Many publicly traded companies are making decisions about the materiality of cybersecurity incidents in accordance with the new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Final Rule issued by the U.S. Securities and Exchange Commission (SEC) on July 26, 2023. We are considering how to approach the evaluation and disclosure of information. Below we review the main components of the rule.
Under the final rule, the SEC treats information as material if:
- There is a substantial likelihood that a reasonable shareholder would consider it important when making an investment decision.
- A reasonable investor would view its disclosure as having significantly altered the total mix of information available.
The rule requires cybersecurity incidents, if deemed material, to be disclosed on Form 8-K (Form 6-K for foreign private issuers) within four business days. In the newly introduced Item 1.05 of Form 8-K, registrants must describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact, or reasonably likely material impact, on the registrant. A delay in filing may be granted if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
In addition to the Form 8-K disclosure, registrants must describe in their annual report on Form 10-K their processes for cybersecurity risk management and strategy, management's role in assessing and managing material risks from cybersecurity threats, and the board's oversight of cybersecurity risks.
The SEC rules define three important terms:
- Cybersecurity incident: an unauthorized occurrence, or a series of related unauthorized occurrences, on or through the registrant's information systems that jeopardizes the confidentiality, integrity, or availability of the registrant's information systems or any information residing therein.
- Cybersecurity threat: any potential unauthorized occurrence on or through the registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of the registrant's information systems or any information residing therein.
- Information systems: electronic information resources, owned or used by the registrant, including the physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information in order to maintain or support the registrant's operations.
To properly evaluate a collection of related non-critical incidents, registrants must continually improve their incident response management processes. This includes maintaining a robust incident logging process to record incident details. Continuously assessing the materiality resulting from the aggregation of these incidents is essential to enable informed disclosure decisions.
The SEC emphasizes that registrants must use judgment in determining whether information within their information systems has been compromised during a cybersecurity incident. This assessment requires careful consideration of factors such as the nature and complexity of the information and its importance to the registrant's business.
Because the definition of a cybersecurity incident extends to a series of related unauthorized occurrences, companies should consider whether related cyber incidents must be aggregated. For example, aggregation is expected where the following, taken together, are material:
- Many small, sustained attacks launched by the same malicious actor against the same company
- Related attacks by multiple actors exploiting the same vulnerability
Factors to consider when assessing materiality include, but are not limited to:
- Potential severity of loss
- Probability of an adverse outcome
- Harm to all parties involved (e.g., individual customers, vendor relationships, the registrant's reputation, and its competitive market position)
- Potential impact on the company's financial reputation
- Potential litigation or regulatory investigation
The materiality standard in this rule is consistent with principles set forth in the federal securities laws and draws on various case precedents regarding materiality. Each company is expected to employ its own methodology in applying materiality to the unique facts, incidents and circumstances encountered.
Determining materiality requires a high degree of judgment. Companies should conduct an objective analysis of both quantitative and qualitative factors and consider both the impact of an incident and its reasonably likely outcome. It is also important to note that the absence of significant quantifiable harm does not necessarily mean that the incident is immaterial.
Establishing a cross-functional committee that includes in-house legal staff, outside counsel (particularly for major incidents), financial experts, compliance officers, and IT leaders (CIO, CISO, CTO, etc.) improves the efficiency of the evaluation and allows cybersecurity incidents to be analyzed both qualitatively and quantitatively. Each participant should have clearly defined responsibilities for incident assessment, decision-making, and disclosure.
Registrants must also assess and, if material, disclose known cybersecurity incidents affecting third-party systems that the company uses in its operations. The fact that the affected or compromised systems are owned by a third party does not exempt the registrant from disclosing known cyber incidents involving those systems. The SEC places the responsibility for disclosing third-party cyber incidents on the registrant without requiring disclosure of specific third-party details.
The following information, if known at the time of filing, must be disclosed on Form 8-K.
- Important aspects of the nature, scope and timing of the incident
- The material impact, or reasonably likely material impact, on the registrant, including on its financial condition and results of operations
Registrants must state in the Form 8-K if any of the above information is undetermined or unavailable at the time of filing. The instructions to Item 1.05 make clear that the disclosure need not include specific or technical details that would impede the registrant's response to the incident or its remediation plan.