TheCorporateCounsel.net

July 26, 2023

Cybersecurity: It All Comes Down to Materiality

If the SEC adopts the cybersecurity disclosure rules largely as proposed, there will be one important piece of the rules that will likely remain within our purview (or the purview of the Generative AI robots, once they replace us). That is the question of materiality. In all likelihood, the SEC will not specifically define materiality for this purpose, but will rely on established standards of materiality for determining whether a particular cybersecurity incident must be disclosed on a current basis.

While I can only speak to the topic anecdotally, it is important to consider that the vast majority of cybersecurity incidents that occur on a daily basis are not material and therefore not disclosed through the SEC disclosure system. While it is always a tricky analysis based on the information that one has available at the time, many cybersecurity incidents just do not move the needle from a public disclosure standpoint. That is not to say that public companies should not be prepared from a disclosure standpoint and should not conduct a materiality analysis when an incident happens, but I think the practical reality is that when the SEC’s new rules go into effect, we are unlikely to see a flood of Form 8-Ks reporting material cybersecurity incidents.

In this regard, information about a cybersecurity incident is considered “material” if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would have been viewed by the reasonable investor as having significantly altered the “total mix” of information made available to the investor. As part of a materiality analysis, the company should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity. No single fact or occurrence is determinative as to materiality, which requires an inherently fact-specific inquiry.

The SEC has noted that an evaluation of the materiality of a cybersecurity incident should not be based solely on a quantitative analysis of the cybersecurity incident; rather, a company must thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident (including both quantitative and qualitative factors) to determine whether the incident is material. Even if the probability of an adverse consequence from a cybersecurity incident is relatively low, when the magnitude of the loss, liability or other harm is high, the incident may still be material.

The materiality of cybersecurity incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity incidents also depends on the range of harm that such incidents could cause, including:

– The potential harm to the company’s financial performance;
– The potential harm to the company’s relationships with customers, clients, vendors, business partners and others;
– The potential harm to the company’s reputation; and
– The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.

Once the SEC’s rules are adopted, companies should revisit the materiality framework that they have established for cybersecurity incidents and the disclosure controls and procedures that are designed to facilitate the analysis of incidents in real time. For most companies, this will be a “tune up” rather than a blank slate exercise.

– Dave Lynn