Getty Images/iStockphoto
What qualifies as a material cybersecurity incident?
In SEC rules, a cyberincident's materiality hinges on its potential impact on a public company's standing. Learn what this means for cybersecurity disclosure requirements.
In light of the increasing sophistication and pervasiveness of cybersecurity threats, the U.S. Securities and Exchange Commission, or SEC, has implemented stringent reporting requirements for public companies.
A key aspect of these regulations is a public company's obligation to report a cyberincident within four business days of determination of materiality, using Form 8-K.
This directive, while clear in its urgency, leaves a critical question for cybersecurity practitioners and CISOs: What constitutes a "material" incident under the SEC disclosure rules?
Understanding cyberincident materiality
Materiality, in the realm of cybersecurity, is a concept borrowed from financial and regulatory frameworks, where it denotes the significance of an event or information to stakeholders.
The SEC defines material cybersecurity incidents as those that reasonable investors would consider important in making investment decisions. Consider, for example, how a data breach might change a public company's outlook by having material impact on the following:
- Financial conditions.
- Operational performance.
- Reputation.
- Market position.
Key factors that determine cybersecurity incident materiality
To establish whether a cyberincident is material, companies should evaluate the following five important factors.
1. Impact on financial statements
- Direct costs. Account for quantitative expenses related to incident response, legal fees, regulatory fines and potential settlements, as well as whether reasonable shareholders would consider such information pertinent to their interests.
- Indirect costs. Also, consider the loss of revenue due to operational disruptions, reputational damage and the potential for increased insurance premiums.
2. Operational disruption
- Business interruption. Any cybersecurity incident that disrupts critical operations, results in significant downtime or threatens public safety is likely material. For instance, an attack that shuts down a manufacturing plant, disrupts a critical supply chain or threatens critical infrastructure almost certainly affects a company's financial outlook.
- Long-term implications. Assess whether an incident affects strategic initiatives or hampers the company's ability to deliver products or services in the long term.
3. Reputational damage
- Customer trust. Incidents that lead to significant data loss or theft, especially of sensitive customer information, can erode trust and lead to loss of business. A reasonable investor would likely consider such breaches of material interest.
- Market perception. Negative publicity surrounding a breach can impact stock prices and investor confidence -- crucial considerations for publicly traded companies.
4. Legal and regulatory consequences
- Compliance breaches. Incidents that lead to violations of SEC regulations or data protection laws, such as GDPR or HIPAA, can result in severe penalties that affect a company's outlook.
- Litigation risk. Factor the potential for class action lawsuits or regulatory enforcement actions due to a cybersecurity incident into any materiality assessment.
5. Impact on market position
- Competitive disadvantage. If it significantly hampers a company's competitiveness or leads to the loss of intellectual property or reputational damage, a cybersecurity incident is almost certainly material.
- Strategic setbacks. A breach that derails a merger, acquisition or other strategic project qualifies as a material cybersecurity incident due to its clear impact on the company's market position.
SEC cyberincident reporting requirements
Under the new SEC regulations, companies must publicly report material cybersecurity incidents within four business days of determining their materiality.
This quick turnaround time necessitates internal procedures for promptly assessing incidents and their potential impact. Companies must have clear incident response plans and dedicated teams to evaluate the severity and materiality of cyberthreats.
One possible exception: If the FBI becomes involved in an incident with national security implications, the agency could approve a reporting delay. This might happen, for example, if law enforcement determines a nation-state might be involved in an attack.
Best practices for cybersecurity practitioners
Understanding and applying the concept of materiality is crucial to ensure compliance with SEC regulations. Following are some suggested best practices:
- Implement a materiality assessment framework. Develop a clear framework for assessing the materiality of cyberincidents, incorporating the key factors discussed above.
- Establish rapid response protocols. Ensure the incident response team is equipped to quickly assess and report the materiality of cyberincidents. This might include informing law enforcement agencies, such as the FBI.
- Conduct regular training and simulations. Regular training for both cybersecurity and executive teams on materiality analysis and incident response is vital. Do this annually, at a minimum, but preferably quarterly. More training equals better preparedness.
- Maintain detailed records. Documenting incidents and the decision-making process regarding their materiality is essential in achieving regulatory compliance and preparing for potential audits. Ensure relevant stakeholders understand what specific reports and records the company requires them to create and maintain.
- Stay informed on regulatory changes. Keep up to date with SEC guidelines and other relevant regulatory frameworks to ensure ongoing compliance. Ignorance of current rules is not a legitimate excuse.
Determining the materiality of a cybersecurity incident is a complex but essential task for public companies as they navigate the increasingly intricate landscape of cyberthreats and regulatory requirements.
When any cyberincident occurs, CISOs should carefully consider its potential financial, operational, reputational and regulatory impact to ensure both protection of stakeholders' interests and compliance with SEC cybersecurity disclosure rules.
Jerald Murphy is senior vice president of research and consulting with Nemertes Research. With more than three decades of technology experience, Murphy has worked on a range of technology topics, including neural networking research, integrated circuit design, computer programming and global data center design. He was also the CEO of a managed services company.