Communications Daily is a Warren News publication.
SEC Requirement Generally Unburdensome

Tech, Media and Telecom Firms' Cybersecurity Disclosures Run a Gamut

At the SEC's insistence, tech, media and telecom (TMT) companies are increasingly warning investors and the public about cyberattack risks, as well as the steps they take when incidents are discovered. The SEC began requiring that companies report on cybersecurity practices and incidents in 2023. TMT companies' cybersecurity disclosures in their 2024 10-K annual reports varied widely in depth and detail: TDS' totaled a little more than 300 words; Lumen's was more than 1,400.


The rules leave companies room for interpretation of how much detail to provide, said Daniel Shin, William & Mary Law School cybersecurity researcher. The SEC didn't want the disclosure rules to drive companies to a specific cybersecurity standard, affecting their cyber posture, he added.

The disclosure requirements are investor-oriented: not every incident must be disclosed, the test being whether the event was material, i.e., whether a reasonable investor would consider it significant. Whether the disclosures are actually giving investors useful information remains to be seen, Shin said, since most companies have completed only one cycle of annual reports so far. That the SEC hasn't announced investigations or penalties concerning disclosures seems to indicate the agency is satisfied with compliance, he said.

The SEC's requirement to disclose cybersecurity processes generally hasn't been a large burden on companies, said Kevin LaCroix, executive vice president at RT ProExec, a management liability insurance intermediary. There have been greater objections to the reporting requirements that apply after a cyber incident occurs, such as filing an 8-K disclosure with the SEC within four days of determining that a material cyber incident happened, LaCroix said. That incident reporting requirement is considered more burdensome and challenging, he said. For example, a company might know something material has occurred but lack the details within the four-day period, so companies worry they could later be criticized for issuing information piecemeal, he said.

Alternatively, a company might conclude that nothing material occurred; if it turns out that something did, the concern is that the company will be accused of having soft-pedaled the incident. Some cybersecurity lawyers say companies are overreporting cyber incidents out of fear of running afoul of the reporting rules (see 2412160040).

LaCroix said the investor community seems appreciative of cybersecurity processes and governance insights. For instance, having a single federal standard for disclosure documents helps investors compare company practices, he said. The future of cyber incident reporting requirements is unclear, as some expect the incoming Trump administration may walk them back or not enforce them.

Numerous companies, including Verizon, Nexstar, Warner Bros. Discovery (WBD), T-Mobile and TDS said their cybersecurity regimen is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. The blueprint "outlines core components and responsibilities necessary to sustain a healthy and well-balanced cybersecurity program," Verizon said.

AT&T said its network and information security program "is reasonably designed to protect our information, and that of our customers, from unauthorized risks to their confidentiality, integrity, or availability." It uses continuous, near-real-time security monitoring to investigate and respond to network security events.

WBD said it hires outside firms for annual internal and external penetration testing and assessments of its cybersecurity risk management practices. In addition, it said it invests in cybersecurity incident detection and response and participates in cyber information sharing with the government and industry partners.

Charter Communications said cyberthreats it faces include "a wide variety of perpetrators aiming for political, personal or financial gain, utilizing a broad set of tactics including ransomware, advanced malware, [distributed denial-of-service attacks], account takeover, phishing/SMSing and social engineering, among others." It responds with network segmentation, enhanced detection tools, and monitoring compliance with security standards.

Lumen said it views "cybersecurity risk as one of our principal enterprise-wide risks, subject to control and monitoring at various levels of management." It puts "significant resources towards programs designed to identify, assess, manage, mitigate and respond to cybersecurity threats." Lumen said it's particularly susceptible to cyber issues because of its material reliance on owned and leased networks to conduct operations, its transmission of large amounts of data and its processing and storage of sensitive customer data.

"We have experienced, and will continue to experience, cyber incidents in the normal course of our business," Altice USA said. Despite cybersecurity risk management efforts such as risk assessments, penetration tests and data restoration testing, "we may not be successful in preventing or mitigating a cybersecurity incident that could have a significant adverse impact on our business and reputation."

Shentel said it identifies cybersecurity risks through regular security assessments, external and internal penetration testing, data privacy assessments, external security evaluations, "and continuing education and awareness of existing and new threat vectors, industry trends, changes in the environment and changes in the overall technology landscape." However, it said, no program, "no matter how well designed and implemented, can prevent all potential cybersecurity risks and that the benefits of any potential controls or mitigations should be considered in relation to their costs."

Even before the SEC's cybersecurity requirement, many TMT companies were discussing cyber risks with investors. For instance, in its 2023 annual report, Charter described how it used the NIST framework as guidance for identifying and mitigating cybersecurity risks. In its 2023 annual report, AT&T mentioned cyberattacks as a risk factor but didn't provide details about prevention, response planning or oversight.