Over the past few decades, cyber attackers have used increasingly sophisticated methods to exploit system vulnerabilities and wreak havoc on markets. However, for fear of losing competitive advantage, organizations are notorious for downplaying the impact of these attacks, misleading investors and resulting in stock prices that do not accurately reflect the risk landscape.
In response to these reporting discrepancies, the U.S. SEC updated its cybersecurity reporting regulations in July 2023 with the aim of creating a standardized disclosure framework and promoting greater transparency. As of December 2023, public companies are required to file an annual Form 10-K describing their cyber risk management process and a Form 8-K disclosing cyber incidents with a material impact.
However, the materiality threshold is ambiguous: it is defined only as a level at which it is “reasonably likely that a reasonable shareholder would consider [it] important,” and this caught many organizations off guard. In fact, a recent market study by AuditBoard found that fewer than half of organizations have established processes and frameworks for determining such materiality.
This lack of preparation, coupled with a number of recent 8-K filings that are conspicuously lacking in detail (many of which blatantly ignore materiality benchmarks), raises the need for more specific definitions and guidelines. Only by providing this clarity can the SEC ensure that disclosures contain the consistent data needed to inform investors and stabilize markets.
What is the purpose of the SEC's Cybersecurity Form 8-K?
SEC-registered companies have been required to file Form 8-K in the wake of cyberattacks for several years, but the updated regulations of July 2023 mandate stricter reporting rules. For example, organizations must disclose a cyber incident within four business days after it is determined to be material, thereby eliminating “unreasonable” delays.
The stricter disclosure rules also require affected registrants to describe “the nature, scope, and timing” of [material] incidents, along with other quantitative and qualitative information that could sway a rational investor's decision. Ultimately, the 8-K acts as a safeguard, ensuring that investors and market participants are always fully aware of cyber activity that could significantly reduce returns.
8-K reporting of non-material cyber events
The SEC clarifies that the new component of Form 8-K, Item 1.05, covering material cyber incidents should be filed only after the event has been determined to meet the respective materiality threshold. However, a significant percentage of organizations disclose prematurely. In fact, these companies have explicitly stated the opposite: despite filing the disclosure, their executives do not consider the cyber event to be material.
Public corporations such as Hewlett Packard, UnitedHealth, Prudential Financial, and Cencora Inc. all include some form of the following sentence in their 8-K disclosures:
“As of the date of this filing, this incident has not had a material impact on the Company's operations, and the Company has not determined that this incident is reasonably likely to have a material impact on the Company's financial condition or results of operations.”
Clearly, there is a disconnect between what the SEC intended registrants to disclose and what is actually happening. This discrepancy highlights the need for more specific guidelines that provide solid parameters for when an 8-K filing is required and when it is not.
Why do organizations file 8-Ks for non-material cyber events?
Although legally unnecessary, recent events appear to have led organizations to disclose non-material incidents to the SEC. Most notably, Tim Brown, former chief information security officer (CISO) at SolarWinds, was charged by the commission with fraud for allegedly making misleading statements about the organization's cybersecurity posture.
Although Brown's alleged misconduct was not directly related to the latest cybersecurity disclosure regulations enacted in December 2023, the SEC's move nevertheless sent a clear message to the entire cybersecurity community: regardless of its form, the authorities are prepared to take aggressive action against non-compliance.
As a result, corporate stakeholders have decided that, from both a legal and a reputational standpoint, it is in their best interest to make cyber events public as a precaution. The reasoning is that filing an 8-K unnecessarily carries less risk than failing to file one and later discovering that the cyber event did have a material impact.
Missing important details about the basis for materiality
Another issue SEC registrants have with the apparently elusive disclosure of “material” cyber events is their failure to explain the methodology by which they deemed an incident to have a material impact. The most notable example of this deficiency appears in VF Corporation's Form 8-K, filed two days after the company detected unauthorized access to its systems.
The apparel company stated that “this incident has had, and is reasonably likely to have, a material impact” on its business operations until recovery, but provided few further details. In fact, the only qualitative information offered as an explanation for the materiality determination is that “the company's ability to fulfill orders [was] impacted.”
SEC response to VF Corporation's apparent lack of information
During the feedback phase of the SEC's new cybersecurity regulations, many industry experts objected to the shortened reporting deadline, arguing that four days is not enough time to determine materiality or to gather all relevant details. The SEC acknowledged this objection and provided in the final rule that, if the initial 8-K filing is incomplete, the organization may file a further, more detailed filing four days later.
However, according to the SEC, VF Corporation's sparse 8-K did not meet even the minimum compliance requirements, and the commission argued that the lack of detail provided was unacceptable. In subsequent communications, the agency asked the registrant to expand its disclosure by further describing both the scope of the affected operations and any known material impacts.
The SEC also provided specific advice on how to do so: “For example, consider vendor relationships, potential reputational damage, and the impact on your financial position.”
The day after receiving this letter, the company filed a more detailed amended 8-K, including quantified data recording loss benchmarks and a more substantive explanation of why it believed the December attack had a material impact.
Problems with Form 8-K filings that lack detail or are non-material
8-Ks with insufficient detail
8-K disclosures that lack sufficient detail defeat the SEC's fundamental goal of protecting investors by providing them with consistent information about the impact of cyber events. If an organization cannot provide the data needed to make informed decisions, stakeholders are unable to fully assess the severity of the situation and, as a result, the potential impact on the bottom line.
Moreover, filings with insufficient detail can put more compliant competitors at a disadvantage for their transparency, an act that should, in theory, be rewarded. This inconsistency and lack of clarity not only undermines investor confidence but also impedes the market's ability to accurately price risk.
Non-material 8-K
Disclosing non-material cyber events on Form 8-Ks creates unnecessary noise in the market. Not only does this distract from the cyber events that really matter, but it can also lead to regulatory fatigue and complacency. Inundated with too many disclosures, stakeholders can become desensitized and unable to recognize or respond appropriately to truly significant incidents.
Develop clearly defined materiality thresholds based on revenue
The severity of a cyber incident can be determined by a wide range of factors, including the duration of the event, the number of records compromised, the extent of financial loss, and even qualitative factors such as reputational damage. After all, “material” is a contextual concept defined in relation to the specific organization attacked.
However, the range of interpretation is so wide that many companies clearly do not know how to begin the materiality determination process, let alone how to develop a comprehensive framework for it. This uncertainty can lead companies to make unnecessary disclosures or to provide non-substantive information on their 8-K forms.
Before these reporting discrepancies have large-scale unintended market effects, the SEC needs to establish more specific guidelines for determining materiality. One of the simplest ways to do this is to set a loss threshold as a percentage of the organization's revenue. If an attack results in losses exceeding that amount, companies should seriously consider deeming it material.
These thresholds are not meant to be absolute, nor the single determining factor in deciding whether to classify an incident as material. Rather, they provide an objective value that informs whether an 8-K is needed in the first place and gives the SEC a clear explanation of the determination.
Quantifying interim internal loss benchmarks to ensure SEC compliance
Unfortunately, despite the discrepancies in reporting, the SEC is unlikely to take such a bold approach to developing a more specific definition and framework for materiality. Nevertheless, in an era when cyber events are a matter of when rather than if, organizations would be wise to adopt this approach themselves.
Preliminary quantified loss benchmarking provides business leaders with data-driven insights that can be used to clearly define materiality, thereby ensuring reporting efficiency, consistency, and compliance. By leveraging these numbers, organizations can make disclosures only when appropriate and keep stakeholders informed with the details they need to make sound investment decisions.
Kovrr Cyber Materiality Report
Kovrr's cyber risk quantification experts conducted a comprehensive analysis of companies around the world and concluded that best practices for determining materiality do indeed start with a revenue reference point. Kovrr used this research to create the Cyber Materiality Report, specifically to help organizations determine thresholds and disclose materiality.
If you would like to learn more about this unique service that streamlines SEC reporting and compliance, you can download a sample report or schedule a free demo with one of our cyber risk management leaders.