No Match Found
In July 2023, the SEC issued a new disclosure rule related to cybersecurity that applies to all SEC registrants reporting under the Securities Exchange Act of 1934. The rule, among other things, requires timely disclosure of certain information about a cyber incident if the incident is determined to be material, beginning December 18, 2023.
Interpretative guidance from the SEC in 2011 and 2018 reminded registrants that material cybersecurity incidents and their related impacts would generally require disclosure under existing SEC rules and regulations. The 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures interpretive release stated “Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities laws.” In the final rule, the SEC highlighted that disclosures are already being made by registrants regarding material cybersecurity incidents.
The new rule is intended to standardize the information companies disclose about a material cyber incident. Registrants must disclose in new Item 1.05 of Form 8-K the material aspects of the incident’s nature, scope, and timing, as well as the material impact or reasonably likely material impact on the registrant, including the impact on its financial condition and results of operations. The rule’s adopting release states that in addition to the impact to financial condition and results of operations, companies should also consider qualitative factors when assessing the materiality and impact of an incident.
The disclosure is required within four business days of determining that a cyber incident is material. Although no time limit is prescribed for how long a company should take to make the materiality determination, the materiality determination is required to be made “without unreasonable delay” after discovery of the incident.
The material cyber incident disclosure requirements will be effective on December 18, 2023; smaller reporting companies have until June 15, 2024.
A materiality evaluation should be made using the framework established in the federal securities laws, with a focus on the importance of the information to a reasonable investor. This is no different from the framework used by companies today. The evaluation will be specific to the company and cybersecurity incident.
The SEC’s cyber incident disclosure rule summarizes illustrative quantitative and qualitative factors, including the following:
Asking the following questions could help in assessing those factors:
This is not an all-inclusive list. Management will need to consider its own situation to determine any relevant factors, while at the same time consider how those factors should be considered and weighted collectively. In setting forth its opinion on materiality, the Supreme Court acknowledged that “doubts as to the critical nature of information misstated or omitted will be commonplace,” but stated that such doubts should be resolved in the favor of those the statute is designed to protect (in this case, investors).
Over the years, the SEC staff has provided guidance to assist preparers in their evaluation of the materiality of errors in the financial statements, such as the guidance in SAB 99. Cyber incidents may not impact amounts or disclosures in the financial statements. For example, it may involve theft of various types of intellectual property that are not reflected on the balance sheet but are considered important elements of the company’s overall value in the markets. For these reasons, evaluating the materiality of cyber incidents may warrant greater consideration of qualitative factors than what is discussed in SAB 99 or other SEC staff guidance and statements.
No. The adopting release says, “a material cybersecurity incident may not result in actual harm in all instances. For example, a company whose intellectual property is stolen may not suffer harm immediately, but it may foresee that harm will likely occur over time as that information is sold to other parties, such that it can determine materiality before the harm occurs. The reputational harm from a breach may similarly increase over time in a foreseeable manner. There may also be cases, even if uncommon, where the jeopardy caused by a cybersecurity incident materially affects the company, even if the incident has not yet caused actual harm. In such circumstances, we believe investors should be apprised of the material effects of the incident.”
It is important to keep in mind the Supreme Court definition, as highlighted above, that a fact is material if there is a “substantial likelihood that..the fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”
Yes, but only if they are related occurrences. The definition of a cybersecurity incident includes a series of related occurrences. Therefore, related occurrences will need to be aggregated in conducting the materiality determination and, if material, in disclosing the incident. Events that involve the same malicious actor or multiple actors exploiting the same vulnerability are examples of when events may be related. Unrelated occurrences would not be required to be aggregated and instead each unrelated occurrence would be evaluated for materiality separately.
Determining materiality should not be solely the responsibility of any one person. Taking these three steps now can help you avoid unpleasant surprises later.
Among the essential groups that should establish an organized process for determining materiality: the team under the CISO, CIO, CTO; the CFO and finance team; and the General Counsel (GC) and legal team. The new rule will stress-test how efficiently these three functional teams communicate and coordinate.
Outline the responsibilities of each functional team in the determination and disclosure of a material cyber incident. Share foundational knowledge to bridge across the disciplines. The CISO, CIO, CTO will need information on materiality, while the CFO and finance team and GC will need information on incident response and cyber strategy.
Ask these questions to anticipate the processes that the company needs to establish or strengthen.
The CISO (or CIO, CTO) should collect the information that those ultimately responsible for the materiality determination need. Clarity on these questions will help: What is the relevant information that should be communicated based on the known and unknown facts and circumstances of the cyber incident? Can the CISO and team provide the information quickly enough and in the form that would be most useful in the materiality determination? Do they have appropriate relationships with third parties, such as forensic firms, if external expertise were required to collect critical information?
The documentation of the company's process, who was involved and ultimately the conclusions reached, including the basis for such conclusions is critical. Is each team able to produce contemporaneous documentation of the facts — known and unknown — about an incident and the factors considered in assessing the materiality? The company would want the documentation ready if requested by the SEC.