The US Securities and Exchange Commission (SEC) cyber disclosure rule went into effect in July 2023. One year later, a wealth of information is available to determine how useful it has been and what changes still need to be made. In May 2024, the SEC found it necessary to review the filings it had received and offer guidance. To understand the current situation, it is helpful to review how we got here. This involves understanding the original intent behind the disclosure rule, how it was interpreted, and what the updated guidance says.
Cyber disclosures to regulatory and capital markets have become increasingly relevant in the face of ongoing ransomware threats. Ransomware and extortion account for approximately 66% of all financially motivated attacks. The financial impacts of these cyberevents have been a significant concern for rating agencies for several years.
It can be inferred that the SEC has scrutinized the state of information available to investors about their cyberoperations and incidents and has found them to be insufficient. Considering the remit of the SEC in regulating the sale of securities, it wants to ensure that the investor community understands the risk associated with an enterprise’s security. Therefore, the SEC has long used the following two standards to determine materiality:
- Does it affect the total mix of information?
- Would a reasonable investor consider it material?
Over the years, these subjective measures of materiality have been interpreted in various ways, often subject to non-official financial thresholds. Despite this, there has been a flood of disclosures about cyberevents that are not material, with many filings explicitly stating this. The SEC has taken note and responded to the issue.
In a May 2024 statement, the SEC opines about the number of filings that are not material. It states:
Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident “that is determined by the registrant to be material,” and, in fact, the item is titled “Material Cybersecurity Incidents.”
It is clear now that the current regime of nonmaterial materiality disclosures is not what the SEC wants. So, what can you do to prepare your organization to make only material disclosures?
Number one on that list is to quantify your cyberrisk posture. This involves employing cyberrisk quantification (CRQ) methods to assess the financial losses your organization may experience. Once you have that in place, only then can you begin to establish thresholds that drive action in the organization. Such actions include budgeting, cyberinsurance purchases, capital adequacy testing, risk acceptance, and regulatory reporting. The SEC guidelines are not exclusively about financial impact, but once you have established something as financially impactful, it cannot be qualitatively reasoned that it is not material. So, the takeaway is that the regulatory agency responsible for instituting the material disclosure process wants you to treat it as such, rather than being viewed as an incident disclosure process. Update your internal processes for incident response accordingly.
Jack Freund
Is a cyberrisk quantification expert, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.