The SEC says corporations have four days to notify shareholders (via an 8-k) if a cyber incident is of material interest. Assessing materiality of a breach may sounds easy to leaders who deal with that concept in financial situation. But in the cyber domain complying with new SEC requirements will require many corporations to re-think the governance processes they have in place. This post provides insights which can help accelerate improvement of the quality and compliance of materiality decisions. It is based on decades of work in cybersecurity governance and a deep understanding of the new SEC regulations.
The SEC’s new cybersecurity disclosure rules require publicly traded companies to do things differently. These rules are far stronger than previous guidance, mandating detailed reporting on two major categories: governance processes designed to mitigate cyber risks and reporting on incidents that may have a material impact on shareholder opinions.
In the first category, companies must disclose information on their strategies for risk management and governance. The SEC now demands more detailed disclosures (via form 10-k), including how corporations assess, identify, and manage material risks from cybersecurity threats. Additionally, the role of boards in overseeing risks from cybersecurity threats and management’s role and expertise in assessing and managing these risks must also be disclosed.
The second category requires companies to disclose any materially relevant cyber incident within four days of determining its material relevance (via a Form 8-K). Since these rules took effect, the concept of materiality has become a hot topic in the security community. Many have been calling out for SEC clarification on how to assess materiality in cybersecurity, but so far all that has been provided on the topic has been a post asking corporations not to send too many 8-k’s on the topic. Seems there is now a concern about corporations sending an 8-k on anything related to cyber just to be safe.
As for how to determine materiality, the SEC rules state that materiality is determined based on whether “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision.”
Companies are told to assess the materiality of cybersecurity incidents through the lens of a reasonable investor, considering all relevant facts and circumstances, including both quantitative and qualitative factors. Factors to consider include the immediate fallout of a data breach, longer-term effects on operations, finances, brand perception, and customer relationships. Determining materiality does not rely solely on financial thresholds; qualitative impacts, such as reputational harm or potential litigation, can also make an incident material. Additionally, a significant breach affecting data housed on third-party systems (think SaaS or supply chain or partners) must also be considered.
The issue is that determining materiality in cybersecurity is more challenging than it might seem. Corporations seeking to reduce cyber risk while complying with SEC requirements must understand and be prepared to exercise judgement over many issues, including:
Diverse Nature of Cyber Incidents: Cybersecurity incidents can range from data breaches and ransomware attacks to denial-of-service attacks and insider threats. Each type of incident can have different implications and consequences. The scope and severity of incidents vary widely, complicating uniform materiality assessments.
Quantitative vs. Qualitative Impact: Quantitative impacts include direct financial costs like remediation expenses, legal fees, regulatory fines, and potential loss of revenue. These costs can be straightforward to quantify in some cases but highly uncertain in others. Qualitative impacts encompass reputational damage, loss of customer trust, competitive disadvantage, and potential changes in customer behavior, which are subjective and difficult to quantify accurately.
Timing of Impact: Some impacts of a cyber incident, such as operational disruptions, may be immediately apparent. Others, like reputational damage or regulatory repercussions, might unfold over a longer period, complicating the materiality assessment at the time of the incident. The evolving threat landscape adds another layer of complexity, as new vulnerabilities or attack vectors can emerge rapidly.
Dependency on External Factors: Many organizations rely on third-party service providers for critical functions. Incidents involving these third parties can complicate the materiality assessment, as the organization might have limited visibility and control over the incident. Different industries and jurisdictions have varying regulatory requirements for cybersecurity disclosures, adding to the complexity.
Judgment and Subjectivity: Determining materiality often requires significant judgment by management, considering various factors such as the nature of the incident, the information available at the time, and the potential future impact on the organization. Cyber incidents often involve a high degree of uncertainty, especially in the early stages, making it difficult to make a definitive materiality determination.
Stakeholder Expectations: Investors and other stakeholders may have different perspectives on what constitutes material information. Balancing these expectations while complying with regulatory requirements can be challenging. The potential for public backlash or loss of customer trust can influence the perception of materiality, even if the immediate financial impact seems manageable.
Transforming Cybersecurity Oversight
The topic of compliance with SEC regulations gives companies an opportunity to do more than just comply. This is a chance to transform and truly reduce many systemic risks facing modern corporations.
Both boards and management have roles to play in rethinking governance processes.
Boards are overall in charge and set the tone. By law, case law and SEC regulations, boards must function with informed action in the best interest of the corporation and its shareholders. But the board is not day-to-day management. The board should ensure the right processes are in place and exercise oversight. Board members should be regularly trained on cybersecurity risks, incident response, and regulatory requirements. The CISO or equivalent executive should regularly report to the board on cybersecurity issues, including incidents and materiality assessments. We are believers in the contributions that technical executives can make to boards, and encourage every board to consider elevating their expertise in tech to ensure value creation is optimized and risks reduced in the modern world (Board members can work to continuously improve their contributions to governance by applying to join the OODA Network).
An increasing number of boards have decided that the best way to ensure they appropriately exercise duty of care is to establish a dedicated committee for cybersecurity oversight. This is a much more effective method than having a risk or audit committee take responsibility for cybersecurity. A cyber committee can work with management in a more frequent basis to understand and assist in improving policies and procedures used for assessing materiality.
Management has the day-to-day responsibility for corporate operations including cybersecurity. Transforming cybersecurity oversight before the next incident can improve how quickly the organization recovers and ensure optimal materiality decisions are made. Every corporation is different and no journey in transformation is starting at the same spot. But here are considerations for management action:
Establish Cross-Functional Cybersecurity Teams Both For Incident Response and Materiality Decisions Consider the issues articulated above. No single leader or single office can master all of those. Cross functional teams for incident response and materiality decisions are required. Optimally these teams should be led by someone who really knows both how the business creates value and how technology works. This leader should be a direct report to the CEO and someone the board is very familiar with, perhaps a CIO, CISO or CTO. Members should include representatives from IT, legal, compliance, risk management, finance, public relations, and operations, ensuring a holistic view of the incident’s impact on the organization. Engaging external cybersecurity professionals who can provide unbiased, fiduciary cybersecurity support to the board and management is also highly recommended.
Develop and Implement Comprehensive Policies: Management should define their approach to cybersecurity, including prevention, detection, response, and recovery. These days every company has some policies like these. They should all be reviewed to capture the need for clear protocols for internal and external reporting of cybersecurity incidents, ensuring alignment with SEC requirements and other relevant regulations. Criteria and thresholds for determining the materiality of cybersecurity incidents should be defined and reviewed. Policies should ensure decision-makers get the right information for materiality decisions and that the basis for all decisions is well documented.
Establish and Train to Protocols and Procedures: An incident response plan should be regularly trained on, including conducting simulated cyberattack exercises (tabletop exercises). Immediate steps to be taken when a cyber incident is detected should be outlined, and internal and external communication protocols defined to ensure timely and accurate information flow. Practice making determinations of materiality.
External Consultation and Compliance: Engaging external legal and cybersecurity experts who operate in a fiduciary cybersecurity model (one that has a duty of loyalty and duty of good faith to boards vice a model) is essential to ensure unbiased advice to board directors and management. This is directly in the domain of OODA and many members of the OODA network. Regular benchmarking of the organization’s cybersecurity practices against industry standards and best practices is also recommended.
By establishing cross-functional teams, implementing comprehensive policies, defining clear protocols, ensuring robust board oversight, and engaging external advisors who provide non-biased fiduciary advice, boards can create a governance framework that enables effective compliance with SEC cybersecurity requirements. This approach not only helps in meeting regulatory obligations but also enhances the organization’s overall resilience against cyber threats.
Additional Resources for the Board and C-Suite
Why Board Members Must Prioritize Cybersecurity: Lessons from an SEC fine on the NYSE and Intercontinental Exchange.
SEC Rules on Cybersecurity for Publicly Traded Corporations: Actionable context for management and boards.
Corporate directors who seek to inform their decision-making around mitigation of systemic cyber risk can also apply to join the OODA Network.
OODA also helps clients in need of dedicated board cybersecurity services focused on helping Directors understand and manage the complexities of cyber risk. Our advisory team is comprised of only senior executives who have deep domain expertise combined with executive management functions such as serving on Boards of Directors or managing cyber risk as CEOs, CTOs, and CISOs. We help bridge the gap between Boards and their internal security management teams. Learn more at OODA Board Cyber Advisory Services
