Cybersecurity Disclosure Rule Poses “Material” Challenge
To hear Shakespeare tell it, labels are irrelevant. “A rose by any other name would smell as sweet,” Juliet tells Romeo, assuring him that she loves him despite his family name. This may not come as a surprise, but the SEC does not adopt the same worldview as the besotted Capulet.
Late last month, the SEC finalized new rules on cybersecurity disclosure; under them, the obligation of public companies to disclose cyber incidents depends entirely on whether they are labelled “material.” Getting more granular, the rule requires registrants to disclose “material” cybersecurity incidents within four days “after a registrant determines that a cybersecurity incident is material” (with an exception when disclosure would affect national security or public safety).
All this, of course, begs the question: what is a “material” incident? That question has purchased vacation homes for generations of securities lawyers, who debate it profitably to this day. We do have a few hints. The SEC laid out broad parameters in the rule itself, noting that materiality depends on the “impact to the registrant” (and not, for instance, on “where the electronic systems reside or who owns them”). The SEC also clarified that “material” means the same thing in the cybersecurity context as it does elsewhere in securities law: “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision’…or if it would have ‘significantly altered the total mix of information made available.’”
All clear then? Didn’t think so. Which is why, as much as their legal counsel may benefit from such debatable standards, public companies were not thrilled to see them in this rule. The rule received significant pushback from business groups, in part because of the difficult decisions it forces registrants to make. For instance, registrants must make the materiality classification “without unreasonable delay.” Commentators have noted that making a quick call on materiality in an active breach could pose “significant challenges and risks” for public companies. Others have warned that it could lead to uninformed disclosures. “The prospect of the SEC and investors scrutinizing a materiality decision may incentivize companies to make a disclosure before they have complete information,” lawyers at Cleary Gottlieb write.
Companies that don’t disclose quickly, meanwhile, may find themselves proven wrong later, as the impact of a cybersecurity incident may not be clear on a four-day timeline. “What looks like a minor breach of 100 customer records might be discovered to be one million as an investigation continues,” one consultant told the Wall Street Journal.
For more guidance on what type of information the SEC will be expecting companies to disclose, we searched the Intelligize platform for past instances in which the SEC asked for greater disclosure around cybersecurity incidents. In each, the SEC was careful to note that it was asking only for “material” information regarding the incidents. Nonetheless, the SEC’s requests of the following four registrants may be instructive:
- Fidelis Insurance Holdings Ltd: After the company disclosed cyber-attacks, the SEC asked it to discuss “the magnitude of the incident or incidents, the consequences and when the attacks occurred.”
- Belite BIO, Inc.: After the company disclosed threats to its data, the SEC asked it to “include a description of the incident, costs, and other consequences.”
- S-Evergreen Holding LLC: After the company disclosed a ransomware attack, the SEC asked it to disclose “the costs and impact of that incident” as well as “the board’s role in overseeing the company’s cybersecurity risk management.”
- Alion Science & Technology Corp.: After the company disclosed unauthorized access to its network “in a prior fiscal year,” the SEC asked it to describe “when the cyber incident occurred” and “any material costs or consequences.”
Together, these comment letters suggest that the SEC will be expecting companies to reveal the timing of cybersecurity incidents along with their magnitude, cost, and other impacts.
It did not ask for any last names.