Crossing a New Threshold for Material Cybersecurity Incident Reporting
January 17, 2024
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosure requirements related to cybersecurity. In order to comply with the new reporting requirements of the rules, companies will need to make ongoing materiality determinations with respect to cybersecurity incidents and series of related incidents. The inherent nature of cybersecurity incidents, which are often initially characterized by a high degree of uncertainty around scope and impact, and an SEC that is laser-focused on cybersecurity from both a disclosure and enforcement perspective, combine to present registrants and their boards of directors with a novel set of challenges heading into 2024.
In addition to requiring certain annual disclosures relating to cybersecurity risk management, strategy and governance, the final rules added Item 1.05 to Form 8-K, requiring domestic registrants to disclose any material cybersecurity incident[1] within four business days after a registrant determines that it experienced such an incident (the final rules also amended Form 6-K to add “cybersecurity incidents” as a reporting topic for foreign private issuers). Now effective for most domestic registrants, new Item 1.05 requires registrants to describe the (i) material aspects of the nature, scope and timing of the incident and (ii) material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations (new Item 1.05 Form 8-K disclosure will be required for smaller reporting companies starting June 15, 2024). Registrants must also provide updates by filing amended Form 8-Ks to the extent certain information remains unknown at the time of the initial filing.
While registrants generally have well-established disclosure controls and procedures to make sure that required Form 8-K items are disclosed in a timely manner, new Item 1.05 is unique in that the disclosure trigger is the determination of materiality, rather than the underlying event itself, and provides that the determination of materiality is required to be made without unreasonable delay. We expect the impact of anticipated SEC and investor scrutiny of disclosure determinations to cause companies to consider disclosure of events even before a final determination of materiality has been made. Below we discuss some key takeaways and governance considerations in light of the new required Form 8-K disclosure.
Incident Materiality Analysis
In preparation for the materiality determinations that will be required, registrants should ensure their systems and controls for responding to and evaluating cybersecurity incidents address the need for potential disclosure. Cybersecurity incident response plans should contemplate involving internal legal departments early and often in order to make sure that materiality and disclosure obligations are considered repeatedly as a situation develops. Prompt consultation with external advisors, including cybersecurity experts, auditors and outside counsel, is also generally advisable. Processes must also be in place to enable aggregation of individual incidents and to perform an aggregated materiality analysis, potentially on a continuing basis as well.
Consistent with general disclosure principles and caselaw, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available” – the SEC has reiterated that it did not create or intend to create a new materiality standard for cybersecurity.
Below, we provide a list of questions that registrants may wish to consider, among others, when evaluating quantitative and qualitative factors to address the materiality of a cybersecurity incident, bearing in mind that materiality determinations must consider the total mix of information and no individual factor would necessarily be dispositive.
Suggested Factors for Consideration:
- Potential economic losses
  - Does the cybersecurity incident or the response to it affect operations in a way that has materially affected, or is reasonably likely to materially affect, the company’s financial performance, including through revenue loss or an impact on goodwill?
  - Has the cybersecurity incident materially affected, or is it reasonably likely to materially affect, the company’s financial position as a result of adverse costs (including misappropriation of company assets), incident response-related fees (including ransomware payments) or fees for increased cybersecurity defense or insurance?
  - Will the company have to spend additional resources to retain existing or obtain new customers or suppliers as a result of this cybersecurity incident?
- Scope of the incident and impact on key systems
  - How many individuals were affected, if there is a data breach?
  - Is the company’s access to key data or systems compromised?
  - Does the incident suggest a potential ongoing security vulnerability?
  - Does the incident suggest or result in any significant deficiencies or material weaknesses in the internal control over financial reporting, or implicate disclosure controls and procedures?
- Impact on data
  - Was data compromised that relates to business interruption or network security?
  - What is the overall sensitivity/proprietary nature of any such compromised data?
- Incident response
  - How quick and how effective were the company’s controls in identifying and responding to the incident?
  - How quickly does the company expect to recover normal operations?
- Legal consequences and reputational harm
  - What is the likelihood of civil litigation or regulatory enforcement actions?
  - What is the potential for reputational harm?
  - Does the incident expose the company to customer-related disputes, including returns, warranty claims or litigation?
Disclosure Timing Considerations
Given the number of moving pieces and factors to consider, it may take some time to reach a definitive conclusion around materiality for any given cybersecurity incident. If a registrant waits until it has come to a final conclusion around materiality, a significant amount of time may have passed since the initial discovery of the incident. The SEC has been extremely focused on the timeliness of disclosure of cybersecurity incidents. While an incident may appear to be immaterial for some period of time, and non-disclosure at that time would be technically compliant with the disclosure rules, if the incident is later determined to be material, there is likely to be a tremendous amount of scrutiny around the timing of that determination.
As a result, registrants will want to think carefully about the potential benefits of putting out disclosure on Form 8-K under Item 7.01 (Regulation FD Disclosure) or Item 8.01 (Other Events) (and/or in a press release or other Regulation FD-compliant channel) promptly after discovering a cybersecurity incident, while the materiality of the incident is still under consideration (including if they do not believe the incident will likely be deemed material). In addition to the disclosure technicalities, one of the benefits of initially utilizing Items 7.01 or 8.01 instead of Item 1.05 is that there is no preemptive concession by the registrant of the event’s materiality in potential future litigation or otherwise. In some circumstances, disclosure more quickly than the usual four-business-day Form 8-K deadline will be appropriate. We have seen an increasing number of registrants adopt this practice, even ahead of the Item 1.05 requirement becoming effective, and believe it can be an effective communication tool, while also mitigating regulatory and other risk. By disclosing early, a registrant will give itself some breathing room to come to a materiality determination in an expeditious but methodical way that considers all necessary factors. In addition, providing prompt disclosure may provide some protection from stock-drop lawsuits following a potential later announcement that the incident has been determined to be material.
Additionally, registrants may need to alert and provide ongoing updates to certain external stakeholders. For example, registrants may need to coordinate logistics with vendors if their systems are inaccessible, or may be unable to meet their immediate obligations to customers due to production or operational issues. These types of issues will necessitate real-time engagement with impacted constituencies. Putting out public disclosure will facilitate this dialogue and alleviate any concerns around claims of selective disclosure in violation of Regulation FD.
We expect that the developing practice of making an initial disclosure on Form 8-K under Item 7.01 or 8.01 (and/or by press release or other Regulation FD-compliant channel) will likely continue, as registrants will not want to commit themselves to Item 1.05 disclosure and the related materiality determination and resulting additional requirements until they have had time to fully assess the situation. Whether Item 7.01 or Item 8.01 is appropriate (the latter of which carries with it an implicit element of materiality and is filed, not furnished) will be a facts and circumstances determination.
Prepare for Subsequent Inquiries
Many registrants that have disclosed cybersecurity incidents have received later inquiries from the SEC. These inquiries have focused on what was known and when, how the incident was detected, whether the registrant was aware of vulnerabilities that were exploited, whether the registrant engaged with the bad actor, the registrant’s process and considerations around disclosure and whether there were any implications for internal controls.
In responding to any cybersecurity incident, registrants should assume that regulators may ask detailed questions after the fact. As a result, registrants will want to document their materiality assessment at multiple junctures in the process, as well as keep a high-level record of the overall timeline for the incident and response, to be able to respond to these inquiries. In some instances, preparing SAB 99 materiality analyses may be warranted, particularly if financial systems and/or controls are implicated in the incident.
Lessons from SolarWinds
When considering disclosure issues around cybersecurity, registrants should take heed of the lessons from the recent charges filed by the SEC against the software company SolarWinds. In October 2023, the SEC charged the company and its CISO with allegedly misleading investors about its cybersecurity practices and known risks. The SEC’s case is built on contrasting public disclosures touting the company’s supposedly strong cybersecurity practices with allegedly inconsistent internal documents that painted a much bleaker picture regarding the adequacy of its defenses. In addition to alleging that the company included “only generic and hypothetical cybersecurity risk disclosures” that failed to address known, specific risks, the SEC also alleges that when the company did eventually publicly disclose a cybersecurity incident, its disclosure was inadequate because it did not disclose that threat actors had already exploited certain known vulnerabilities multiple times, despite management’s awareness of these incidents.
In the SolarWinds complaint, the SEC made clear its view that registrants must have disclosure controls that cause management to consider the disclosure ramifications of cybersecurity vulnerabilities and intrusions, and for the first time stated its view that a company’s required system of internal controls must include cybersecurity controls that are adequate to ensure that third parties cannot access company assets.
Registrants should make sure that public statements about cybersecurity matters, including the disclosure of any cybersecurity incidents (and the annual disclosure required by other elements of the SEC’s cybersecurity disclosure rule), are carefully reviewed for alignment in two directions: with company knowledge about the extent of the incident at the time disclosure is made, to make sure the registrant is not understating the known severity, and with the company’s internal assessments of its defenses and risks, to make sure the registrant is not overstating the adequacy of its defenses.
Board Oversight and Key Takeaways for Boards of Directors
To make sure a company is ready to address any cybersecurity incident, boards of directors (and delegated committees) should:
- Receive regular reports on cybersecurity risk from management and outside advisors. Directors should actively deliberate, ask questions, engage in discussions and challenge proposed courses of action, including by engaging external advisors when appropriate.
- Confirm that management regularly updates and tests cybersecurity incident response plans and cybersecurity policies.
- Confirm that plans and policies include disclosure controls and procedures that force management to consider whether cybersecurity incidents, individually or in the aggregate, warrant disclosure.
- Oversee the implementation of disclosure controls and procedures that are reasonably designed to facilitate or ensure that cybersecurity-related disclosure is reviewed by appropriate members of management for accuracy.
- Regularly review the company’s cybersecurity budget to ensure appropriate resources are available, understand where capital is being directed for defense and remediation of systems and assess cyber insurance coverage.
- Make sure that board and committee minutes and other formal board records adequately document the board’s and committee’s discussions of cybersecurity, including any incidents, as well as any internal or external subject matter experts consulted. It is increasingly common in shareholder derivative suits for the plaintiff to request minutes and other documents from the company and then use those documents to craft a complaint.
Upon discovery of a potentially significant cybersecurity incident, companies should promptly alert and involve the appropriate constituency within the board of directors. Depending on the company, this is likely to be the committee to whom responsibility for the oversight of cybersecurity matters has been delegated, or the chair of that committee. Periodic, high-level updates should also be given to the full board of directors. While management should ultimately be making any materiality determinations and driving the day-to-day incident response, the board should be involved in the oversight of this process.
In particular, once a significant cybersecurity incident is discovered, the board should:
- Oversee management’s response to the incident.
- Discuss management’s disclosure approach, including disclosure to the market, customers, regulators and other stakeholders.
- Consider and evaluate the broader implications of any cybersecurity incidents, including:
  - Whether there are any implications for the company’s disclosure controls and procedures and internal control over financial reporting, including whether these are still effective; and
  - Whether the incident was anticipated by the company’s cybersecurity defenses, and the implications for the company’s cybersecurity risk management processes as a whole.
- Consider the implications for cybersecurity defense funding going forward, including as this relates to cybersecurity insurance.
- Review and debrief with management on post-incident remediation.
- Review the company’s cybersecurity risk management program and cybersecurity incident response plan to consider lessons learned and appropriate updates.
- Consider the longer-term disclosure implications, as any cybersecurity incidents will inform cybersecurity-related disclosure in future annual reports, including in response to the new rules and in risk factors, on which board members have liability.[2]
Conclusion
SEC attention to and scrutiny of cybersecurity disclosure and internal risk analysis is likely to increase under the new reporting regime. In this brave new world of regulation and with the frequency of cybersecurity incidents only increasing, it remains imperative that boards focus their attention on a company’s system and controls for not only responding to cybersecurity incidents, but also evaluating disclosure obligations with respect to such incidents.
(Republished by New York University School of Law’s Program on Corporate Compliance and Enforcement)
[1] The final rules define a “cybersecurity incident” as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
[2] For further discussion of cybersecurity disclosure in annual reports, see our August alert memo available here.