Examining Materiality and Cybersecurity Incidents: Practical Tips for Implementing the New SEC Rules

Publicly traded companies have tangled with the question of when a cybersecurity incident should be disclosed to the public and investors. In a bid to add clarity to the topic, the U.S. Securities and Exchange Commission (SEC) released new rules for publicly traded companies requiring a public filing within four days of determining a cybersecurity incident is “material.”

Now, in the midst of a cybersecurity incident, companies must be able to quickly make these determinations. Many may be asking, “What does “material” mean in this context?” and “How should incident response planning change in light of the new rule?”

How and When Is an Incident “Material?”

The SEC is clear that a public company “must determine the materiality of an incident without unreasonable delay following discovery” of an incident. But that leaves unanswered the questions of how a public company should make that determination and who needs to be involved in the decision-making process.

In determining materiality, the SEC is clear in its rule adopting guidance that a “material impact may vary from incident to incident,” meaning there is no one size fits all approach to a materiality analysis. The SEC goes on to state companies should consider “qualitative factors alongside quantitative factors in assessing material impact of an incident.” (SEC Rule at 29.)

Those factors include harm to reputation, relationships, or just general competitiveness, in addition to litigation risk. Some materiality discussions, the SEC notes, could center around “data theft, asset loss, intellectual property loss, reputation damage, business value loss,” as a part of materiality concerns. In the wake of the MOVE-it CL0P incident, the SEC guidance is clear that the incident does not need to originate within an organization for it to be material enough to need disclosure. In other words, there is no get out of jail free card by having an incident occur related to data hosted by a third party.

What Happens Once the Material Threshold Is Met?

Once a determination is made that the cyber incident is material, a public company must make a public disclosure on, for example, a SEC Form 8-K. The disclosure must address:

• the nature, scope, and timing of the incident
• the material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations

The SEC final guidance clarifies that a company does not have to disclose its planned response, including specific or technical information that could harm a company.

The SEC’s new rules on materiality and disclosure are clear that there is no hiding a material cybersecurity incident. As with all incident response, the best plan is to, at the very least, have a plan on how your organization is going to handle materiality in a major incident.

How to Prepare Your Incident Response Team

As security professionals are well aware, each incident is different and has its own complexities. Public companies, as a part of their incident response planning, should task a smaller subgroup of the incident response team with gathering information to make a materiality determination. That group should include both in-house and outside counsel, along with representatives from the IT security team, finance, and general operations leadership.

Take, for example, a ransomware incident at a manufacturing company. The ransomware incident might not impact a significant amount of personal identifying information but could impact a critical manufacturing line. Operations needs to be involved to understand what orders or large-scale customer contracts are impacted. Finance needs to be involved to determine the amount of the loss of revenue per day of a manufacturing line being taken offline and whether that downtime, in light of the totality of the company’s circumstances, is considered material. Once this information is in hand, legal needs to be deeply involved to determine if the materiality threshold has been met and to help craft the public filing due within four days determining of materiality.

Conclusion

Four days to determine materiality, while you are also dealing with a cybersecurity incident, does not leave much breathing room. If you need help preparing your team to comply with the SEC’s new public filing rule, contact a member of the WRVB Cybersecurity & Data Privacy team to begin making a plan.