SEC Mandates 4-Day Deadline for Disclosure of Material Cybersecurity Incidents

Publicly traded companies, facing a growing threat of cyber-attacks, have long grappled with the question of when a cybersecurity incident warrants disclosure to the public and to investors. Adding some much-needed transparency to this topic, the U.S. Securities and Exchange Commission (SEC) has issued new directives for such companies. They are now obligated to submit a public filing within four days of determining that a cybersecurity incident is of “material” significance.
This development was reported by Woods Rogers Vandeventer Black.

It is noteworthy that the term “material” carries significant weight in this context. Legally speaking, an event is considered material when a reasonable investor would view it as having altered the ‘total mix’ of information made available. How, then, should this notion of materiality be applied to a cybersecurity incident?

Given the complexity and the often technical nature of such incidents, companies will need to make more informed judgments about the potential impact of a suspected cyber intrusion or data breach. This involves assessing the probability of its occurrence, its potential magnitude, and the extent to which it may disrupt operations or damage the company’s reputation.

To help companies navigate through this complexity, the SEC has provided some guidance in its rules. For instance, it has stated that public companies should look at both quantitative and qualitative factors when evaluating if a cybersecurity incident is material. Moreover, they are expected to assess the impact a cybersecurity incident could have on their operational results, financial condition, effectiveness of internal control over financial reporting, and disclosure controls and procedures.

That said, even with this guidance, the categorization of a cybersecurity incident as ‘material’ may remain nuanced and largely subjective, depending on each company’s own assessment. This move, therefore, not only requires companies to be vigilant about their cybersecurity but also demands a deeper understanding of the relationship between cyber risk and their wider business strategy.

Key takeaways from this decision can be summarized as:

  • Publicly traded companies are now mandated to file a public report within four days of identifying a ‘material’ cybersecurity incident.
  • The SEC guidance brings clarity but also leaves room for subjectivity regarding what is deemed ‘material’.
  • Companies must now evaluate the connection between cyber threats and their overall business strategy.

This regulatory change underlines a shift in the role of cybersecurity in the framework of corporate governance and disclosure. As such incidents become more frequent and potentially impactful, this evolution should prompt legal professionals to re-examine and fine-tune their strategies to handle cybersecurity risks.