It’s been more than a year since the U.S. Securities and Exchange Commission adopted new rules to enhance the annual reporting of cybersecurity measures practiced by SEC registrants. These requirements are in addition to those about the timely disclosure of material cybersecurity incidents that these companies experience. This tougher stance from the SEC has prompted executives and boards of directors to look at cybersecurity, not as an afterthought, but as a business-critical priority. The SEC’s new rules also hold these leaders and their companies legally accountable should they not follow the agency's cybersecurity rules — putting chief information security officers in the hot seat.
In the first year of the program, more than 20 cybersecurity incidents were disclosed to the commission via corporations' filings of Form 8-K. Listed below in chronological order are those 22 filings, including details such as the filing date, the target of the incident, and the impact that the incident had on the business.
While the SEC’s cybersecurity-incident disclosure rules are generally positive for the betterment of cybersecurity, readers who follow the links for each filing will see that the vast majority of these disclosures don’t yield much information beyond what we describe below. Details missing from the forms include the type of attack, the identity of the attack’s perpetrators, and how the perpetrators were able to breach the company’s systems in the first place. This is because the SEC’s rules for Form 8-K only ask registrants to disclose “The material aspects of the nature, scope, and timing of the incident; and the material impact or reasonably likely material impact on the registrant, including on the registrant’s financial condition and results of operations.”
The commission also clearly stated in its announcement of the new rules last year that it doesn’t require registrants “to disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail that would impede its response or remediation of the incident.”
What this means is that these 8-K disclosure rules do not provide the attack transparency that the cybersecurity community could use to bolster critical systems against similar incidents, bestowing instead only higher-level benefits to key market players, who will become more aware of registrants’ cybersecurity practices, and to registrants, who hopefully will take their cybersecurity efforts more seriously.
Of course, some of the 8-K filings concern attacks previously reported in the media, and so we know something about the type of attack in those cases. Here are some of the trends that can be gleaned from that information.
[ Learn more: SEC action raises the bar on software transparency | See Special Report ]
Ransomware outperforms yet again
Media reports helped label at least eight of the 22 incidents as ransomware attacks, with some publications even reporting which ransomware group was responsible – or claimed to be responsible. Some of the criminal groups identified as being behind the past year’s incidents have long-standing track records, some are offshoots of legacy gangs, and some have since become defunct.
In several cases, information was sparse immediately after an attack was discovered but became more complete with time. For example, in Prudential Financial’s initial February 2024 filing to the SEC, the company disclosed that a cybercrime group had accessed company data, but at the time the company was unaware of what material impact the incident would have. Later, Prudential amended its filing to the SEC, stating that information on more than 2.5 million people potentially had been leaked in the initial incident. The Record then reported that the attack was believed to have been carried out by the AlphV ransomware group, a now-defunct gang that was taken down by the FBI in December 2023.
Similarly, the attack that hit Key Tronic, a technology manufacturer, was labeled as a “cybersecurity incident” in the company’s SEC filing, but Security Week and other media outlets eventually identified the incident as a ransomware attack, noting that Black Basta, a legacy ransomware gang that has impacted over 500 organizations globally, claimed responsibility for the incident and stole over 500GB of data. The attack forced the company to close down business operations in the United States and Mexico for two weeks, causing a total revenue loss of $17 million.
Despite ransomware being one of the oldest forms of cybercrime, gangs clearly pursued these attacks in 2024 – and they will continue to do so in 2025. The incidents listed below that are labeled as ransomware suggest that it remains one of the most popular forms of cybercrime. Still, it must be noted that in most cases, the nature of the attack is unknown, making it unclear what other attack types may be increasing.
Still in the cards: Nation-state-backed cyber-espionage
Two major incidents of the past year, aimed at Microsoft and Hewlett Packard Enterprise, that earned a great deal of media attention involved cyber-espionage backed by a nation-state. Despite the fact that the cybercriminals’ espionage activities did not materially impact either Microsoft or HPE, both companies submitted Form 8-K to disclose these incidents.
In both cases, Midnight Blizzard (a.k.a. Nobelium, APT29, or Cozy Bear), a Russian state-sponsored cybercrime group, infiltrated the companies’ systems with the intention of exfiltrating the email data of certain employees. Microsoft said in its filing that the cybercriminals were trying to find information about the Midnight Blizzard cybercrime group itself. HPE, however, did not offer information on why Midnight Blizzard targeted its cloud-based email system or how the perpetrators accessed its systems.
While no other filings can be labeled as cyber-espionage attacks, it’s clear that this form of cybercrime remains a sophisticated, stealthy, and pointed threat that major corporations need to take seriously. And despite the lack of significant material impact in all the filings, they demonstrate that corporations must disclose any kind of incident in the wake of the SEC’s new cybersecurity rules.
What do these filings mean for cybersecurity?
Although these 8-K filings may not offer clear takeaways about how and why ransomware is still a persistent problem, how susceptible major corporations are to cyber-espionage, or what other kinds of cyberattacks criminals are favoring, the SEC’s rules on material-incident disclosure are still a step in the right direction. The cybersecurity industry and major corporations can reap benefits from these rules at a high level. The SEC's new stance means CISOs now have pressure to persuade their company’s board to care about their internal cybersecurity measures and how the company responds in times of cyber-crisis.
