Effective December 18, 2023, the Securities and Exchange Commission (SEC) is enforcing a pivotal rule for public companies reporting under the Securities Exchange Act of 1934.
This rule mandates timely disclosure of material cyber incidents. But what makes a cyber incident 'material'?
According to the SEC ruling, here’s how to understand ‘materiality’ in cybersecurity:
Consistent Materiality Standard: The SEC clarifies that the materiality standard aligns with federal securities laws and various court rulings. A fact is ‘material’ if a reasonable investor finds it important or if it significantly alters the total information mix available.
Objective Analysis: Companies must objectively analyze both quantitative and qualitative aspects of a cyber incident. This includes evaluating the incident's impact and its probable future impacts.
As you can see, the standard for assessing materiality is a pretty grey area. Luckily, we are here to help you!
Here are 10 questions that companies should ask to determine the materiality of a cybersecurity incident in line with the SEC’s cyber incident disclosure rule:
1. Nature of the Attack: What was the specific nature of the cyber attack? Was it a novel type of attack or a variation of a known method? Was our company the sole target, or part of a larger attack on the industry or region? Did the attack originate in our systems or via a third party?
2. Characteristics of the Threat Actor: Was the attacker an individual, a loosely affiliated group, a sophisticated criminal organization, or a nation-state?
3. Compromised Systems and Data: What systems were compromised and what type of information was stored on them? How critical are these systems to our overall operations?
4. Response Timeline and Nature: How quickly was the incident detected and resolved? What level of expertise was required for the resolution? Did the incident necessitate involvement from executive management or the board?
5. Ongoing and Future Impacts: What are the potential ongoing effects on our company and the future trends of our business? Beyond immediate costs, are there potential future costs related to operational changes or strategies to prevent similar attacks?
6. Industry-Specific Considerations: How does our industry view cyber risks? Have these risks been factored into investor valuations, and how might an incident alter this perception?
7. Legal Implications: What are the potential legal consequences of the incident? Does it increase the likelihood of lawsuits, enforcement actions, or other legal proceedings?
8. Harm to Reputation: How has the incident affected our company’s reputation?
9. Business Operation Disruption: What impact has the incident had on our business operations?
10. Customer and Vendor Relationship Impact: How has the incident affected our relationships with customers and vendors?
While this is not an all-inclusive list, these questions are designed to help management assess the materiality of a cyber incident by considering a range of factors, from the nature of the attack to its broader business implications. These factors are also in line with the Supreme Court's guidance to resolve doubts about materiality in favor of investor protection.
In reality, deciding whether a security incident is ‘material’ in the heat of the moment will be challenging at best. This is why we help companies prepare by documenting materiality playbooks and performing tabletop exercises that debate the materiality aspects of an incident.
Thanks for reading and feel free to contact [email protected] if you have any questions about how the new SEC rulings affect your organization.