Companies taking cautious approach to SEC’s cyber incident reporting rule

Reuters
06 Mar
By Mia MacGregor

March 4 - (The Insurer) - Only 46 registrants have made disclosures under the SEC's cybersecurity incident reporting rule, while just six reported a material impact, suggesting that companies are generally taking a cautious approach, according to Cooley LLP partner David Navetta.

Navetta was speaking at the 2025 PLUS D&O Symposium during a panel reviewing the first year of the SEC’s Item 1.05 of Form 8-K, which requires public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. Disclosures must include details about the nature, scope, timing and impact of the incident.

“From about mid-December 2023 to mid-December 2024, the first year of the rule, there have been 46 registrants that have filed a case around cybersecurity incidents, but there have actually been 63 cases filed by those 46 registrants, which indicates that some of the registrants are actually filing multiple,” Navetta explained.

Of those 46 registrants, only six reported a material impact. Thirty-three either stated that the breach was not material or they had yet to determine materiality, and seven registrants failed to address materiality in their filings altogether.

“When we talk about thousands of data breaches and security incidents happening every day, and then we look at 46 registrants filing over a year-long period, ultimately, only six of them specified some sort of material impact. That’s an even smaller slice of the data security breach world,” Navetta said.

Navetta noted that some companies may be disclosing incidents before materiality has been determined, seemingly as a precautionary measure or to get ahead of potential publicity.

“I think there’s often a pressure to get ahead of the news, right? If you want to be able to report something before, say, a threat actor releases the data on the internet or before customers recognise their services are unavailable,” he said.

Navetta explained that when a breach is detected, victims don’t know what is going to happen or how material or impactful it will be.

“So I think there’s a knee-jerk reaction to put out these early reports – to at least get on the record, get ahead of bad publicity. And almost as a fallback, in case it does become a material incident, you can point to an early report. Many companies are taking that position.”

Navetta also noted that the depth of reporting can vary significantly, with some companies providing extensive details about the nature of attacks and their containment strategies, while others offer high-level, formulaic responses.

Another key trend Navetta highlighted was the growing involvement of directors and officers in cybersecurity matters.

“Directors and officers are much more cognisant and concerned about security because of these reporting requirements. I’ve seen much more board involvement – top-down questions being asked around security,” he said.

“And because CISOs are sometimes being personally brought into this, they’re much more engaged, wanting more resources, or making more noise about security than they had before. Perhaps it’s because of this new rule – and also their potential liability.”

REGULATORY OUTLOOK UNDER TRUMP

Cassandra Shivers, Arthur J Gallagher’s national leader for executive risk and cyber claims, discussed the potential regulatory shifts under the Trump administration.

“Historically, Republican-led SECs have emphasised reducing compliance costs for public companies and adopting a more streamlined enforcement approach. The new Trump administration seems to be shifting towards a more business-friendly regulatory environment,” she said.

Notably, the Trump administration has not yet publicly addressed the cybersecurity reporting requirement, according to Shivers.

Shivers also highlighted the administration’s creation of the Cyber and Emerging Technologies Unit, which aims to combat cyber-related misconduct and protect retail investors from bad actors in the emerging technologies space.

“The comments on the new unit suggest it will focus on fraudulent disclosures related to cybersecurity,” she explained.

Observers have noted that this emphasis on fraudulent disclosures marks a shift from the Biden administration’s more aggressive enforcement approach, which actively pursued companies for negligence, according to Shivers.

Additionally, Shivers pointed out that the new administration has reportedly dismissed members of the Cyber Safety Review Board, which was tasked with investigating significant cybersecurity incidents.

“The dissolution could impact the federal government’s capacity to respond to cybersecurity incidents,” she said.

Furthermore, she highlighted a Reuters report which found that SEC lawyers have been advised to seek permission from politically appointed leaders for all formal orders of investigation – a shift from previous practices where lower-level staff had more authority, subject to the SEC’s oversight.
