Introduction
Energizing times are ahead in the new year. As many organizations get their cybersecurity strategies up and running for 2024, they will need to ensure they comply with the U.S. Securities and Exchange Commission’s (SEC) cybersecurity disclosure rules that went into effect in December 2023. For those organizations that do not fall under SEC scrutiny, do not stop reading. The recommendations below reflect practices to implement within your strategy. Additionally, various states, as well as other countries, may soon implement similar rules that may impact non-SEC regulated companies.
Executive Summary of the Guidance
1. SEC's Rationale: The SEC introduces cybersecurity disclosure requirements for publicly traded companies to enhance investors' information consistency and comparability for their decision-making. This is in response to the growing cybersecurity challenges associated with electronic systems, supply chains, and remote work.
2. Materiality Standard: Aligned with existing securities laws and Supreme Court precedents, the SEC uses a materiality standard that takes into consideration quantitative and qualitative factors for effective risk assessment. The SEC does not provide a one-size-fits-all formula and it is up to each organization to create the required definition and documentation to support materiality.
3. Material Cybersecurity Incident Disclosure: Public companies must disclose material incidents within four business days, focusing on financial implications. The disclosure is narrower than proposed to balance disclosure needs with potential risks. There is an extension exception process available if more time is needed.
4. National Security and Public Safety Delay: The final rule, which addresses concerns raised earlier, allows delayed reporting for incidents posing substantial risks to national security or public safety, subject to Attorney General notification.
5. Annual Risk Management Disclosures: Public companies must disclose cybersecurity risk management annually, with a focus on cybersecurity strategy and governance. The rule avoids being overly prescriptive while emphasizing management's role in assessing risks.
The Final SEC Rule is published here: https://www.sec.gov/files/rules/final/2023/33-11216.pdf
What this Means for Your Organization
The SEC has introduced significant cybersecurity disclosure requirements for publicly traded companies. This mandates the public disclosure of a "material" cybersecurity incident in Form 8-K within four business days of determining its materiality. Extensions are allowed in cases where immediate disclosure poses a significant risk to national security or public safety, subject to the determination of the U.S. Attorney General.
Under SEC standards, a "material" incident is one that a reasonable investor would consider important, with no rigid financial benchmark attached. The SEC's viewpoint is that an incident's materiality turns on both quantitative and qualitative factors.
Beyond the confines of financial thresholds, the SEC encourages companies to design a holistic analysis. An incident that never crosses a specific financial limit can still be material through reputational harm or impact on individuals and customers; significance is not a matter of numbers alone.
As we delve into the enhanced reporting requirements, it is only natural for questions to arise. One key concern involves the integration of qualitative factors into materiality calculations. The following is not legal or regulatory advice; rather, it comes from the standpoint that security is a team sport, and these are the steps that all organizations should strive to implement within their business continuity, business resiliency, and cybersecurity maturity roadmaps.
Materiality is a concept that will continue to evolve. After reading the SEC’s notes on how it came to pass the guidance, it appears that the SEC acknowledges the challenge of pinpointing materiality through a magic number of impacted records or dollar thresholds. The essence remains constant: delivering information crucial for informed investment decisions.
Things to Consider
The following are high level questions that you can use in your data gathering process.
Historical Lessons
Erik Gerding, Director of the SEC’s Division of Corporation Finance, recently shared instances where materiality sparked debates, drawing on valuable lessons from Supreme Court cases. See Appendix B.1 for Mr. Gerding’s official statement on the commission’s newest cybersecurity disclosure rules.
Navigating Cybersecurity Disclosures and Deciding Materiality of Impact
Whether you have a nascent or very mature approach to the SEC regulatory requirements, I recommend reviewing your framework to see if it has incorporated the following six key elements.
Creating a Seven-Step Framework
Based upon reading the SEC guidance and the FBI’s guidance on asking for an extension from the four-day regulatory control, organizations should create a framework with the following seven elements:
1. Customized and Documented Materiality Calculations
· Understand that no two public companies are identical; personalize your approach.
· Consider qualitative and quantitative differentiating factors, including industries served, operational processes, product/service portfolio, business size, economic environment, and risk transfer mechanisms.
· Document the qualitative and quantitative calculation approach and seek internal and legal counsel approval.
2. Assessment of Cyber Impact on Business Factors
· Recognize the interconnectedness of business factors and their role in determining materiality.
· Consider industry landscape, operational intricacies, and economic conditions specific to your business.
3. Alignment of Cyber Scenarios with Business Realities
· Ensure cyber scenarios align with the intricate realities of your business.
· Recognize investments in backup technologies, recovery tools, and insurance may make you more resilient, but may or may not assist with the materiality calculation.
· Go beyond theoretical assessments and ground your strategies in the practical implications of your unique operational landscape via tabletop exercises and backup, resiliency, and recovery system stress tests.
4. Ranked or Weighted Qualitative Factors
· Understand that qualitative factors may hold substantial weight in material determinations.
5. Cyber Risk Quantification
· Integrate cyber risk quantification for the organization’s materiality calculations.
· Tailor your strategy to your unique organizational profile and remember that vendor scorecards that take a one-size-fits-all approach do not apply.
6. Cyber Risk Qualitative Alignment
· Leverage cyber risk quantification to fill the knowledge gap left by qualitative determinations.
· Align cyber scenarios with your holistic business view to unveil the actual financial consequences of potential incidents.
7. Statistical Significance
· Recognize that statistical significance is another element in determining materiality, but note that the absence of statistical significance does not automatically render an incident immaterial.
Acting Promptly
The recent SEC regulations emphasize the imperative of prompt disclosure for cyber incidents and advocate for thorough materiality assessments, aligning with the principles outlined in SAB 99. If you need clarification on where SAB 99 fits in, the SEC website says: "SAB No. 99 states that while the intent of management does not render a misstatement material, it may provide significant evidence of materiality."
In determining the materiality of a cybersecurity incident, a company is urged to act promptly and not wait until a full investigation is complete if sufficient information is available. The possession of critical information – especially if "crown jewels" or key operational systems are compromised – may trigger the reporting clock even before a comprehensive investigation concludes. Factors, such as unauthorized access or exfiltration of significant data, should also prompt a materiality determination. The distinction between encrypted and unencrypted data is considered in the materiality analysis, but it may not be decisive.
Despite streamlined reporting requirements and tight deadlines imposed by the SEC, it is crucial to ensure reports are not misleading. Legal and technical cybersecurity personnel should scrutinize incident response team conclusions, identifying any "known unknowns" in the initial report, with provisions for filing amended reports as information gaps are filled, all while promptly addressing any corrections or material omissions.
Calculating Materiality
The SEC guidance is focused on the voice of the investor. Keep this in mind as you think through materiality.
Please note: there may be cybersecurity incidents that do not require notification under state legislation but can still materially affect the company. For example, a threat actor might use malware to delete data on a company’s system without stealing covered PII. According to legal experts, such a breach could be material to the company without triggering state data breach notification laws.
Below, please review the 10 most critical steps – and corresponding questions and statements – that your organization should consider when determining your materiality calculation.
1. Define the Nature of the Attack
· Was it new; a variant of something previously seen by others; or part of a broader assault?
· Identify the target. Was it focused entirely on your company or was it a part of a more significant industry-focused attack?
· Did the attack target the company's systems directly or via a third party?
2. Assess the Threat Actor’s Characteristics
· Was it an individual, group, sophisticated criminal syndicate, or nation-state?
3. Determine the Impact on Trade Secrets, Intellectual Property, and Company Operations
· What was the impact on compromised systems, operations, processes, and data?
· Can your security teams identify what data has been anonymized and/or encrypted?
· Can you estimate downtime and determine if there were any obvious public impacts?
4. Analyze the Incident Response Timeline and the Complexity of the Response
· How would you gauge the expertise required for resolution and the involvement of executive management or board members?
5. Document the Ongoing Effects and Future Business Trends
· What are the potential ongoing reputational risks and resiliency effects on the company?
· What are the impacts on future business trends, including changes in operations, strategies, and forecasted financials?
6. Consider Industry and Investor Perception
· What is the industry landscape and how do investors perceive cyber risks?
· Are cyber risks already factored into valuations given industry-specific contexts?
7. Weigh the Legal Implications
· What are the potential legal implications stemming from various privacy laws?
· Has the incident increased the risk of lawsuits, enforcement actions, or other legal proceedings?
8. Determine Materiality
· How should your company tailor its considerations to its unique organizational situation?
· How would you weigh factors collectively and resolve doubts favorably for investor protection?
9. Place Greater Emphasis on Qualitative Factors
· Acknowledge that cyber incidents may extend beyond measurable service level agreements, key performance indicators, or financial impacts.
10. Anticipate Harm for Materiality
· Recognize that materiality does not require actual harm in all instances.
· Anticipate potential harm (e.g., reputational damage and intellectual property theft) and inform investors accordingly.
Delaying Guidance
You may be eligible for an extension if your organization needs more time. To request a reporting delay, victim companies must contact the FBI directly at cyber_sec_disclosure_delay_referrals@fbi.gov. Other reporting options requesting a delay are available through CISA, the U.S. Department of Defense, U.S. Secret Service, or another sector risk management agency.
See more on the process at: https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements.
Appendix A – Sources
1. The Wall Street Journal, Voya Case Study: https://www.wsj.com/articles/sec-cyber-rules-loom-over-public-companies-5c627d09?mod=djemCybersecruityPro&tpl=cy
2. SAB 99: https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922#:~:text=purpose%20acquisition%20companies.-,SAB%20No.,provide%20significant%20evidence%20of%20materiality.
3. Beyond Materiality: Comparing the SEC’s Proposed Data Breach Notification Rules with Evolving State Notification Laws: https://www.velaw.com/insights/beyond-materiality-comparing-the-secs-proposed-data-breach-notification-rules-with-evolving-state-notification-laws/
4. Updating Corporate and Cybersecurity Practices to Satisfy the SEC’s Final Cybersecurity Disclosure Rules: Assessing Materiality of Cybersecurity Incidents: https://www.perkinscoie.com/en/news-insights/updating-corporate-and-cybersecurity-practices-to-satisfy-the-secs-final-cybersecurity-disclosure-rules-assessing-materiality-of-cybersecurity-incidents.html