New SEC Disclosure Rules: What Makes an Incident ‘Material’?
On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted a final rule requiring publicly traded companies to disclose material cybersecurity incidents and to describe their cybersecurity risk management, strategy, and governance. The final rule requires Form 8-K disclosure (Item 1.05) of a material cybersecurity incident within four business days of the company’s determination that the incident is material, and that determination must itself be made without unreasonable delay after the incident is discovered. The company must “describe the material aspects of the incident’s nature, scope, and timing,” together with its material impact or reasonably likely material impact on the company.
The adoption of the final rule comes in the wake of two widely cited industry reports, Verizon’s “2023 Data Breach Investigations Report” (the “Verizon Report”) and the 2023 “IBM Cost of a Data Breach Report” (the “IBM Report” and, together with the Verizon Report, the “Reports”). The Verizon Report draws its results and analysis from a dataset of 953,894 cyber security incidents, of which roughly one quarter were confirmed breaches. The IBM Report revealed, “[i]n 2022, it took organizations 207 days to identify a breach. In 2023, it took only 204 days. On the other hand, organizations required an average of 73 days to contain breaches in 2023, while they required just 70 days on average in 2022.”
Taken together, the findings of these Reports reveal a few fundamental things: 1) there are a great many cyber security incidents (FBI complaint statistics corroborate this); 2) once a company concludes that an incident is material, it has four business days to file a disclosure describing damage from an intrusion that, by the IBM Report’s averages, went undetected for roughly 204 days and took another 73 days to contain, so the facts are often still being established when the clock starts; and 3) without some guidance on what rises to the level of a material breach, public companies that fall prey to a breach and want to comply with the new rule will be filing a sizable number of amended Form 8-Ks as facts emerge. More succinctly, it can take a company some time to determine whether a breach was material, yet the rule does not permit that determination to be delayed unreasonably.
Attorneys at large law firms must stay abreast of the evolving landscape of cyber security incidents, especially in light of the SEC’s new cyber security incident disclosure rules. To navigate this terrain effectively, it is crucial to understand what distinguishes a cyber security incident as a “material incident” and what the new rules require.
The findings of the Reports underscore the urgency for organizations to adopt robust cyber security measures and precisely assess the materiality of each incident. The SEC has recognized the gravity of cyber security incidents and their potential to significantly impact investors, shareholders, and the public. The new disclosure rules aim to ensure transparency and accountability in the event of a material cyber security incident.
Under these rules, if you, as an attorney at a large law firm, represent a publicly traded company, it is your responsibility to ensure that your client complies with these disclosure requirements. The rule does not define “material” anew; the company must apply the established securities-law standard, under which information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision. In applying that standard to a cyber security incident, the following factors bear on the analysis:
- Nature and Scope of the Incident. The first step in assessing materiality is understanding the nature and scope of the cyber security incident. Was it a minor data leak, or did it result in a catastrophic data breach affecting millions of individuals? The broader the impact, the more likely it is to be deemed material.
- Financial Impact. Financial considerations play a pivotal role in determining materiality. If the cyber incident results in significant financial losses, such as litigation costs, regulatory fines, or lost revenue, it's more likely to be material. You must work closely with your client to quantify these losses accurately.
- Reputation and Brand Damage. A damaged reputation can be just as financially detrimental as direct monetary losses. Public perception of your client's ability to protect sensitive data is crucial. If the incident tarnishes the company's reputation, it may be considered material.
- Regulatory and Legal Consequences. Evaluate the potential legal and regulatory ramifications of the incident. If your client faces investigations, lawsuits, or regulatory penalties, it's a strong indicator of materiality. You should be well-versed in the specific laws and regulations governing your client's industry.
- Customer and Shareholder Impact. Consider how the incident affects customers and shareholders. Was their personal information compromised? Did the incident lead to a significant drop in stock value? These are critical factors in assessing materiality.
- Operational Disruption. If the incident disrupts your client's operations to a substantial extent, it may be deemed material. Assess the duration and severity of the disruption and its impact on the organization's ability to fulfill its obligations.
- Internal Reporting and Response. Examine your client’s internal response to the incident. A delayed or inadequate response can exacerbate the incident’s impact, and because the rule requires the materiality determination to be made without unreasonable delay after discovery, slow internal escalation from the security team to management and counsel is itself a compliance risk.
- Third-Party Involvement. Determine whether third parties, such as vendors or contractors, were involved in the incident. This can complicate the assessment of materiality, as it may extend liability beyond your client.
Your role as counsel is pivotal in guiding your client through the materiality assessment process. You must collaborate closely with your client's cyber security team and IT department to gather accurate information about the incident's impact. Additionally, you should stay informed about the latest developments in cyber security regulations and best practices to provide the most up-to-date guidance. Furthermore, it's essential to communicate with your client's leadership and board of directors, ensuring they understand the significance of materiality in the context of cyber security incidents. By establishing a clear and transparent reporting process, you can help your client navigate the intricate web of legal and regulatory requirements.
And of course, the surest way to avoid the materiality assessment and reporting requirements is to avoid cyber breaches altogether. Encourage your clients to reevaluate their third-party vendors, invest in cyber security measures such as data encryption, and adopt a culture of cyber security awareness and compliance throughout the company.
In conclusion, the SEC's new cyber security incident disclosure rules place a significant responsibility on attorneys at large law firms. To effectively represent publicly traded companies, you must be well-versed in the factors that make a cyber security incident material. With proactive assessment and diligent compliance, you can help your clients navigate the complexities of cyber security incident disclosure and protect their interests in an increasingly digital world.