SEC’s New Cyber Rules Create Challenge in Defining Materiality

New regulations have been implemented to govern the reporting of cyberattacks by publicly traded companies to financial regulators. These rules focus on the concept of materiality, though there is disagreement among executives about the simplicity of this concept.

The U.S. Securities and Exchange Commission (SEC) recently adopted final rules that require listed companies to report cyberattacks within four days of determining that the hack will have a material impact. Starting from December 18, most companies will need to report these incidents using an 8-K form.

According to Lona Nallengara, a partner at law firm Shearman & Sterling and former chief of staff for former SEC chair Mary Jo White, “Materiality questions are not easy questions at all.”

Unlike a factory fire that immediately results in production loss, the true extent of a cyberattack may not be immediately apparent. Michael Oberlaender, an independent consultant and former chief information security officer, explains that what initially appears to be a minor breach could end up involving millions of compromised records. He points out that companies often disclose the increasing costs of such attacks in their quarterly financial statements, as the full impact becomes clearer over time.

The SEC’s argument behind these regulations is that investors should be informed about cyber incidents that can impact a company’s financial health and performance. A report from professional services company Aon has revealed that a significant cyber incident can decrease shareholder value by an average of 9% in the following year.

The SEC has granted companies the discretion to determine whether a hack is material, as long as their definition aligns with established case law and legislation from the 1930s. In essence, information is considered material if a reasonable person would deem it important for making an investment decision or if it significantly affects existing publicly available information about a company. Any doubts should be resolved in favor of the investor.

Thomas View, managing director of Temvi, emphasizes the importance of transparency and candor in cybersecurity communications for CEOs and boards, even if there isn’t an explicit requirement for disclosure.

For executives responsible for cybersecurity, the key is to document the process and reasoning behind materiality assessments. The SEC also provides protections against companies that attempt to delay reporting. They state that materiality determinations must be made “as soon as reasonably practicable after the discovery of an incident.” Companies are also required to disclose the criteria used to determine materiality in their annual reports.

The only scenario in which a report can be delayed is if the U.S. attorney general makes a direct written request to protect national security or public safety.

Rex Booth, CISO at cybersecurity company SailPoint, believes the new rules give security chiefs flexibility in deciding when to assess materiality within their incident-response process. He expects that responsible CISOs will have ample time to investigate, determine materiality, and report the incident. Booth also notes that similar rules imposed on federal agencies in 2017 led to improved incident-response processes.

According to Merritt Baer, field CISO at cloud security provider Lacework and former senior cyber official at the Federal Communications Commission, investors will now have insights into a company’s ability to identify, prioritize, and remediate security issues. She believes that the four-day reporting requirement is reasonable and illustrates the SEC’s expectation for responsible efforts.

Baer also remarks that these rules are likely to increase collaboration between CISOs and boards, as directors need to be aware of details that may impact materiality determinations. She hopes this will motivate businesses to involve CISOs at the decision-making table and make cybersecurity a recognized business interest.

For more information, contact James Rundle at [email protected] and Kim S. Nash at [email protected].
