SEC Cyber Incident Materiality Disclosure Rule

A quick reminder: 1) I’m not an attorney, and this is not legal advice, and 2) my thoughts are my own.

It’s been a minute since I’ve had the time to write here, and I realize that I miss it. This is a topic that I have had the pleasure of diving quite deep into. I’ve seen a lot of FUD spread about this, and to be honest, I don’t think it is anything we (cyber security professionals) need to get worked up about. My goal is to identify the reasons why this is not as big a deal for the cyber security industry as some would have us believe.

The Cybersecurity Org does NOT file 8-Ks

This is the first reason why we should not get worked up about this. It doesn’t change anything about our day to day. None of us are going to be asked to write an 8-K and file it on behalf of our organization (at least not in a decently large org), and if you are, you should push back.

8-Ks are Nothing New

Publicly traded companies file 8-Ks fairly regularly. There are other rules from the SEC that require these to be filed. An 8-K is just a form used by these companies to announce something material that shareholders need to know about.

4 Days for Notification is NOT Unique

As I mentioned before, there are other triggers for filing an 8-K, which is just a form for disclosing something material, and those items also have a 4-day window. There was already precedent for this.

4 Days for Notification Does NOT Change your IR Program

The rule does NOT say you have to report every incident, or any incident, within 4 days. It says within 4 days of determining materiality. This is the key here. I will offer some suggestions on this further down, but essentially you have a chance to define what that process looks like.

The SEC is NOT Prescribing How Incident Response Should Perform

Again, they aren’t saying they expect anything to change in an IR program, other than having a trigger for when something may be material.

Cybersecurity is NOT in a Position to Determine Materiality

Materiality is a really big deal for a public company. Think bankruptcy (which has a filing trigger), mergers and acquisitions, and major deals. These are the types of things that generally trigger an 8-K to be filed. We are not talking about someone clicking on a phishing link, EDR isolating an executable, and BAU IR activities taking place. We’re talking about SolarWinds, MGM, and Colonial Pipeline level events. I’ll caveat that with: depending on the company, there could be other things of a lesser nature that may be material.

1) Cybersecurity does not speak for the business as a whole.

2) Cybersecurity is not in a position to understand things like reputation, financial impact to customers, or many types of legal risk/impact.

3) A conflict of interest could be created if the cybersecurity org is responsible both for detecting/preventing incidents and for reporting on their severity, and that conflict should be removed. It is in no one’s best interest to impact either of those processes.

So What Do We Do? Who is Responsible?

First, we recognize that, as Phil Venables noted, the outrage factor has increased given the disclosure rule, and therefore we must ensure we consider that aspect of it. We should either 1) understand now, within our orgs, how an 8-K is filed, who files it, and who determines materiality, or 2) guide our organizations to define that.

Who is responsible is not cookie-cutter. It really depends on the org, and especially in a large org, it is likely not one person. It could be a committee, but most likely it will be some subset of corporate officers.

If we aren’t already doing this, then now is the time for the cybersecurity org to lift itself out of playing only in the technology space and enter the business space. This means being prepared to distill an IR plan, severity levels, and the technical nuance of an incident into business jargon and relevance. We also need to adjust our IRP to include triggers for when an incident should automatically be considered for materiality. There is always a chance something lesser could subjectively be considered material, but there are certain situations that should always be reviewed.

We will absolutely have a voice in the materiality of an incident, so we need to figure out how an incident could translate to materiality, at least within our area of responsibility (e.g. incident details, employee impact, breadth of impact, at least indications of data loss, technology impact, etc.). There is definitely a chance that the SEC could challenge the non-disclosure of an incident, but that is why it’s important to have a defined process for determining materiality. Then it’s a matter of rationalizing the decision that was made within that process. Erring on the side of over-reporting isn’t going to help the industry, it isn’t going to help the shareholders, and it isn’t going to help a business’s customers.

Conclusion

The fact that so many in the cybersecurity industry are making this into a huge deal is the exact reason why it’s so important for the cybersecurity industry to transform itself to better understand the business. 8-Ks and materiality are not new to business; they have just never been on cybersecurity’s radar. This isn’t a massive change; this is a massive chance to help your organization define a process that establishes cybersecurity as a business partner, and for us to show the business leaders in our orgs that we are prepared to truly be partners.

I suggest reading this as I found it insightful: SEC.gov | Cybersecurity Disclosure
