Making materiality judgments in cybersecurity incident reporting

Companies should consider establishing processes, procedures and controls to confirm they are able to promptly assess the impact of a cyber incident, from collection of information to escalation to contemporaneous documentation, and, if necessary, disclosure.

In July 2023, the SEC issued a new disclosure rule related to cybersecurity that applies to all SEC registrants reporting under the Securities Exchange Act of 1934. The rule, among other things, requires timely disclosure of certain information about a cyber incident if the incident is determined to be material, beginning December 18, 2023.

To summarize:

  • The SEC affirmed in the final rule that the materiality standard registrants should apply is consistent with that set out in the federal securities laws as well as numerous court cases addressing materiality.
  • This standard, as outlined in the rule’s adopting release, is anchored to what the Supreme Court has deemed material information: a fact is material if there is a “substantial likelihood that a reasonable investor would consider it important” or if it would have “significantly altered the ‘total mix’ of information made available.”
  • To apply this standard in the context of a cyber incident, companies should be prepared to conduct an objective analysis of both quantitative and qualitative factors, including evaluation of an incident’s impact and reasonably likely impacts.
  • There is often a high degree of judgment in making a materiality determination, and it can benefit from an informed and deliberative process. At a minimum, this requires effective communication among the company’s IT/security, finance, and legal departments. The goal is that those charged with making the materiality assessment, determining the appropriate response, and evaluating the need for disclosure and the nature of those disclosures, have the right information on a timely basis.
  • Companies should have a defined process to assess cyber incidents, starting with the security and IT teams’ collection of information and assessment, escalation to teams responsible for SEC disclosures (finance and legal), and contemporaneous documentation of judgments and conclusions as well as the basis and rationale for such.

What’s new, what isn’t?

Disclosing the existence of a material cyber incident is not a new requirement.

Interpretative guidance from the SEC in 2011 and 2018 reminded registrants that material cybersecurity incidents and their related impacts would generally require disclosure under existing SEC rules and regulations. The 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures interpretive release stated “Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities laws.” In the final rule, the SEC highlighted that disclosures are already being made by registrants regarding material cybersecurity incidents.

What’s new with the July 2023 rule? The specificity of what, how, when and where to disclose a material cyber incident

The new rule is intended to standardize the information companies disclose about a material cyber incident. Registrants must disclose in new Item 1.05 of Form 8-K the material aspects of the incident’s nature, scope, and timing as well as the material impact or reasonably likely material impact on the registrant, including the impact on its financial condition and results of operations. The rule’s adopting release states that in addition to the impact to financial condition and results of operations, companies should also consider qualitative factors when assessing the materiality and impact of an incident. 

The disclosure is required within four business days of determining that a cyber incident is material. Although no time limit is prescribed for how long a company should take to make the materiality determination, the materiality determination is required to be made “without unreasonable delay” after discovery of the incident.   

The material cyber incident disclosure requirements will be effective on December 18, 2023; smaller reporting companies have until June 15, 2024.

What should companies consider when evaluating materiality?

A materiality evaluation should be made using the framework established in the federal securities laws, with a focus on the importance of the information to a reasonable investor. This is no different from the framework used by companies today. The evaluation will be specific to the company and cybersecurity incident.

The SEC’s cyber incident disclosure rule summarizes illustrative quantitative and qualitative factors, including the following:

  • Harm to a company’s reputation
  • Impact of disruption to business operations
  • Harm to a company’s customer or vendor relationships
  • Harm to competitiveness
  • The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities
  • Impact on business value
  • Actual and expected direct and indirect costs stemming from the incident

Asking the following questions could help in assessing those factors:

  • What was the nature of the attack? For example, was it a new type of attack or a variation on an old attack? Also, was the company the sole target, or was it part of a broader attack against a number of companies in an industry, geographic area or some other grouping? Was the attack made on the company’s own systems or through a third party?
  • What are the characteristics of the threat actor? For example, was it an individual, a loosely affiliated group, a sophisticated criminal organization or a nation state? 
  • What systems were compromised and what information was stored on those systems? The role that the system(s) play in the company's overall operations would be an important consideration.
  • What was the timeline and nature of the response? For example, how long did it take to detect the incident, and how long did it take to resolve the incident? What level of expertise was needed to resolve the incident? To what extent did the incident trigger involvement by executive management or members of the board?
  • What are the potential ongoing effects to the company and impacts on the future trends of the business? In addition to considering the direct and indirect costs relating to resolution, fortification of systems and ongoing mitigation to prevent similar attacks, are there other potential costs associated with changes to operations and strategies as a result of the incident or potential future incidents? Are there changes to forecasted revenues, expenses, profitability and cash flows?
  • What industry does the company operate in, and how have investors considered cyber risks in valuations, if at all? For example, certain industries may be considered at high risk of cyber incidents such that investors may have already priced cyber risks into valuations. In other industries, cyber risks may not have been incorporated into market pricing, such that an incident may be viewed differently by investors in that industry.
  • What are the potential legal implications associated with the incident? For example, does the incident increase the risk or likelihood of future lawsuits, enforcement actions or other legal proceedings? Are there loss contingencies that should be accrued or disclosed in the financial statements? 

This is not an all-inclusive list. Management will need to consider its own situation to determine any relevant factors, while at the same time consider how those factors should be considered and weighted collectively. In setting forth its opinion on materiality, the Supreme Court acknowledged that “doubts as to the critical nature of information misstated or omitted will be commonplace,” but stated that such doubts should be resolved in the favor of those the statute is designed to protect (in this case, investors). 

Over the years, the SEC staff has provided guidance to assist preparers in their evaluation of the materiality of errors in the financial statements, such as the guidance in SAB 99. Cyber incidents, however, may not impact amounts or disclosures in the financial statements at all. For example, an incident may involve theft of various types of intellectual property that are not reflected on the balance sheet but are considered important elements of the company’s overall value in the markets. For these reasons, evaluating the materiality of cyber incidents may warrant greater consideration of qualitative factors than what is discussed in SAB 99 or other SEC staff guidance and statements.

Must there have been actual harm for an incident to be material?

No. The adopting release says, “a material cybersecurity incident may not result in actual harm in all instances. For example, a company whose intellectual property is stolen may not suffer harm immediately, but it may foresee that harm will likely occur over time as that information is sold to other parties, such that it can determine materiality before the harm occurs. The reputational harm from a breach may similarly increase over time in a foreseeable manner. There may also be cases, even if uncommon, where the jeopardy caused by a cybersecurity incident materially affects the company, even if the incident has not yet caused actual harm. In such circumstances, we believe investors should be apprised of the material effects of the incident.” 

It is important to keep in mind the Supreme Court definition, as highlighted above, that a fact is material if there is a “substantial likelihood that … the fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Does the rule require immaterial cyber incidents to be aggregated when determining materiality?

Yes, but only if they are related occurrences. The definition of a cybersecurity incident includes a series of related occurrences. Therefore, related occurrences will need to be aggregated in conducting the materiality determination and, if material, in disclosing the incident. Events that involve the same malicious actor or multiple actors exploiting the same vulnerability are examples of when events may be related. Unrelated occurrences would not be required to be aggregated and instead each unrelated occurrence would be evaluated for materiality separately.
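The aggregation rule above and the four-business-day filing window described earlier are easy to state and easy to get wrong in practice when incidents trickle in over weeks. The following is an added illustration, not SEC or company tooling: it groups incident records into related occurrences using the two relatedness signals the adopting release gives as examples (a shared threat actor, or a shared exploited vulnerability), treats relatedness as transitive, aggregates each cluster for the materiality discussion, and computes the Form 8-K deadline from a hypothetical determination date. The incident records, cost figures, actor and vulnerability labels are constructed for the example; the deadline helper skips weekends only and does not account for federal holidays, which a real filing calendar would need.

```python
"""Group cyber incident records into related occurrences and compute the
Form 8-K Item 1.05 deadline for a cluster that has been judged material.

Added example, not the SEC's or any company's code. Relatedness criteria
(shared actor, shared exploited vulnerability) follow the examples in the
adopting release; all incident data below is constructed. "Four business
days" here skips Saturdays and Sundays only; holidays are not handled.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Occurrence:
    ident: str
    discovered: date
    actor: Optional[str]          # attributed threat actor, if known
    vulnerability: Optional[str]  # exploited weakness, if identified
    system: str
    est_cost: float               # direct + indirect cost estimate (USD)


def cluster_related(occurrences):
    """Union-find over occurrences: two records are related if they share an
    actor or an exploited vulnerability; relatedness is transitive, so an
    incident tied to A by actor and another tied to A by vulnerability land
    in the same cluster. Returns clusters ordered by earliest discovery."""
    parent = {o.ident: o.ident for o in occurrences}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (kind, value) -> ident of first occurrence with it
    for o in occurrences:
        keys = []
        if o.actor:
            keys.append(("actor", o.actor))
        if o.vulnerability:
            keys.append(("vuln", o.vulnerability))
        for key in keys:
            if key in first_seen:
                union(first_seen[key], o.ident)
            else:
                first_seen[key] = o.ident

    clusters = {}
    for o in occurrences:
        clusters.setdefault(find(o.ident), []).append(o)
    return sorted(clusters.values(), key=lambda c: min(o.discovered for o in c))


def aggregate(cluster):
    """Roll a cluster up into the figures the materiality discussion starts
    from. The qualitative factors still have to be weighed by people."""
    return {
        "ids": sorted(o.ident for o in cluster),
        "first_discovered": min(o.discovered for o in cluster).isoformat(),
        "systems": sorted({o.system for o in cluster}),
        "total_est_cost": sum(o.est_cost for o in cluster),
    }


def add_business_days(start, n):
    """Date n business days after start, skipping weekends only (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def form_8k_deadline(determination_iso):
    """Filing deadline: four business days after the materiality determination."""
    return add_business_days(date.fromisoformat(determination_iso), 4).isoformat()


# Constructed sample: INC-1 and INC-3 share an actor, INC-1 and INC-2 share
# an exploited vulnerability, so all three are one related occurrence.
# INC-4 shares nothing with the others and is evaluated on its own.
SAMPLE_OCCURRENCES = [
    Occurrence("INC-1", date(2024, 1, 8), "actor-A", "vuln-A", "payroll", 40_000.0),
    Occurrence("INC-4", date(2024, 1, 10), "actor-B", "vuln-B", "marketing-site", 5_000.0),
    Occurrence("INC-2", date(2024, 1, 12), None, "vuln-A", "vpn-gateway", 30_000.0),
    Occurrence("INC-3", date(2024, 1, 15), "actor-A", None, "crm", 50_000.0),
]

if __name__ == "__main__":
    for cluster in cluster_related(SAMPLE_OCCURRENCES):
        print(aggregate(cluster))
    # hypothetical determination on Thursday 2024-01-18 -> due 2024-01-24
    print("8-K due:", form_8k_deadline("2024-01-18"))
```

The point of the clustering step is that INC-2 and INC-3 look unrelated to each other in isolation (different actor, different vulnerability, different systems) yet belong to the same incident for disclosure purposes because each is tied to INC-1; a process that evaluates tickets one at a time would miss that, and the aggregated cost is roughly triple any single record.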

First things first: Agree on a process for materiality determination in your company 

Determining materiality should not be solely the responsibility of any one person. Taking these three steps now can help you avoid unpleasant surprises later.

1. Establish an organized process with the right people.

Among the essential groups that should establish an organized process for determining materiality: the CISO, CIO or CTO and their teams; the CFO and finance team; and the General Counsel (GC) and legal team. The new rule will stress-test how efficiently these three functional teams communicate and coordinate.

Outline the responsibilities of each functional team in the determination and disclosure of a material cyber incident. Share foundational knowledge to bridge across the disciplines: the CISO, CIO or CTO will need grounding in the materiality framework, while the CFO, finance team and GC will need grounding in incident response and the company’s cyber strategy.

Ask these questions to anticipate the processes that the company needs to establish or strengthen.

  • On making the materiality judgment: What types of incidents would the company consider reasonably likely to be material? What qualitative factors may be most relevant to investors in the event of a cyber incident, and what mechanisms does the company have to evaluate their impact from the perspective of a reasonable investor?
  • On the information needed to make a materiality judgment: What information is needed to review each incident and make a joint determination in an objective and factual way? How would we identify related occurrences that should be considered together? What information would be needed to disclose the nature, timing and scope of the incident as well as its impacts? What will our process be to accumulate the information required for disclosure and file the 8-K within the four business day timeline? Should external SEC legal counsel be consulted?
  • On a defined disclosure process: When should incidents be escalated, and to whom? What process should be followed for disclosure drafting and review to meet the four business day reporting timeline once materiality has been concluded?

2. Confirm the information you need to collect to determine materiality

The CISO (or CIO, CTO) should collect the information that those ultimately responsible for the materiality determination need. Clarity on these questions will help: What is the relevant information that should be communicated based on the known and unknown facts and circumstances of the cyber incident? Can the CISO and team provide the information quickly enough and in the form that would be most useful in the materiality determination? Do they have appropriate relationships with third parties, such as forensic firms, if external expertise were required to collect critical information?

3. With each cyber incident, prepare to document contemporaneously.

The documentation of the company's process, who was involved and ultimately the conclusions reached, including the basis for such conclusions is critical. Is each team able to produce contemporaneous documentation of the facts — known and unknown — about an incident and the factors considered in assessing the materiality? The company would want the documentation ready if requested by the SEC.
