive to deal with, too.

The average data breach costs a company $4.9 million in either lost business, ransom payment, or cleanup and mitigation, according to IBM's Cost of a Data Breach report for 2024. Too often, they aren't disclosed to the public, despite their potential for harm. Security software provider Arctic Wolf's 2023 annual report found that 7 in 10 companies (72%) that experienced a data breach did not disclose it.

The complexity of the breach that began in 2019, the time it took to identify, and the exposure it created for federal government agencies, including the Department of Homeland Security, only increased the pressure on officials to pursue enforcement in court.

The SEC filed charges against SolarWinds and its chief information security officer, Timothy G. Brown, in October 2023, the first time the agency had individually charged a CISO over a company's cybersecurity statements, and a year later charged four of the companies affected by the breach. The case against SolarWinds alleged it misled investors about its cybersecurity practices in the years leading up to the attack.

In a statement accompanying the adoption of the new rules in July 2023, SEC chair Gary Gensler likened data breaches at publicly traded companies to a fire at a company-owned facility, arguing that these occurrences are consequential to investors and other stakeholders and thus deserve to be shared transparently through SEC filings.

"Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them," Gensler said.

Partners working in international law firm Holland & Knight's cybersecurity practice dubbed the charges against SolarWinds a "landmark" case that would test the SEC's power to impose rules that would "likely create significant compliance challenges as well as litigation and enforcement risks for public companies."

Although the four customer companies settled with the agency, most of the charges the SEC filed against SolarWinds and its executive were dismissed by a federal court in July 2024, dealing a blow to the agency's ability to regulate corporate cybersecurity transparency, according to legal experts. It is just one of several instances where federal regulators have been stymied by courts in their attempts to expand their authority over major corporations.

Public Disclosure Requirements

The federal rules require companies to file several new disclosures with the SEC. One is a Form 8-K filing for any cybersecurity incident the company determines to be "material," due within four business days of that determination. It requires the company to describe the material aspects of the incident's nature, scope, and timing, including when it happened and whether it is ongoing, and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. The rule does not require technical detail about the company's response or its security systems that could aid attackers or hinder remediation.

In their annual 10-K filings, the rules also require publicly traded companies to outline their processes for assessing, identifying, and managing material risks from cybersecurity threats. The company must also disclose its board of directors' oversight of cybersecurity risks and management's role and expertise in assessing and managing them.

In pursuing charges against the four companies that settled, the SEC described those companies' disclosures as "generic" and "not tailored" to the specific risks facing each company. Law firm Davis Polk described the enforcement as "aggressive" and wrote in October that companies "should review their risk factors in light of recent experiences and consider whether updates are warranted." It also noted that media statements made by a company could lead to regulatory repercussions if incomplete or misleading.

In the aftermath of the dismissed charges against SolarWinds, Holland & Knight advised that "companies should avoid warning about risks where the warned risk has already occurred," while also cautioning against so much specificity that a disclosure risks providing a roadmap for would-be attackers.

Dom DiFurio, Data Journalist