Markets Prefer Opacity

If You Only Read One Thing

The most consequential market-structure story today is not Anthropic's $200 billion cloud tab; it is the SEC proposing to let public companies choose slower disclosure. The new 10-S option and the Daemon Tools compromise are both trust stories: one makes market information scarcer, the other shows why signed software is no longer enough.

The SEC Wants Less Signal

The SEC is framing semiannual reporting as flexibility. The more honest description is selective opacity with a market-pricing wrapper.

The agency proposed allowing U.S. public companies to file one semiannual report on a new Form 10-S and one annual report each year instead of three quarterly 10-Qs and a 10-K. The comment period runs for 60 days after Federal Register publication. The option would be available to all reporting companies, not only smaller issuers or pre-revenue firms, and companies would elect it by checking a box on their 10-K or registration statement.

Why it matters: This is not just an administrative tweak. Quarterly reporting is a metronome that forces public companies to turn private information into standardized, comparable data before insiders, suppliers, customers, and alternative-data buyers pull too far ahead. The SEC's fact sheet says Form 10-S would include the same narrative disclosures and financial information as a 10-Q, but over six months rather than a quarter. That halves the cadence of mandatory operating transparency while leaving voluntary earnings releases, conference calls, and 8-K material-event filings to fill the gap.

The best case for the rule is real. Quarterly reporting creates cost, ritual, and short-term incentives; Europe and the U.K. moved away from mandatory quarterly reports roughly a decade ago, and many companies there still report quarterly by choice, as TechCrunch noted. Commissioner Mark Uyeda's statement argues that investors can punish companies that choose a cadence they dislike by demanding a higher cost of capital.

That is true, but incomplete. The cost of less disclosure does not fall evenly. Large funds can buy card data, channel checks, web-scrape panels, satellite imagery, app telemetry, and management access. Retail investors get a longer blackout. The proposal itself asks whether semiannual reporting would raise insider-trading risk, delay material information, and worsen information asymmetry. The Managed Funds Association made the sharper point in an April comment letter: less frequent structured disclosure can widen bid-ask spreads, reduce liquidity, and make primary research more important.

The structural move is that public companies are being offered a private-market trait without giving public investors a matching protection. If the SEC wants more companies to go public, it is choosing to make public markets feel more private. That may increase issuer supply, but it also turns disclosure frequency into a signaling game.

Room for disagreement: Many large companies will keep quarterly calls because analysts, lenders, index rules, and peer pressure will force them to. The rule may matter most for small companies where 10-Q preparation is genuinely burdensome. A voluntary system also lets investors penalize the companies that abuse the gap.

What to watch: The important variable is adoption by companies with real operating volatility. If the first wave is mostly small biotech and low-float issuers, this is burden relief. If mature cyclicals, banks, or AI-infrastructure suppliers opt in, it is a market-transparency retreat.

Daemon Tools Breaks Signing

The comforting assumption about software supply chains is that signed code from the official website is safer than random code from the internet. Daemon Tools just damaged that assumption.

Kaspersky said attackers have been distributing trojanized Daemon Tools installers from the vendor's primary domain since April 8. The compromised version affects 12.5.0.2421 through the current release, uses a valid AVB Disc Soft developer certificate, and installs malware with the same administrative trust users grant to disk-emulation software. TechCrunch reported that Kaspersky sees a widespread campaign against thousands of Windows computers and targeted follow-on activity against about a dozen retail, scientific, manufacturing, and government systems.

Why it matters: The interesting part is not that old desktop software can be compromised. It is that the attacker borrowed every trust cue defenders tell users to rely on: the real site, the real installer flow, the real certificate, and a tool that legitimately needs low-level access. Code signing verifies publisher identity and binary integrity at signing time. It does not prove the publisher's build pipeline, download server, or release process stayed clean afterward.

That is why this is different from the long-tail hosting risk we covered last week. cPanel was about forgotten internet control planes exposed to remote exploitation. Daemon Tools is about the trust distribution layer itself. If a signed official installer can carry a boot-time backdoor for nearly a month, the defense moves from "download from the official site" to "verify release provenance, monitor behavior, and assume vendor compromise is possible." That is a much harder bargain for small vendors and ordinary IT teams.

The counterintuitive part is scale versus intent. Kaspersky says most victims are in Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and China, while hands-on activity appears concentrated in a smaller set of organizations. That is how modern supply-chain operations work: cast a broad update net, then decide which machines are worth touching. The mass install base becomes target discovery.

The structural implication is that software authenticity is becoming a runtime problem. A signature can establish where code claims to come from. It cannot establish what the code will do after installation.

Room for disagreement: Daemon Tools is not Windows Update, npm, PyPI, or a hyperscaler control plane. The affected install base may be smaller and less enterprise-critical than the brand's history suggests. Kaspersky also links the malware to Chinese-language indicators, not a confirmed named state actor.

What to watch: Watch whether AVB Disc Soft publishes a clean-room rebuild, certificate revocation, and customer-impact notice. If the response stays dependent on Kaspersky telemetry, the trust repair will be slower than the compromise.

The Contrarian Take

Everyone says: Less frequent SEC reporting helps companies think long term, while the Daemon Tools attack is another one-off security breach.

Here's why that's incomplete: Both stories are about trust being converted from a public standard into a private judgment call. Semiannual reporting asks investors to trust companies to disclose enough between mandatory filings. Signed installers ask users to trust a vendor's release pipeline because the certificate checks out. The pattern is the same: when the institutional signal weakens, advantaged actors with better telemetry, access, or monitoring get the first read.

Under the Radar

Education tech is still a soft data target: Hackers stole student data from Instructure, the company behind Canvas, according to TechCrunch. The missed angle is that schools increasingly outsource identity, coursework, and behavior data into SaaS systems without the security budgets of banks or hospitals.
Robotaxi deployment is becoming a permit ladder: Nuro received a driverless testing permit in California ahead of its planned Uber robotaxi service, TechCrunch reported. The commercial milestone is not the demo ride; it is the staged accumulation of approvals that turns autonomy into a regulated logistics business.

Quick Takes

Anthropic became Google's backlog concentration problem: Reuters, citing The Information, says Anthropic committed to spend $200 billion on Google Cloud and TPUs over five years, more than 40% of Google's disclosed cloud backlog. The bullish read is that Google has a real TPU customer; the bearish read is that cloud backlog is increasingly a frontier-lab financing chain. (Source)
Apple paid for the Siri promise: Apple agreed to a $250 million settlement over claims it advertised personalized Siri features in 2024 that still had not shipped. The lesson is that AI vaporware is moving from reputation cost to legal cost, especially when marketing turns future capability into present-tense product claims. (Source)
FDA science became a publication-control fight: Reuters says FDA officials blocked several Covid and shingles vaccine-safety studies from publication, while HHS argued the conclusions exceeded the data. The structural issue is not just vaccine politics; it is whether public-health agencies can bury taxpayer-funded safety analysis when the conclusion conflicts with leadership's policy direction. (Source)
AMD is no longer just the second GPU story: AMD reported Q1 revenue of $10.3 billion, up 38%, with data-center revenue up 57% and Q2 revenue guidance of about $11.2 billion. Lisa Su tied demand to inference and agentic AI, which matters because agents may pull more CPU and memory bandwidth into the AI bill of materials. (Source)

The Thread

Today's stories are about the privatization of early signal. Public investors may get fewer standardized updates while better-resourced funds buy alternative data. Software users may get valid signatures while security vendors see the suspicious runtime behavior first. Cloud investors may see backlog while only insiders know the durability of lab commitments. The pattern is not that trust disappears. It becomes expensive, asymmetric, and sold to whoever can afford better instrumentation.

Predictions

New predictions:

I predict: By 2026-10-31, the SEC will adopt a semiannual reporting option substantially intact, but no more than 15% of S&P 500 companies will elect it for the first eligible fiscal year. (Confidence: medium; Check by: 2026-10-31)
I predict: By 2026-05-31, at least one major security vendor or government cyber agency will attribute the Daemon Tools campaign to a named China-linked intrusion set or publish victim-sector indicators beyond Kaspersky's initial telemetry. (Confidence: medium; Check by: 2026-05-31)

May 6, 2026, 3:15 AM ET.