Analysis: HPE Hack Shows How The SEC’s Disclosure Rule Is Playing Out
The company says it revealed details about the compromise of its Office 365 email environment voluntarily, in keeping with the ‘spirit’ of the SEC rules on cyber incident disclosure.
For all the cybersecurity transparency fans out there, the latest corporate hack disclosure may show where things are headed.
In a filing with the U.S. Securities and Exchange Commission Wednesday, Hewlett Packard Enterprise revealed that its Office 365 cloud email environment was compromised last year by a Russia-aligned threat actor.
HPE made it clear that the filing was prompted at least partially by the SEC’s recently introduced cyberattack disclosure rules for public companies.
From that perspective, the disclosure is an interesting case, because it appears that HPE did not actually need to file it for compliance purposes, and only did so voluntarily.
The SEC rule, which took effect on Dec. 15, requires publicly traded companies to disclose major cyberattacks within four business days of determining an incident is “material” for its shareholders.
However, HPE’s filing says just the opposite about the impact of the attack: “As of the date of this filing, the incident has not had a material impact on the Company’s operations,” the company said in its filing. (My emphasis added.)
The IT infrastructure giant then goes even further, saying it “has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
In a statement Wednesday, HPE confirmed that its compliance with SEC rules was not actually on the line here. The company says it only filed the disclosure “out of an abundance of caution and a desire to comply with the spirit of new regulatory disclosure guidelines.”
At the same time, I can think of one excellent reason why HPE would want to disclose the incident, even if it wasn’t necessary for SEC compliance purposes. The state-sponsored Russian threat actor believed to have been behind the HPE attack, which is tracked as Midnight Blizzard, was blamed just days earlier for an attack that compromised senior Microsoft executives.
As these things go, there’s a chance the high-profile Microsoft incident could have led to details emerging about HPE’s own incident. HPE, it would seem, made the prudent choice to be the one to tell everyone about it (a lesson learned from the Okta saga, perhaps?)
Notably, HPE said it learned about the incident, which began in May 2023 and impacted a “small percentage” of staff email accounts, on Dec. 12. Other than the Microsoft hack revelation, it’s not clear what else might have convinced HPE that now was the right timing to disclose, given that the vendor learned of the incident more than a month ago.
Better Transparency, Or ‘White Noise’?
One other thing to consider is that Microsoft had itself filed a disclosure with the SEC about its own Midnight Blizzard hack. And the Microsoft filing indicates that a material impact is not certain. The company has “not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” Microsoft said in the Jan. 19 filing.
What we have, then, is that companies are now filing cyber incident disclosures just to cover their butts. We’ll have to wait to see if others follow their lead, but I’d put money on it.
This is an entirely welcome development for the purposes of cyberattack transparency — something which we’ve long needed more of from corporations.
But I also worry we may end up seeing more of these voluntary, “as-a-precaution” filings than the actual types of disclosures that the SEC is after. The disclosures of serious breaches might still end up withheld by many companies as they always have been.
Danny Jenkins, the co-founder and CEO of cybersecurity vendor ThreatLocker, has a related concern about how the SEC rules are playing out in practice. Jenkins said he sees a danger that compliance with the SEC regulations will result in a blizzard of “micro-incidents” being disclosed to the public.
“Generally disclosure is good, but the danger here is that a company the size of HPE is going to have [a lot of] micro-incidents that are disclosed,” he said. “I don’t know all the details of the HPE incident but based on what has been disclosed I would say this is not a major incident.”
And if public companies opt to disclose large numbers of security incidents, according to Jenkins, “what we are going to see is white noise.”
Steve Burke contributed to this report.