Understanding the New Rule

In a move to standardize and amplify cybersecurity risk disclosures, the Securities and Exchange Commission (SEC) has adopted a final rule for public companies under its reporting mandate. This rule necessitates disclosure of all material cybersecurity incidents, yet a considerable grey area emerges when it comes to defining what qualifies as a ‘material’ incident. 

Demystifying the “Material Incident”?

Rather than providing a definitive description, the SEC states that “materiality turns on how a reasonable investor would consider the incident’s impact on the registrant.”  Investors will know if something is material when they see it.  

The final rule requires registered public companies to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonable likely material impact on the registrant, including its financial condition and results of operations.”  It goes on to state that “financial condition and results of operations” is not exclusive and that both qualitative factors and quantitative factors should be used in assessing the material impact of a cybersecurity incident.   

cyber governance: sec-ready cyber governance

The rule offers instances of potential material impacts, such as damage to a company’s reputation, alterations to customer or vendor relationships, effects on competitiveness, the likelihood of litigation or regulatory investigations, and possible actions by state, federal, and international regulatory bodies. 

In the case of uncertainty about the severity of an incident, the SEC advises companies to err on the side of caution, aligning with the mandate’s protective intent for investors. 

Key Disclosures for a Material Incident

The SEC states its final rule focuses primarily on the disclosure of the impacts of material cybersecurity incidents rather than the details of the incident itself. 

Registrants will make disclosures about cybersecurity incidents on Form 8-K Item 1.05.  They must describe the material aspects of the “nature, scope, and timing; and impact or reasonably likely impact” of the incident. The SEC’s rule leaves it to the registrant to determine as part of their materiality analyses what, if any, additional details to disclose. 

See also  SEC Fires $50 Million Shot Across the Bow: Vital Lessons from LPL & Ameriprise Ahead of Copilot Implementation

The SEC removed the requirement from the final amendment to disclose the incident’s remediation status and whether data was compromised. Registrants also need not disclose specific or technical information about their planned response, their cybersecurity systems, networks, or devices, or the vulnerabilities of those systems that would impede their incident response. 

As for incidents occurring on third-party systems, the SEC is not exempting registrants from providing disclosures about them if they are determined to be material. 

Timeline for Disclosures

The SEC notes that, prior to the new rule, they saw evidence that delayed reporting of cybersecurity incidents led to possible mispricing of securities that could be exploited by cybersecurity threat actors and others with knowledge of the incident before it becomes public. 

With the new rule, registrants have four business days to disclose information about the impact of an incident once it has been determined to be material. The SEC does not set a timeline of how long registrants have to make the materiality determination other than stating it should be made “without unreasonable delay”.  They go on to say that “adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance.” 

Lastly, in certain exceptional circumstances, the SEC may grant a delay in disclosure if the Attorney General determines that the immediate disclosure could pose a “substantial risk to national security or public safety”. 

Agio Can Help

As cybersecurity professionals at Agio, we know that the materiality determination of a cybersecurity incident is a business, legal, and compliance decision.  Where we help public companies is governing cybersecurity risk management to prevent, detect, and respond to incidents, minimizing the material impact of them. Contact us today.