Material incidents, disclosure timelines: Plan carefully for SEC cyber compliance

Public companies face updated reporting requirements around material cybersecurity incidents, cyber risk, and management’s role in oversight.

The Securities and Exchange Commission (SEC) has enhanced its disclosure requirements so that companies identify the cybersecurity risks they face and apprise investors of them, through its new cyber risk and incident disclosure rules. Notwithstanding the impact of the recent SolarWinds ruling on the SEC’s enforcement powers, the cyber disclosure rules remain important in the context of the SEC’s recent – and perhaps future or amended – lawsuits charging that companies and their CISOs misled investors and the public about the existence of cyber risks, the state of their cybersecurity programs, and the severity of cyberattacks they suffered.

The final SEC disclosure rules that took effect in December 2023 were made to help investors “assess risks to their investments, in the same way that they receive consistent and comparable disclosure about other risks that public companies face,” Corporation Finance Director Erik Gerding stated at the time. The rules obligate companies to provide investors information they need to make informed investment and voting decisions that is “more timely, consistent, comparable, and decision-useful.” 

Disclosure now takes two forms. 

  1. Public companies must disclose how they identify and manage their cybersecurity risk, and management’s role in assessing and managing material risks from cybersecurity threats. The rules are informed by prior guidance from the SEC on the levels of detail that must be disclosed, including details revealed by required risk assessments and employees’ internal deliberations. Disclosure must also include whether and which management positions or committees are responsible for considering cybersecurity threats, and their relevant expertise.
  2. Companies must also disclose on Form 8-K (under Item 1.05) when material cybersecurity incidents occur, and describe both why they are material and the material impact, or reasonably likely material operational or financial impact, that could result.* After determining, without unreasonable delay, that an incident is material, SEC registrants must disclose it within four days.

    *Note: On May 21, Director Gerding issued a statement suggesting that public companies consider voluntarily disclosing incidents that either are not material or have not yet been determined to be material, using Form 8-K Item 8.01 (not Item 1.05). Such reporting will not be deemed an admission of materiality; it is more a good-faith demonstration that the company is filing these incidents in a “placeholder space” unless and until it determines that they are material, at which point the regular disclosure process applies.

Both risk-related and incident-related disclosure requirements depend on determining materiality within a reasonable period. The SEC recognizes in the final rule that “a materiality determination necessitates an informed and deliberative process.” The Commission has also taken the position that the materiality of risks will be assessed in light of the company’s own risk disclosures.

What might the process of determining materiality of risks and incidents look like, not just for public companies, but also as a best practice for companies not regulated by the SEC?

Determining materiality

For SEC disclosure purposes, “materiality” is a critical concept in securities law that has less to do with the conventional cybersecurity definition and more to do with standards imposed to help investors make informed decisions. Both the notion of “materiality” and the “reasonable investor standard” are inherently ambiguous. That public companies are required to make the determination under penalty of potential SEC enforcement action makes their materiality assessment process inherently risky.

It is helpful to develop, document, and be able to articulate to investors and the SEC how the company establishes the criteria it uses to determine the materiality of cyber risks and incidents, and the process it employs to apply those criteria in making determinations. Because cybersecurity is perhaps the most pervasive and persistent risk that companies face, it is helpful to consider and characterize cyber risk through the framework of enterprise risk management (ERM).

Cyber risk results from the combination of threats, vulnerability to those threats, the probability of attacks occurring, their likely impacts, and whether a series of related or unrelated attacks might exploit the same vulnerability. Organizations should develop a risk register or ranking of their inherent cyber risks, from most to least severe. They should then address these inherent risks through some combination of risk acceptance, reduction, transfer, and avoidance, based on their risk appetite. As part of their obligation to disclose how they assess and manage cyber risk, companies should be able to clearly articulate – ultimately, if asked by SEC staff – how the organization uses the ERM process to identify and characterize its cyber risks, and the criteria it establishes for the risk rankings it assigns.

Articulating oversight

Another part of that obligation is to disclose how management and the board oversee the cybersecurity management process, so prospective investors can evaluate that oversight as part of their investment decisions. The trend in cyber regulation – not only from the SEC – is to elevate oversight responsibility for the cybersecurity program from the CISO and management team into the boardroom. This requires companies to clearly articulate their governance model and to document that both the board and the management team include people with a level of cyber familiarity sufficient to exercise the fiduciary duty of care, increasingly expected of both, to supervise the organization’s cybersecurity risks and program.

Even if this cyber “knowledge quotient” and expertise is not a disclosure requirement, it is an important element of legal risk management, because lawsuits brought after cyber incidents invariably assert that the management team, the CISO, and the board did not adequately exercise that duty of care.

Even if the CISO is not a defined corporate officer under the corporate bylaws, the CISO should be considered a member of senior management so that they can be covered under the directors’ and officers’ (D&O) insurance policy. Many top CISOs will not take on that high-risk role without being named in the D&O policy. Moreover, companies may already be at a disadvantage in the context of a lawsuit if they do not have a qualified security officer on the management team.

Defensible models may depend on naming some form of materiality and disclosure committee that operates under a clear communication process and a set of disclosure controls, as a best practice for meeting the intent and outcome the SEC envisions for cybersecurity disclosure. Proactive disclosures must be made in annual reports on Form 10-K to provide investors with sufficient information about the material cyber risks the organization faces, how it manages those risks, and how management and the board oversee them. Responsive disclosures must be made to inform investors and the SEC about actual cyber incidents that the organization characterizes as material. (These committees and disclosure models should preferably not be limited to cyber risk, however, but should consider all material risks on which investors may depend.)

Both types of materiality disclosure require that companies define, document, and operationalize processes and disclosure controls around how they determine whether cyber risks and incidents are material, as a basis for providing sufficient information from which investors can make informed decisions. SEC enforcement actions can address not only a lack of disclosure, but also the absence of effective disclosure controls capable of producing timely and effective disclosure.

The process of determining whether risks or incidents are material, and therefore disclosable, requires the participation of the appropriate public company officers and staff, or their qualified designees, possibly operating as a named committee, including:

  • Chief Information Security Officer (CISO)
  • Chief Information Officer (CIO)
  • Chief Executive Officer (CEO)
  • Chief Operating Officer (COO)
  • Chief Financial Officer (CFO)
  • Investor Relations, Public Relations
  • Board Chair or Risk Committee Chair
  • Board Secretary
  • Chief Risk Officer (CRO)
  • Chief Compliance Officer (CCO)
  • Chief Legal Officer / General Counsel (GC) & Securities Counsel
  • Chief Marketing Officer (CMO)

Because material incident disclosures under Item 1.05 of Form 8-K must be made within four days of the determination of materiality, final disclosure decisions must be made rapidly enough to accommodate the actual disclosure process.

Effective materiality criteria might reasonably include:

  • Similarity to the company’s historical pattern of SEC disclosures
  • Nature and scope of the risk or incident
  • Financial impact on current-period financial statements, and reasonably likely expected impact on financial statements for future periods
  • Reputational impact
  • Operational disruption
  • Loss or theft of client, vendor, or employee data
  • Legal and regulatory implications
  • Risk of similar future events or attacks exploiting the same vulnerability
  • Industry and peer benchmarking
  • Management and the board’s assessment
  • Incident response timeline

How CohnReznick can help

CohnReznick develops detailed cybersecurity materiality and disclosure models to help our public company clients think through the process. In each of these materiality and disclosure categories, there are many questions that companies might reasonably consider as they determine – with qualified legal advice – whether they should disclose. There is also a reasonable order of determination that may be optimally defensible in the circumstances of an SEC inquiry or legal action. The safe route is to document the criteria, process, and thresholds the company uses to determine materiality, and to follow that process with both care and speed.

Reach out to learn more.

Subject matter experts

Scott Corzine, Managing Director, Cybersecurity, Technology Risk and Privacy

Bhavesh Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
