SEC expectations for the materiality assessment for cybersecurity disclosures

Many public companies are deliberating how to approach materiality assessment and disclosure of cybersecurity incidents in accordance with the new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule issued July 26, 2023, by the U.S. Securities and Exchange Commission (SEC). Below we review the rule’s key components.

In the final rule, the SEC reminds registrants that information is material if:

• There is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision.
• Disclosure of the information would have been viewed by the reasonable investor as having significantly altered the total mix of information made available.

The rule requires the disclosure of cybersecurity incidents on Form 8-K (Form 6-K for foreign private issuers) within four business days if deemed material. Registrants must describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant in the newly introduced Item 1.05 of Form 8-K. Delayed filing is allowed if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety.

In addition to completing Form 8-K, registrants must file Form 10-K to describe their cybersecurity risk management and strategy, management’s role in assessing and managing material risks from cybersecurity threats, and their board of directors’ oversight of cybersecurity risks.

The SEC rule defines three key terms as follows:

• Cybersecurity incident: An unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
• Cybersecurity threat: Any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
• Information systems: Electronic information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the registrant’s information to maintain or support the registrant’s operations.

To properly assess the aggregation of related immaterial incidents, registrants must continually refine their incident response management process. This includes maintaining a robust incident logging process to record incident details. Ongoing evaluation of materiality arising from the aggregation of these incidents is imperative to enable informed disclosure decisions.

The SEC emphasizes that registrants must exercise judgment when determining if any information within their information systems has been compromised during a cybersecurity incident. Factors such as the nature and complexity of the information and its criticality to the registrant's business must be carefully weighed in this assessment.

Given that the definition of a cybersecurity incident extends to a series of related unauthorized occurrences, companies must consider whether to aggregate related cyber incidents. For example, aggregation would be expected when, collectively, the following are material:

• Incidents in which the same malicious actor engages in a number of smaller, continuous attacks against the same company
• Related attacks from multiple actors exploiting the same vulnerability

Factors to consider in assessing materiality include, but are not limited to:

• The potential significance of the loss
• The probability of an adverse outcome
• The harm to all concerned (e.g., individual customers, vendor relationships, the registrant's reputation and its market position from a competitiveness standpoint)
• The potential impact on the company’s financial reputation
• The possibility of litigation or regulatory investigations

The rule’s materiality standard aligns with the principles delineated in federal securities laws and draws on precedents from various court cases addressing materiality. Each company is expected to employ its specific methodology in applying materiality to the unique facts, incidents and circumstances it encounters.

Making a materiality determination involves a high degree of judgment. Companies must conduct an objective analysis of both quantitative and qualitative factors, and consider an incident's impact and reasonably likely consequences. They must also keep in mind that a lack of significant quantifiable harm does not necessarily mean that an incident is not material.

Establishing a cross-functional committee—involving in-house legal experts, lawyers (especially in major incidents requiring external counsel), finance professionals, compliance officers, and IT specialists (CIO, CISO, CTO, etc.)—enhances the efficiency of assessing cybersecurity incidents qualitatively and quantitatively. Each participant should have well-defined responsibilities in the assessment, determination and disclosure of incidents.

Registrants should also assess and, if material, disclose known cybersecurity incidents affecting third-party systems the company uses in its operations. Ownership of the affected/compromised systems does not absolve registrants from disclosing known cyber incidents involving third-party systems. The SEC places the onus on registrants for disclosing third-party cyber incidents, without mandating the disclosure of specific third-party details.

The following information should be disclosed on Form 8-K, if known at the time of filing:

• The material aspects of the nature, scope and timing of the incident
• The material impact or reasonably likely material impact on the registrant, including on its financial condition and its operations

A registrant must disclose if any of the above information is not determined or is not available at the time of the Form 8-K filing. Item 1.05 instructions state that such disclosures do not need to provide specific or technical details that may affect management's response to the incident or the formulation of remediation plans.

SEC final rule readiness assessment

• Does our organization have a defined methodology for assessing the impact of cyber incidents from a reasonable investor's standpoint?
• Do pertinent parties in our organization know how to gather qualitative factors related to cyber incidents, especially factors significant from an investor’s perspective?
• Does our cybersecurity-related information gathering and processing facilitate a timely determination of materiality?
• Does management have a methodology for applying materiality considerations to both qualitative and quantitative factors related to cyber incident reporting?
• Has our organization clearly delineated the types of incidents “reasonably likely” to be material for reporting purposes?
• Is a collaborative process established among key stakeholders across the organization for responding to cybersecurity incidents?
• Do we have a sustainable process for meeting the requirement to report a cyber incident within four business days of establishing its materiality?

Incident response and reporting

• Does our organization boast a robust incident management process that effectively facilitates the receiving, recording, assessment and escalation of cyber incidents?
• Do we consistently deliver a comprehensive cyber awareness program at all levels to enable prompt identification of potential cyber threats and incidents?
• How efficiently do we escalate incidents from initial reporting to final assessment and determination for disclosure?
• Does our organization maintain a resilient vendor management program, ensuring appropriate oversight to promptly ascertain information about cyber incidents experienced by our vendors?
• Are our service-level agreements (SLAs) equipped with clauses requiring vendors’ timely communication of cyber incidents to our organization?
• Do we have established working connections or SLAs with forensic firms to ensure the timely collection and comprehensive assessment of critical information during a cybersecurity incident?

Are you prepared to navigate key components of the new SEC cybersecurity rule’s materiality assessment process and ensuing disclosure requirements?