In today’s digital age, the intersection of cybersecurity and securities law has become increasingly significant. The rise in cybersecurity-related securities class actions reflects a growing awareness among investors of the risks posed by cyber threats and the impact these threats can have on a company’s financial health and stock performance as well as corporate governance frameworks and investor proection.

Cybersecurity-related securities class actions arise when shareholders believe that a company has failed to disclose material information regarding its cybersecurity practices, breaches, or vulnerabilities, leading to financial losses. These securities class actions are predicated on the idea that investors are entitled to complete transparency about the cybersecurity measures a company has in place, as well as any breaches that have occurred.

One of the pivotal aspects of cybersecurity-related securities class actions is the disclosure obligations that companies face. Publicly traded companies are required by law to provide accurate and timely information about their operations, including any significant cybersecurity incidents that could affect their financial status.

Failure to do so can result in substantial legal repercussions, including class action lawsuits from disgruntled shareholders who may argue that they were misled or inadequately informed. The ramifications of these lawsuits are profound, not only in terms of potential financial penalties but also in terms of reputational damage and loss of investor confidence.

As we look towards 2026, it is anticipated that the frequency and complexity of cybersecurity-related securities class actions will continue to grow. This is due in part to the increasing sophistication of cyber attacks and the evolving regulatory landscape that demands greater transparency and accountability from corporations.

Companies must be proactive in their cybersecurity strategies, ensuring robust defenses against cyber threats by enhancing corporage governane frameworks and clear communication with stakeholders about their cybersecurity posture. This includes regular updates on any breaches and the measures taken to mitigate such incidents.

In conclusion, cybersecurity-related securities class actions represent a critical area of concern for modern businesses. Companies must navigate the delicate balance between safeguarding sensitive information and maintaining transparency with their investors. As cyber threats become more prevalent and sophisticated, the importance of robust cybersecurity practices and clear, honest communication cannot be overstated.

By prioritizing these elements, companies can better protect themselves against potential legal actions and preserve investor trust in an increasingly complex digital landscape.

What must be disclosed

Materiality determination

Takeaways from a Year of Cybersecurity Incident Reporting on Form 8-K

• Initial confusion Early filings under Item 1.05 often expressed uncertainty about the materiality of the reported incidents, or stated they did not expect a material financial impact, despite disclosing operational disruptions. This led to inconsistent disclosures and confusion for investors.
• SEC guidance and comment letters In response, the SEC issued guidance in May 2024 clarifying that Item 1.05 is specifically for incidents determined to be material. The regulator also issued comment letters to companies, pushing for more detailed disclosures about material impacts beyond just financial conditions, such as effects on reputation, operations, and customer relationships. This guidance helped shape more meaningful disclosures later in the year.
• A “Goldilocks” approach Companies must take care not to disclose too early or too late. The filing deadline is four business days after a materiality determination is made, not upon initial detection. This allows time for a reasonable investigation to make an informed decision, though some incidents with immediate public ramifications may warrant quicker disclosure.

Trends in Cybersecurity Disclosures

• Shift from Item 1.05 to Item 8.01 After the May 2024 SEC guidance, companies began shifting towards voluntary disclosure under Item 8.01 for incidents whose materiality was not yet determined or was deemed not material. This has resulted in a marked increase in Item 8.01 filings relative to Item 1.05 filings.
• Focus on operational impact While financial impacts are often still under investigation at the time of initial disclosure, many companies immediately report operational disruptions. These can include ransomware-related interruptions or other remediation efforts that affect business continuity.
• Frequent amendments Thirteen companies filed amended Form 8-K disclosures in the first year to provide updates on their material cybersecurity incidents. These amendments typically disclosed further incident details, impacts, or confirmation of remediation efforts.
• Third-party incidents The rules proved especially challenging for incidents originating from third-party vendors, where companies have limited visibility into the compromised systems. Disclosures revealed that over a quarter of the reported incidents in the first year involved a third party.

Recent Enforecment Actions Over Cybersecurity Disclosures

Recent SEC enforcement actions and commentary reveal the key elements of a robust process. Strong disclosure controls and procedures (DCP) ensure that material information, including cybersecurity incidents, is escalated to the appropriate level of management and accurately presented in public filings and statements.

Based on SEC scrutiny, here are examples of what strong cybersecurity DCPs entail:

• Prompt communication: In the Blackbaud case, the SEC penalized the company because technical staff failed to communicate key details of a breach to senior management, which resulted in misleading public statements. A robust DCP includes an established communication plan for escalating incident details to management and disclosure committees without delay.
• Third-party incident communication: For incidents involving third-party vendors, strong controls require communication protocols to ensure all relevant information is collected and escalated, despite the company’s limited visibility into the vendor’s systems.

Maintaining an Incident is Critical for Documenting the Entire Incident

• Improved visibility and communication: Centralizing logs provides a comprehensive, real-time view of system activity, which allows teams to quickly search, analyze, and correlate data. This eliminates data silos and ensures that everyone is on the same page regarding an ongoing incident.
• Faster troubleshooting and response: Aggregating log data into a single, searchable location accelerates troubleshooting and root cause analysis. Real-time monitoring and alerts help teams detect and respond to issues before they escalate and impact service continuity.
• Enhanced security and forensics: Centralized logging strengthens an organization’s security posture by making it easier to detect threats and suspicious activity. It provides a comprehensive audit trail for forensic investigations, helping to reconstruct a security incident’s timeline.
• Increased accountability and traceability: By recording all actions taken during a Cybersecurity incident, a centralized log creates a clear audit trail and fosters a culture of responsibility. This helps identify areas for improvement and ensures adherence to protocols.

• Regulatory compliance and audits: Many industry standards, such as HIPAA, GDPR, and SOC 2, require detailed log retention and a clear audit trail. A centralized system automates log retention and provides the necessary documentation for compliance reporting.

Key components of an incident log entry

• Basic information: The date, time, and exact location of the Cybersecurity incident.
• People involved: The names, roles, and departments of those involved or affected, as well as any witnesses.
• Incident description: A clear, objective, and chronological narrative of what occurred.
• Injuries or damages: Specifics about any injuries, property or equipment damage, or environmental hazards.
• Supporting evidence: Photos, diagrams, and witness statements.
• Immediate response: Actions taken by responders to contain and resolve the incident.
• Contributing factors: An analysis of what may have led to the incident, such as equipment failure, environmental conditions, or process gaps.
• Corrective actions: Recommended steps to mitigate the risk of recurrence.
• Resolution and sign-off: Documentation of the final resolution, with signatures from the reporter and any supervisors.

Best practices for creating a centralized incident log

• Implement a standardized template: Use a consistent format across all logs to ensure uniformity and completeness.
• Focus on relevant logs: Define what data is critical for security and operations to avoid noise and excessive storage costs.
• Prioritize prompt reporting: Require a Cybersecurity incident to be logged as soon as possible, while details are still fresh.
• Assign clear roles: Define specific roles and responsibilities for incident logging and review.
• Ensure security: Protect log data from unauthorized access or tampering by using encryption and access controls.
• Conduct training: Provide regular training for all employees on the logging process and the importance of accurate documentation.
• Use digital tools: Implement digital tools and software to automate log collection, simplify reporting, and enhance search and analysis capabilities.
• Regularly review and update: Periodically audit logs and refine procedures to ensure the logging solution remains effective as the organization evolves. 

What should a detailed Cybersecurity incident description include

• The “Five Ws”: A complete description should clearly answer who, what, where, when, and why/how.
  • Who was involved? List all individuals, including employees, customers, or third parties directly affected, as well as any witnesses. Include their roles and departments to clarify their context within the incident.
  • What happened? Give a concise, factual summary of the incident itself.
  • Where did it take place? Be specific about the location, including the exact address or specific area within a facility.
  • When did it happen? Record the exact date and time of the incident’s occurrence.
  • Why/How did it happen? Describe the sequence of events leading up to, during, and after the incident. Identify any contributing factors, such as unsafe conditions, equipment failure, or procedural gaps.

• Environmental conditions: Note any relevant conditions at the time of the incident, such as weather, lighting, or noise levels, that may have played a role.
• Equipment involved: List any equipment, machinery, or materials that were a part of the incident. Include details like the equipment’s ID number and maintenance history if relevant.
• Initial response: Document the actions taken immediately following the event, such as first aid administered or equipment shutdowns.
• Witness statements: Include signed statements from any witnesses to provide additional perspectives. Record direct quotes when possible.
• Evidence documentation: Attach and reference any supporting evidence gathered, such as:
  • Photos or videos of the scene
  • Diagrams or sketches
  • System logs, for IT incidents
  • Maintenance records

• Factual and objective: Use neutral, descriptive language. Stick to facts and avoid making assumptions or assigning blame. For instance, write “the employee slipped on a wet floor” rather than “the careless employee fell”.
• Clear and concise: Organize the report chronologically and use simple, straightforward language. Bullet points or numbered lists can make complex information easier to digest.
• Thorough: Include as much relevant information as possible to provide a complete picture for future reviewers, such as auditors, managers, or legal teams.

• Avoid personal assumptions: Stick to what is seen, heard, and known. Do not speculate on the cause of the incident or the motivations of those involved.
  • Incorrect (opinion-based): “The employee was careless and probably intoxicated, which is why he fell.”
  • Correct (fact-based): “The employee displayed unsteady movement, slurred speech, and smelled of alcohol. He subsequently fell.”
• Use direct quotes from witnesses: Record witness opinions or interpretations verbatim and enclose them in quotation marks. This clarifies that the statement is a perspective, not a fact.
  • Example: A witness statement might include, “I heard [Employee’s Name] say, ‘I didn’t want to wear my non-skid slippers and slipped on the floor,'”.
• Structure for analysis: Include a separate section for analysis and recommendations after the incident description. Qualified individuals can provide expert opinions based on the facts documented in the report to help determine the root cause and prevent future Cybersecurity Failures.
  • For example, an IT expert might provide an analysis explaining how a configuration error (fact) likely led to the outage (opinion/assessment).
  • An expert’s opinion should be clearly labeled and based on observable evidence. 

• Use neutral language: Avoid judgmental or emotional language. Focus on what happened.
• Focus on verifiable facts: If a statement cannot be proven true or false, it is likely an opinion and should not be presented as a fact.
• Use specific descriptions: Be as detailed as possible when describing events, people, and conditions. This specificity is less prone to misinterpretation.
• Distinguish sources: Clearly separate observations from secondhand information. This maintains a clear chain of evidence.

• Attribute the source clearly: Always name the individual who provided the secondhand information. This is critical for documenting what was heard, not what was seen.
• Use quotation marks: Any information that is not a direct, firsthand observation should be enclosed in quotation marks. This signifies that it is a statement made by another person.
• Identify the information as secondhand: Explicitly state that the information was received from another source. For clarity, use phrases like “Employee A told me…” or “According to Witness B…”.
• Record verbatim statements: Write down the secondhand information exactly as it was told to avoid misinterpretation. Any paraphrasing could introduce bias.
• Do not include gossip or speculation: A report is not a place for rumors or assumptions. If the secondhand information is based on gossip or unverified conjecture, it should be excluded.
• Include it in a dedicated section: Create a specific section for witness statements in more complex reports. This keeps firsthand accounts separate from secondhand information and analysis. 

• Maintains objectivity: Separating facts from secondhand accounts ensures the report remains an objective record of events. This is essential for investigations, audits, and legal matters.
• Avoids bias: By attributing hearsay to its source, the report avoids presenting someone’s opinion as an objective fact, which prevents bias from influencing the record.
• Promotes legal defensibility: If an incident leads to legal proceedings, distinguishing between direct observations and secondhand information is critical. Improperly reported hearsay can compromise the report’s credibility.
• Enhances clarity: Clearly documenting secondhand information makes the report easy to understand for everyone involved, from investigators and managers to legal teams.

• Regulatory scrutiny Generic, boilerplate language in early Cybersecurity disclosures drew SEC comment letters and enforcement actions for insufficient detail on a cybersecurity incident. Companies are now expected to provide more specific, decision-useful information.
• Extortion tactics At least one ransomware group attempted to use the new cybersecurity  disclosure rules as a pressure tactic by filing a whistleblower report with the SEC after a company refused to pay a ransom. However, this tactic does not appear to have become a widespread trend.
• Refining governance The rule has forced many organizations to re-evaluate and enhance their Cybersecurity incident response strategies. It has also highlighted the importance of clear governance, defined roles, and robust disclosure controls and procedures to facilitate timely and accurate reporting.

• Identity theft and financial fraud: Stolen personal information can be used to commit fraud, open new accounts, or make unauthorized purchases.
• Psychological distress: Victims often experience significant anxiety, stress, anger, and feelings of helplessness and paranoia. For some, the trauma of a breach can cause long-term psychological issues.
• Embarrassment and shame: Public exposure of private data can lead to humiliation, social anxiety, and isolation. 

• National security threats: State-sponsored attacks, like the SolarWinds breach, can compromise government agencies and critical infrastructure, including power grids and election systems.
• Disruption of critical services: Attacks on vital infrastructure can lead to power outages, supply chain failures, and other disruptions that endanger public safety and economic health.
• Erosion of trust: Widespread Cybersecurity Failures and online disinformation campaigns can cause the public to lose faith in technology, institutions, and online services. 

• Sophistication of attacks: Cybercriminals are using AI and other emerging technologies to develop more complex Cybersecurity Failures and evasive attacks, including zero-day exploits and multi-stage campaigns that can remain undetected for years.
• The cybersecurity skills gap: There is a severe global shortage of skilled cybersecurity professionals, leaving many organizations vulnerable. The demand for qualified experts far outpaces the available supply.
• Evolving technology and attack surface: The rapid adoption of new technologies like AI, 5G networks, the Internet of Things (IoT), and cloud services creates a larger and more complex cybersecurity failures surface for hackers to exploit.
• Human error: Employees remain one of the weakest links in security. Mistakes like falling for phishing scams, using weak passwords, or misconfiguring systems are major causes of breaches.
• Insider threats: Current or former employees with privileged access can intentionally or accidentally compromise data security. These threats can be hard to detect because they come from trusted sources.
• Third-party and supply chain risks: Organizations are vulnerable through their supply chain and third-party vendors. If a supplier has poor security, it can serve as an entry point for attackers to infiltrate a partner’s network.
• Compliance and regulatory complexities: Organizations must navigate an ever-changing landscape of data privacy laws and regulations, which can be challenging and costly to manage, especially across multiple jurisdictions.
• Budget constraints: Many organizations lack sufficient budgets to invest in the latest security technologies, hire enough personnel, or provide comprehensive employee training. This leaves them under-resourced and highly exposed to threats.