Navigating SEC’s New Cybersecurity Reporting Rules: Assessing Materiality for Form 8-K Filings

Under the new Securities and Exchange Commission (SEC) rules that will be effective from December 18, 2023, companies face a new challenge of making real-time materiality determinations following a cybersecurity incident. This comes with the introduction of the 8-K reporting obligations for “material” cybersecurity incidents.

The SEC has stressed that this new Item 1.05 reporting requirement is grounded in traditional securities law concepts of materiality. The yardstick for this rule is whether there is a considerable likelihood that a reasonable investor would consider the information important in making an investment decision.

With the growing number of sophisticated cyber attacks, the Form 8-K cybersecurity materiality determinations will greatly affect how corporations respond to these threats. Firms must be vigilant in their proactive and reactive cybersecurity measures. They also need to carefully consider how these incidents impact their materiality determinations in light of these new rules.

Though it may seem daunting at first glance, the requirement is not as unprecedented as it may appear. To navigate these new rules, corporations can look to existing precedent. From the SEC’s Division of Corporation Finance guidance on disclosure obligations related to cybersecurity risks and incidents issued in February 2018, to various SEC enforcement actions and litigation concerning disclosures of cybersecurity incidents, there are a number of key considerations that can guide corporations in making these determinations.

Understanding how to ascertain whether a cybersecurity incident is “material,” and therefore needs to be reported, will be critical. Some of the vital factors to consider when making this determination are the nature, extent and potential magnitude of the incident; how the incident could impact operations and financial results; and the range of harm that could be caused to the corporation and its clients, employees, and partners.

Despite the inherent challenges faced in such reporting, these requirements underline the SEC’s push for increased transparency around cyber risk management in businesses. This further emphasizes the significance of strong cybersecurity regulations and practices in today’s digital age.

For the full details, please visit Key Considerations for Form 8-K Cybersecurity Materiality Determinations.