
What is considered a material cybersecurity incident?

Given the increasing complexity and proliferation of cybersecurity threats, the U.S. Securities and Exchange Commission (SEC) has introduced strict reporting requirements for publicly traded companies.

A key aspect of these regulations is the obligation of a publicly traded company to report a cyber incident using Form 8-K within four business days of determining its materiality.

While this directive is clear in its urgency, it leaves a critical question for cybersecurity professionals and CISOs: What constitutes a “material” incident under SEC disclosure rules?

Understanding the materiality of cyber incidents

Materiality in cybersecurity is a concept borrowed from the financial and regulatory sectors, where it refers to the importance of an event or piece of information to stakeholders.

The SEC defines material cybersecurity incidents as those that reasonable investors would consider important in making their investment decisions. For example, consider how a data breach could alter the prospects of a publicly traded company by having a material impact on:

  • Financial condition.
  • Operating performance.
  • Reputation.
  • Market position.


Key factors that determine the materiality of cybersecurity incidents

To determine whether a cyber incident is a material incident, organizations should evaluate the following five key factors.

1. Impact on the annual financial statements

  • Direct costs. Consider the quantitative costs associated with incident response, legal fees, regulatory fines and potential settlements, and consider whether reasonable shareholders would consider this information relevant to their interests.
  • Indirect costs. Also consider lost revenue due to business interruptions, reputational damage and the possibility of higher insurance premiums.

2. Operational disruptions

  • Business interruption. Any cybersecurity incident that disrupts critical operations, causes significant downtime, or threatens public safety is likely to be of significant importance. For example, an attack that shuts down a manufacturing facility, disrupts a critical supply chain, or threatens critical infrastructure is almost certain to impact a company’s financial performance.
  • Long-term effects. Assess whether an incident impacts strategic initiatives or hinders the company’s ability to deliver products or services in the long term.

3. Reputational damage

  • Customer trust. Incidents that result in significant data loss or theft, particularly of confidential customer information, can undermine trust and result in business losses. A reasonable investor would likely view such breaches as materially affecting interests.
  • Market perception. Negative headlines related to a data leak can impact share price and investor confidence – crucial factors for publicly traded companies.

4. Legal and regulatory consequences

  • Compliance violations. Incidents that result in violations of SEC regulations or data protection laws such as GDPR or HIPAA can result in serious penalties that impact a company’s future prospects.
  • Litigation risk. In any materiality assessment, consider the potential for class action litigation or enforcement actions by regulators resulting from a cybersecurity incident.

5. Impact on market position

  • Competitive disadvantage. If a cybersecurity incident significantly impacts a company’s ability to compete, or results in the loss of intellectual property or reputational damage, it is almost certainly material.
  • Strategic setbacks. A breach that causes a merger, acquisition, or other strategic project to fail is considered a material cybersecurity incident because of its clear impact on the company’s market position.

Reporting requirements for cyber incidents to the SEC

Under new SEC rules, companies must publicly report material cybersecurity incidents within four business days of determining their materiality.

This short response time requires internal procedures to assess incidents and their potential impact in a timely manner. Organizations must have clear incident response plans and dedicated teams to assess the severity and materiality of cyber threats.

One possible exception: If the FBI becomes involved in an incident that has national security implications, the agency could authorize a delay in reporting. This could happen, for example, if law enforcement determines that a nation-state may be involved in an attack.

Best practices for cybersecurity professionals

Understanding and applying the concept of materiality is critical to ensuring compliance with SEC regulations. Below are some recommended best practices:

  • Implement a materiality assessment framework. Develop a clear framework for assessing the materiality of cyber incidents, taking into account the key factors discussed above.
  • Create protocols for quick response. Ensure the incident response team has the ability to quickly assess and report the significance of cyber incidents. This may include informing law enforcement agencies such as the FBI.
  • Conduct training and simulations regularly. Regular training for cybersecurity and leadership teams on materiality analysis and incident response is essential. Do this at least annually, but preferably quarterly. More training means better preparation.
  • Keep detailed records. Documenting incidents and the decision-making process regarding their materiality is critical to complying with legal requirements and preparing for potential audits. Make sure relevant stakeholders understand what specific reports and records the company requires them to keep.
  • Stay informed about regulatory changes. Stay up to date on SEC guidelines and other relevant regulatory frameworks to ensure ongoing compliance. Ignorance of current rules is not a valid excuse.

Determining the materiality of a cybersecurity incident is a complex but essential task for publicly traded companies as they navigate the increasingly confusing landscape of cyber threats and regulatory requirements.

For any cyber incident, CISOs should carefully consider its potential financial, operational, reputational and regulatory impacts to ensure both the protection of stakeholders’ interests and compliance with SEC cybersecurity disclosure rules.

Jerald Murphy is Senior Vice President of Research and Consulting at Nemertes Research. Murphy has over 30 years of experience in the technology field and has worked on a range of technology topics including research on neural networks, integrated circuit design, computer programming, and global data center design. He has also served as CEO of a managed services company.