SEC Regulations: What is a “Material” Cybersecurity Incident?

Independent benchmarking for SEC disclosure strategy

In one of the most important cybersecurity regulatory developments in recent memory, the U.S. Securities and Exchange Commission (SEC) recently adopted new cybersecurity disclosure requirements for publicly traded companies, including a requirement to publicly disclose a “material” cybersecurity incident in Form 8-K within four business days of determining that it is material.

What exactly is a “material” cybersecurity incident?

It’s one of the hottest topics being discussed in the cybersecurity and legal communities today.

The SEC cybersecurity rules describe a material incident as a matter “to which there is a substantial likelihood that a reasonable investor would attach importance” in an investment decision. A reasonable investor is a hypothetical investor generally understood to be a long-term, passive investor of average wealth and sophistication.

According to the SEC rules, understanding whether a cyber incident is material requires an analysis of the total mix of quantitative and qualitative data surrounding the incident. There is not a specific financial threshold for a material cyber incident. In fact, the SEC states in the regulation, "...some cybersecurity incidents may be material yet not cross a particular financial threshold.”

The SEC offers a few examples of what a material cybersecurity incident might look like. “For example, an incident that results in significant reputational harm to a registrant may not be readily quantifiable and therefore may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material. Similarly, whereas a cybersecurity incident that results in the theft of information may not be deemed material based on quantitative financial measures alone, it may in fact be material given the impact to the registrant that results from the scope or nature of harm to individuals, customers, or others, and therefore may need to be disclosed."

However, as the SEC noted in comments to the rulemaking, “most organizations’ materiality analyses will include consideration of the financial impact of a cybersecurity incident.” For this reason organizations may wish to shine a brighter light on financial quantification of potential cyber risks. Organizations should consider performing a cyber risk quantification analysis to help them understand different impact scenarios where the company is exposed financially. This assessment can inform risk and security leaders about gaps in their program, areas to invest in, and potential risk transfer options.

Ultimately, incidents should be evaluated on a case-by-case basis in conjunction with legal counsel to determine materiality. CISOs can play a critical role in understanding what these incidents may look like and developing proactive plans to remediate the risk of an incident. However, the ultimate determination of materiality is often left to legal counsel, the CEO, and the board of directors.

CISOs Guide to Cyber Risk Disclosure - SEC

This guide will help cybersecurity leaders understand the SEC regulation and get started on a journey to satisfying the requirements, meeting investor expectations, and creating a cybersecurity program that will stand the test of time.

What about the four day requirement to disclose a “material” incident?

Some observers have suggested that the SEC’s four day disclosure requirement after determining an incident’s materiality is a tough bar to meet. In fact, the data suggests companies may not currently be prepared to meet these new incident disclosure requirements. Bitsight researchers analyzed more than 12,000 publicly disclosed cybersecurity incidents from 2019-2022 to assess how organization size and incident severity affects the timeliness of incident discovery and disclosure.

According to the analysis, it takes the average organization over 70 days to disclose a moderate, medium, or high severity incident once it has been discovered—well in excess of the four day requirement. Having the right security technology in place along with a methodology to quickly and accurately assess cyber incident materiality will be crucial in meeting the new SEC requirements.

Are there examples of effective incident disclosure?

Companies should analyze prior incident disclosures to identify best practices. For example, in 2019, Norsk Hydro was the victim of a ransomware attack that impacted operations. The company’s response to the incident —which included a press conference featuring corporate executives, frequent, data-rich updates on the corporate blog, an engaged and knowledgeable leadership team, and sound financial estimates in quarterly filings— was widely praised by the market for providing timely, relevant information.

Notably, Norsk Hydro shared information about its cybersecurity program (including information about network segmentation, backup systems, and operational status), insurance coverage and the estimated total financial impact of the cyber attack in quarterly filings following the incident.

Get a handle on cybersecurity regulations

The new SEC regulations offer cybersecurity professionals an opportunity to become business leaders, critical to achieving risk reduction and business growth goals.

CISOs use Bitsight Security Performance Management solutions to provide assurance to shareholders and investors. From independent benchmarking to cyber risk quantification to effective cybersecurity governance and disclosure, Bitsight enables security leaders to understand their cybersecurity programs by leveraging industry and sector benchmarking—ultimately fostering greater trust with stakeholders.

Elevating your security posture is the next step in your compliance journey. Explore cybersecurity benchmarking with Bitsight.