Brennan Quoted in Cybersecurity Dive on Cyber Incidents in SEC Filings

3.19.24

By: Travis P. Brennan

Stradling Partner Travis Brennan was featured in the Cybersecurity Dive article “How companies describe cyber incidents in SEC filings,” discussing the significance of the language companies use in their SEC filings to describe cyber incidents. That language not only informs regulators and investors about potential risks but also indicates the company's approach to detecting, mitigating, containing, and recovering from cyberattacks.

In a recent Form 8-K filing with the SEC, VF Corp. disclosed a cyberattack, coinciding with the implementation of the agency's new cyber disclosure rules. Brennan highlighted the careful language used in such filings to signal the company's response to cyber incidents, emphasizing that terms like “breach and data breach have very specific legal meanings and consequences, and they also have a particular meaning within what I’ll call the public consciousness. . . once there has been a breach, as opposed to merely an incident, that suggests that the risk of harm has just gone up a few notches.”

Brennan also cautioned about the potential risks of oversharing detailed information, as it could attract copycat attacks, stating that “in instances where we see relatively more details sooner rather than later, it might be because the particular attack vector used is a known one, or a common one.” Companies need to balance transparency with safeguarding against further vulnerabilities. As companies navigate these reporting requirements under the SEC rules, stakeholders should assess the organization's cybersecurity preparedness and response mechanisms amid evolving threats and regulatory expectations.