With 8-K reporting obligations for "material" cybersecurity incidents under the new Securities and Exchange Commission (SEC) rules becoming effective as of December 18, 2023, most companies will soon be tasked with making "real-time" materiality determinations following a cybersecurity incident.1 While the SEC has emphasized that the new Item 1.05 reporting requirement is rooted in traditional securities law concepts of materiality (i.e., is there a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, or would such information have "significantly altered the 'total mix' of information made available?"), applying those concepts in the context of a cybersecurity incident is not straightforward. Consistent with the SEC's 2011 and 2018 interpretive guidance, the adopting release for the new cybersecurity rules cites the relevance of both quantitative and qualitative factors to cybersecurity materiality – including reputational and relationship harm, litigation, investigation or regulatory action risk, and the need to analyze "immediate fallout and any longer term effects on ... operations, finances, brand perception, [and] customer relationships." In light of the relatively limited guidance contained in the release, this blog post outlines several practical considerations for making these materiality determinations.
Substantive analysis tips
The role of external precedent
Materiality determinations are inherently fact specific. While peer and industry precedent may be instructive, the adopting release emphasizes that "the same incident that affects multiple registrants may not become reportable at the same time, and it may be reportable for some registrants but not others." Nonetheless, consideration of precedents – including reactions to similar incidents from litigants and relevant regulators, commercial counterparties (such as significant company customers and suppliers), the company's key investors and the broader market – may all be instructive in assessing certain aspects of an incident's potential impact.
The role of internal precedent
Unfortunately, many/most companies have suffered or will suffer multiple security incidents over time. In making materiality decisions, organizations should consider their prior responses and analyze the impact from incidents they have resolved in the past. Following an established process and ensuring consistency in approach can help mitigate potential liability.
Current and likely impacts
While the final rules require 8-K reporting only upon a determination of materiality, rather than detection of an incident, such determinations must be made "without unreasonable delay after discovery of the incident." Materiality judgments must consider both impacts already experienced and reasonably likely future impacts; however, the SEC has indicated determinations may not be delayed until such future impacts have emerged. For example, an incident that gives rise to reasonably likely material litigation risk would be reportable when the company determines that the factors giving rise to such a risk are implicated in an incident, not when actual litigation claims are first raised. The adopting release cites as other examples the foreseeable impacts of reputational damage or stolen intellectual property, even if such harms are not yet experienced.
Multifaceted costs
Quantitative factors impacting materiality may include a wide variety of costs. In addition to incident containment and remediation expenses, companies should consider response costs, such as forensics, public relations firms, outside legal counsel or costs related to incident notifications, including mailing services and call centers. In considering such costs, it also will be important to evaluate the availability of insurance or indemnification rights from service providers or other counterparties. In addition to these expenses, companies also should evaluate potential lost revenue or other impacts due to factors such as theft of trade secrets, intellectual property or other confidential information, business interruption, data asset loss, or failure to retain or attract customers.
Process and formality
In addition to the substantive determination of materiality, developing effective materiality assessment processes will not only assist companies in making materiality determinations in a timely manner, but also will help them respond to any after-the-fact scrutiny from the SEC or the plaintiffs' bar.
Advance consideration
Advance consideration in a legally privileged environment of types of incidents and indicia of potential materiality related to such incidents can facilitate the development of internal reporting plans and help identify quantitative and qualitative factors that will be relevant to real-time determinations, as well as potential sources of information necessary to evaluate such factors. For example, many companies already have playbooks for particular types of security incidents (e.g., a ransomware playbook) and should consider identifying criteria for making materiality decisions for each incident type. Taking days or weeks to determine the materiality of an incident may be harder to defend if the company has not done the advance work to identify key decision-making criteria.
Establishing internal escalation processes
Instituting internal escalation processes also will facilitate
timely and effective materiality determinations, particularly
incident escalation plans that define how incidents and
vulnerabilities are reported up within the organization – and
when to involve senior management, boards, advisers or other third
parties. Formalizing a materiality assessment process should
include consideration of the appropriate personnel who should be
involved and identification of who will ultimately make the
materiality determination (e.g., members of management, the board
or a board committee, as applicable). In addition to IT personnel,
such as a chief information security officer or chief information
officer, teams such as legal, finance, communications and customer
relations – as well as outside counsel and other third-party
advisers – may play an important role and should be
integrated into organized response plans, as appropriate.
In determining the right mix of participants, companies should
consider not only where necessary information sits within the
organization, but also factors such as maintaining legal privilege,
effective coordination and communication with key decision-makers.
Companies also should consider whether incident escalation and
analysis should be integrated into existing disclosure committee
processes, or if a separate process should be maintained specific
to cybersecurity incidents. In addition, since the definition of
"cybersecurity incident" includes "a series of
related unauthorized disclosures," processes should be
established to monitor whether and when a series of related
occurrences may collectively have a material impact, or reasonably
likely material impact, and therefore trigger an Item 1.05 8-K,
even if each individual occurrence on its own would not rise to the
level of materiality.
Documenting materiality assessment contemporaneously
Consideration should be given to contemporaneous privileged documentation of the materiality conclusion, similar to the Staff Accounting Bulletin (SAB) 99 memo prepared in the context of the analysis of the materiality of financial statement errors, in order to satisfy the company's auditors and help respond to potential inquiries or information requests from the SEC. These benefits will need to be balanced against the potential for creating a discoverable litigation record if claims of privilege are challenged and the additional administrative burden. In addition, any initial documented conclusion may need to be continually updated as new information comes to light during the process of the investigation.
Potential reporting pitfalls
Erring on the side of materiality versus detrimental overreporting
The SEC's adopting release cites the classic materiality statement in TSC Industries, Inc. v. Northway, Inc. that "doubts as to the critical nature" of the relevant information should be "resolved in favor of those the statute is designed to protect." As a result, given fears of being made a test case under the new rules, many companies may be inclined to systematically err on the side of materiality. Nonetheless, overreporting has numerous potential drawbacks – including the potential for false positives that drive down stock price, reputational damage and creating precedent for future similar incidents. In addition, given the fast-evolving and ambiguous nature of many cybersecurity incidents, erring on the side of early reporting may give rise to unnecessary investor and customer panic and could result in inaccurate or misleading disclosure, requiring frequent ongoing updates.
Second-guessing of negative materiality judgments
While companies will likely determine that many incidents – including tough cases – do not rise to the level of materiality, they should be aware of factors that may cause the SEC, investors or potential litigants to second-guess such judgments, including:
- Inconsistency with prior disclosure, such as statements about cybersecurity risk and materiality in SEC disclosure, privacy websites, or environmental, social and governance (ESG) publicity regarding cybersecurity and data privacy that may be inconsistent with a determination of nonmateriality.
- Inconsistency with other external and internal statements regarding the relevant cybersecurity incident, such as statements to customers, employees, investors, vendors and regulators that would support a materiality determination. Companies should strive to align the timing of substantive internal and external statements with 8-K decision-making, and individuals involved in 8-K decision-making should review such content to ensure it is consistent with the materiality determination.
- Inconsistency with internal risk management analyses,such asif the company has prepared internal risk analyses that rank the type of incident in question as a significant risk or more significant than other cybersecurity or business risks that have been disclosed when they materialized. As a result, companies will need to strike a balance between establishing internal risk criteria as part of the incident response preparedness process, while being careful not to predefine the materiality criteria in such a way that eliminates flexibility to analyze each incident independently.
- Inconsistency with market practice – Even though the SEC has emphasized the company-specific nature of materiality determinations, widespread 8-K disclosure of the same or similar incidents may create a presumption of materiality.
- Inadequate disclosure controls – A lack of adequate internal processes to escalate and analyze cybersecurity incidents – including insufficient and/or untimely communication with senior management and the board – may undermine otherwise defensible materiality determinations, especially in light of recent SEC enforcement actions that have applied the internal control provisions of the Exchange Act expansively, including with respect to policies and procedures concerning the disclosure of cybersecurity incidents.
- Insider sales or other transactions contemporaneous with an incident also may give rise to scrutiny of negative materiality determinations, particularly in light of the SEC's emphasis on the intersection of cybersecurity and insider trading in its 2018 interpretive guidance and subsequent enforcement actions.
- Stock price declines – A significant decline in stock price following disclosure of a cybersecurity incident directly to customers – through the company website or social media channels – may require a reassessment of an initial determination of nonmateriality.
- Duty to update challenges –The final rules remove the requirement to include updates on previously reported incidents in 10-Qs and 10-Ks, and the adopting release explicitly states that, other than amending 8-Ks to include required information unavailable at the time of the initial filing, the final rules"do not separately create or otherwise affect a registrant's duty to update its prior statements." Nonetheless, given the evolving nature of cybersecurity incidents and remediation efforts, companies will often want to provide updates to the public to avoid having outdated information in the public domain or having the accuracy or completeness of their initial disclosures questioned. In addition to formal statements and public disclosures, investor relations, customer support and sales teams will often receive questions requesting updates. Companies should carefully consider the materiality of information contained in such updates for Regulation FD purposes. In addition, as with other business matters, companies may choose to include material updates on 8-K filings in advance of the next quarterly or annual report for purposes of having such information incorporated into registration statements.
Takeaway
Although rooted in the well-established materiality framework, the disclosure requirements in new Item 1.05 of Form 8-K present novel issues for companies in terms of how the framework is applied. As the new rule goes into effect, there will inevitably be variability in how companies assess materiality and in the resulting disclosure. However, one thing is certain: The processes by which the materiality of cybersecurity incidents is evaluated, as well as the ultimate conclusions, must be tailored to each company's particular facts and circumstances.
Footnote
1. Smaller reporting companies (SRCs) will be subject to the new 8-K reporting requiring beginning June 15, 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
