SEC cybersecurity disclosure rules: Cracking the code on materiality and reporting

Navigating materiality considerations and cybersecurity reporting

As public companies face increasing threats from malicious actors targeting their information systems and proprietary data, cybersecurity has become a key agenda item for boards [1] and audit committees [2] in 2024. Against this backdrop, the US Securities and Exchange Commission (SEC) implemented new rules, effective December 18, 2023, requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days. Additionally, detailed information regarding their cybersecurity risk management and governance must be included on Form 10-K. [3] These rules demonstrate the SEC’s focus on the criticality of cybersecurity disclosures in formal financial reporting.

However, the implementation of the new rules has raised many questions specific to materiality. The SEC treats an incident as material if “a reasonable shareholder would consider it important” in making an investment decision. [4] In other words, an incident is material if it significantly impacts a company’s operations, financial position, reputation, or legal obligations.

This definition of materiality presents challenges for companies in assessing the significance of cybersecurity incidents and, in turn, supporting disclosure decisions to regulators and other interested parties. Establishing a clear process for determining the materiality of a cyber incident and ensuring proper mechanisms are in place to aid in this determination are crucial for fostering trust in the business, its cybersecurity, and the capital markets.

Identifying triggers for material cybersecurity incidents

It is up to each company to consider an array of factors surrounding a cyber incident to determine whether it meets the materiality threshold. Importantly, these factors must take into account both the actual and expected impacts of the cyber event.

One of the key difficulties that companies are encountering in assessing materiality is the need to consider qualitative factors in addition to the quantitative factors that they may be more accustomed to in financial reporting. Additionally, cybersecurity reporting requires that the information technology (IT) function play an integral role in assessing materiality—a task that is traditionally assigned to the finance or controller function.

As a starting point for assessing the materiality of a cyber incident, consider the following factors:

These factors are not exhaustive and may vary depending on the specific circumstances of each incident, but they provide a starting point for identifying and assessing the quantitative and qualitative impact of a breach. Importantly, these factors leave room for interpretation, necessitating further due diligence before determining materiality.

Applying new and existing materiality frameworks to cyber incident reporting

Quantitative and qualitative factors are a solid starting point for assessing materiality. However, it would be more sophisticated and prudent to leverage a combination of these factors and an established materiality framework. Most organizations already have established structures and processes for determining the severity of an operational incident. These existing frameworks, such as Enterprise Risk Management (ERM) programs, business impact assessments, Business Continuity and Disaster Recovery (BCDR) strategies, incident response strategies, and data governance and data privacy strategies, can serve as a foundation for a basic materiality framework when applied to cyber incidents.

In addition to internal frameworks, companies are starting to leverage publicly available external frameworks for assessing materiality in cyber and other accounting topics. One example is the Factor Analysis of Information Risk (FAIR) Institute Materiality Framework, based on the FAIR™ model. [5] This framework offers a detailed taxonomy of loss categories and expands the loss magnitude factor, enabling companies to quantify the impact of cyber incidents, report financial risk, and track the total cost.

Ultimately, companies should choose the framework that best suits their functions, whether it is internally developed, externally sourced, or a combination of the two. Regardless of the chosen framework, it is crucial to properly document all cyber incident materiality processes and decision points in a manner that regulators can easily interpret.

Integrating cyber response and disclosure teams

A common mistake in evaluating materiality is looking at a cyber incident solely from the perspective of the impacted company. Instead, materiality must be determined objectively and through the lens of outside stakeholders. In other words, companies must carefully determine whether an investor would consider the information related to a cyber event material to their investment decision.

In an effort to bring this multistakeholder lens to cybersecurity, many organizations are developing cross-functional disclosure committees consisting of C-suite executives, general counsel, board representatives, and finance personnel who are responsible for assessing cyber incident fact patterns and, ultimately, making the materiality determination. Integrating representatives from the existing cyber response team into the disclosure committee can facilitate a swift and comprehensive response.

The disclosure committee should be prepared to discuss various aspects of the incident and response. Consider the following questions as a starting point:

Navigating Form 8-K and Form 10-K disclosures

If a cyber incident is deemed material, then the company must disclose it on Form 8-K within four business days of making this determination.