A couple of new pieces provide some interesting insights into cyber risk and the effect of the new SEC cyber disclosure rules.
Matt Kelly, formerly of Compliance Week and now the editor of Radical Compliance, shares the news with us each week. One topic he covered at the end of August was A Look at Actual Cyber Disclosures.
He tells us:
…the most contentious part of the SEC’s new cyber disclosure rule is the section requiring companies to disclose “material cybersecurity incidents” within four days of deciding that the incident is material. If we examine what companies have already been disclosing, that might give us all a better sense of the challenges ahead to meet those new and expanded disclosure details.
To answer that question I skimmed through the most recent quarterly filings of S&P 500 firms, looking for any reference to “cybersecurity incident” or “cybersecurity event.” I did indeed find several, so let’s take a look.
The first was:
AmerisourceBergen, the pharmaceutical giant with $238.6 billion in annual sales. Tucked away in the Management Discussion & Analysis of its quarterly report, the company said it suffered a cybersecurity incident at a foreign subsidiary in March 2023. The incident struck a legacy IT platform and disrupted the foreign unit’s operations for roughly two…
