The U.S. Securities and Exchange Commission adopted final rules last week that require companies listed on stock exchanges to report cyberattacks no later than four days after they determine a hack will have a material impact. Most companies must start reporting such attacks starting Dec. 18, in an 8-K form.
“Materiality questions are not easy questions at all,” said Lona Nallengara, a partner at law firm Shearman & Sterling, who previously served as chief of staff for former SEC chair Mary Jo White.
Unlike a factory fire that immediately knocks out production, a cyberattack’s fallout might not be apparent right away, said Michael Oberlaender, an independent consultant and former chief information security officer who serves on the board of the greater Houston chapter of Isaca, a technology governance training organization.
What looks like a minor breach of 100 customer records might be discovered to be one million as an investigation continues. It is common to see companies disclose a pileup of attack costs with each quarterly financial statement, he added. “Impact comes to light over weeks and months,” he said.
The SEC’s central argument is that investors should be informed about cyber incidents that can affect a company’s financial health and performance. A significant cyber incident decreases shareholder value by 9% on average in the following year, according to a report from professional services company Aon on Tuesday.
The SEC gave companies discretion to determine whether a hack is material as long as the definition conforms to established case law and legislation enacted in the 1930s.
That is, information is material if a reasonable person would consider it important when making an investment decision, or if it would significantly affect existing publicly available information about a company. Any doubts should be resolved in the favor of the investor.
“Even if leaders are not explicitly required to make a certain level of disclosure, CEOs and boards would be well advised to exercise the highest level of forthrightness and candor in communications related to cybersecurity,” said Thomas View, managing director of Temvi, which advises senior leaders on cyber liability.
The key for executives accountable for cybersecurity will be to document their process and thinking when assessing materiality. The SEC has included some protections against companies that try to delay reporting. The agency said a materiality determination must be made “as soon as reasonably practicable after the discovery of an incident,” and companies must disclose the criteria by which they determine materiality in their annual reports.
The only method by which a report can be delayed is through a direct request from the U.S. attorney general, in writing, to protect national security or public safety.
“We note that in the majority of cases registrants will have had additional time leading up to the materiality determination, such that disclosure becoming due less than a week after discovery should be uncommon,” the agency said in the final rules.
For security chiefs, the new rules give some flexibility to decide when in their incident-response process a materiality determination should be made, said Rex Booth, CISO at cybersecurity company SailPoint.
“Any normal and rational and well-intentioned CISO is going to have an adequate amount of time to do their investigation, determine materiality and then report out,” said Booth, who was the director of stakeholder engagement at the Office of the National Cyber Director until September 2022. “It doesn’t seem so strict as to warrant these complaints that we’re seeing.”
Similar rules requiring federal agencies to report cyberattacks to the Department of Homeland Security, enacted in 2017, led to better incident-response processes, he said.
Investors, under the new requirements, will get a look at whether the company has the processes to identify, give priority to and remediate security issues, said Merritt Baer, field CISO at cloud security provider Lacework, and a former senior cyber official at the Federal Communications Commission. Four days, she said, is long enough to report on a determination of materiality.
“The SEC is really asking for reasonable efforts to be responsible,” she said. The rules are also likely to bring CISOs into contact with boards and disclosure committees more often, given the need for directors to be aware of details that might affect materiality determinations.
“I hope this will be a motivator for the business to give a seat at the table to the CISO, and board members to make cybersecurity an intentional business interest,” she said. If the new rules push managers and directors in that direction, “the SEC will have been part of innovation,” she said.
