Making materiality judgments in cybersecurity incident reporting

A materiality evaluation should be made using the framework established in the federal securities laws, with a focus on the importance of the information to a reasonable investor. This is no different from the framework used by companies today. The evaluation will be specific to the company and cybersecurity incident.

The SEC’s cyber incident disclosure rule summarizes illustrative quantitative and qualitative factors, including the following:

• Harm to a company’s reputation
  
• Impact of disruption to business operations
  
• Harm to a company’s customer or vendor relationships
  
• Harm to competitiveness
  
• The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities
  
• Impact on business value
  
• Actual and expected direct and indirect costs stemming from the incident
  

Asking the following questions could help in assessing those factors:

• What was the nature of the attack? For example, was it a new type of attack or a variation on an old attack? Also, was the company the sole target, or was it part of a broader attack against a number of companies in an industry, geographic area or some other grouping? Was the attack made on the company’s own systems or through a third party?
  
• What are the characteristics of the threat actor? For example, was it an individual, a loosely affiliated group, a sophisticated criminal organization or a nation state? 
  
• What systems were compromised and what information was stored on those systems? The role that the system(s) play in the company's overall operations would be an important consideration.
  
• What was the timeline and nature of the response? For example, how long did it take to detect the incident, and how long did it take to resolve the incident? What level of expertise was needed to resolve the incident? To what extent did the incident trigger involvement by executive management or members of the board?
  
• What are the potential ongoing effects to the company and impacts on the future trends of the business? In addition to considering the direct and indirect costs relating to resolution, fortification of systems and ongoing mitigation to prevent similar attacks, are there other potential costs associated with changes to operations and strategies as a result of the incident or potential future incidents? Are there changes to forecasted revenues, expenses, profitability and cash flows?
  
• What industry does the company operate in, and how have investors considered cyber risks in valuations, if at all? For example, certain industries may be considered at high risk of cyber incidents such that investors may have already priced cyber risks into valuations. In other industries, cyber risks may not have been incorporated into market pricing, such that an incident may be viewed differently by investors in that industry.
  
• What are the potential legal implications associated with the incident? For example, does the incident increase the risk or likelihood of future lawsuits, enforcement actions or other legal proceedings? Are there loss contingencies that should be accrued or disclosed in the financial statements? 
  

This is not an all-inclusive list. Management will need to consider its own situation to determine any relevant factors, while at the same time consider how those factors should be considered and weighted collectively. In setting forth its opinion on materiality, the Supreme Court acknowledged that “doubts as to the critical nature of information misstated or omitted will be commonplace,” but stated that such doubts should be resolved in the favor of those the statute is designed to protect (in this case, investors). 

Over the years, the SEC staff has provided guidance to assist preparers in their evaluation of the materiality of errors in the financial statements, such as the guidance in SAB 99. Cyber incidents may not impact amounts or disclosures in the financial statements. For example, it may involve theft of various types of intellectual property that are not reflected on the balance sheet but are considered important elements of the company’s overall value in the markets. For these reasons, evaluating the materiality of cyber incidents may warrant greater consideration of qualitative factors than what is discussed in SAB 99 or other SEC staff guidance and statements.

No. The adopting release says, “a material cybersecurity incident may not result in actual harm in all instances. For example, a company whose intellectual property is stolen may not suffer harm immediately, but it may foresee that harm will likely occur over time as that information is sold to other parties, such that it can determine materiality before the harm occurs. The reputational harm from a breach may similarly increase over time in a foreseeable manner. There may also be cases, even if uncommon, where the jeopardy caused by a cybersecurity incident materially affects the company, even if the incident has not yet caused actual harm. In such circumstances, we believe investors should be apprised of the material effects of the incident.” 

It is important to keep in mind the Supreme Court definition, as highlighted above, that a fact is material if there is a “substantial likelihood that..the fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Yes, but only if they are related occurrences. The definition of a cybersecurity incident includes a series of related occurrences. Therefore, related occurrences will need to be aggregated in conducting the materiality determination and, if material, in disclosing the incident. Events that involve the same malicious actor or multiple actors exploiting the same vulnerability are examples of when events may be related. Unrelated occurrences would not be required to be aggregated and instead each unrelated occurrence would be evaluated for materiality separately.