On March 9, 2022, the Securities and Exchange Commission (“SEC”) announced Proposed Rules on cybersecurity risk management, strategy, governance, and incident disclosure (“Proposed Rules”) to address concerns of increasing cybersecurity threats to public companies. Under the Proposed Rules, public companies must promptly disclose material cybersecurity risks and incidents. The SEC confirmed that “materiality” for purposes of the Proposed Rules would be consistent with applicable case law.
This means that certain facts are material if a reasonable shareholder would have relied on the information in order to make informed investment decisions or it would “significantly alter the ‘total mix’” of information available to the shareholder, the standard set by the United States Supreme Court in TSC Industries, Inc. v. Northway Inc., 426 U.S. 438 (1976). In TSC Industries, the Court held that a fact was material in the context of securities fraud if there was a “substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote.” Id. at 449. “Put another way,” the Court continued, “there must be a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” Id.
But from a practical perspective, determining what is material and when to disclose it is not always a straightforward inquiry with a clear answer. A review of the examples given and questions raised in the Proposed Rules provides some useful guidance.
What type of incidents or risks are material in the context of cybersecurity?
Companies should develop internal protocols to streamline and standardize key considerations for making objective materiality determinations related to cybersecurity incidents or risks. The SEC explains that companies must consider both quantitative and qualitative factors, making materiality determinations based on an incident’s nature, extent, and potential magnitude for harm. But what does this mean in practice? The Proposed Rules provide clues as to the type of material cybersecurity incidents and risks that may warrant disclosure, including:
- Incidents violating a company’s security policies or procedures, or that expose a company to liability;
- Incidents affecting a company’s reputation, products, or services, including decreases or delays in production;
- Incidents affecting a company’s financial position, either directly or indirectly, through adverse costs such as payments for ransom or extortion demands, fees for remediation or increased cybersecurity protection, lost revenue, or any damage to the company’s competitiveness;
- Incidents disturbing a company’s relationship with either its customers or suppliers through the accidental exposure or access to customer data, deliberate attacks to seal, sell, or alter data, and compromises to the confidentiality, integrity, or availability of such information;
- Incidents affecting a company’s operations including unauthorized access to, damage to, interruption or loss of control over business information or systems; and
- Individually immaterial incidents that are material in the aggregate, meaning that a number of smaller but continuous cybersecurity breaches may, in fact, be subject to disclosure.
Because public companies vary in size and complexity, the SEC invites comments on whether disclosure instead should be required only where costs associated with an incident surpass a certain financial threshold in reference to the company’s overall assets, equity, revenue or net income. While it is not meant to be a mechanical or strictly quantitative exercise, the Proposed Rules stress the importance of analyzing the impact a cybersecurity incident has or may have on a company’s business strategy, financial outlook, and financial planning including any potential changes to its business model or allocation of capital.
Discovery of any cybersecurity incident listed above should prompt internal discussions with both in-house counsel and compliance professionals as to the proper response and whether disclosure is appropriate.
When do public companies have to disclose material incidents or risks?
Under the Proposed Rules, a company’s determination that a cybersecurity incident or risk is material triggers certain required disclosures. Within four days of the materiality determination, a company will have to disclose (i) when the incident was discovered and whether it is ongoing, (ii) a brief description of the nature and scope of the incident, (iii) whether any data was compromised and, if so, how, (iv) the effect on the company’s operations, and (v) whether the incident has been remediated or is currently being remediated. The SEC notes that, “[i]n some cases, the date of the [company’s] materiality determination may coincide with the date of discovery of an incident, but in other cases the materiality determination will come after the discovery date.” These new disclosures will be in addition to existing security breach notification laws at the state level that require timely notification of breaches involving personally identifiable information to both customers and corresponding state Attorneys General.
Because the SEC expects companies to make a materiality determination “as soon as reasonably practicable” after the discovery of a cybersecurity incident, company leadership must collaborate with their legal and information technology (“IT”) departments to establish detection, reporting, evaluation, and disclosure procedures before a cybersecurity incident occurs. These lines of communication have to be open now in order to save a company from potential turmoil in the future. The SEC warns that while an ongoing investigation into a cybersecurity incident may “affect the specifics of a registrant’s disclosure,” it will not serve as a basis for avoiding disclosure. Overall, companies will have to balance completing any ongoing investigation and remedial measures with the various disclosure and notification deadlines. As with other operational and financial risks, public companies should institute an ongoing review of the adequacy of such evaluation procedures and disclosure policies, especially in light of the short timeframe governing the proposed disclosures.
- The standard for materiality has not changed, meaning information about a cybersecurity incident is material if it “significantly alter[s] the ‘total mix’” of information available to investors.
- Applying the materiality standard in the context of cybersecurity requires an objective analysis of both quantitative and qualitative factors, including evaluation of an incident’s nature, extent, and potential magnitude for harm.
- Incidents may be material if they have significant impact on the company’s financial position, operation, or relationship with its customers.
- Individually immaterial incidents that are material in the aggregate may be subject to disclosure.
- Now more than ever, public companies should encourage transparency and ongoing communication between the company’s IT or information security department and the company’s legal department or disclosure committee, where applicable, to facilitate prompt discovery and disclosure of material cybersecurity incidents and risks.