Determining Materiality of Cyber Events: A Guide for the New SEC Cybersecurity Disclosure Rule

Risk managers at public companies have always needed a process for determining materiality as it pertains to their shareholders. A factory being wiped out in a hurricane or a union strike is information that could and should be considered by shareholders and potential investors and must be made public while smaller incidents like a small flood impacting a single warehouse are not necessary to disclose. 

The recently released and soon-to-take-full-effect Securities Exchange Commission (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule adds a new layer of complexity to this materiality question in that cyber events must now be taken into consideration. The problem is that the SEC left the wording of how materiality is to be determined intentionally vague and, without historic examples to draw from, companies must figure out how to weave cyber events into existing materiality frameworks and considerations.

In response to this, Consortium Networks has created a guide for developing a process of determining materiality of cyber events. This guide should be used only as a starting point and any decisions regarding disclosures must be made in coordination with General Counsel and other relevant stakeholders.

Determining materiality of a cyber event will require an assessment of five different impact categories and their impact levels. The five categories are:

• Financial: Direct and indirect potential financial losses or costs associated with the cyber incident. This can include things such as remediation costs, fines, and loss of revenue.
• Operational: Potential disruption to business operations and the ability to deliver products or services. Things such as downtime, lost productivity, and supply chain disruptions should all be considered.
• Reputational: Potential harm to the company’s reputation including damage to brand image, customer trust, and long-term stakeholder relationships.
• Regulatory: Impact of the event on regulatory compliance including the company’s obligations to report to other regulatory bodies aside from the SEC.
• Legal: Potential legal consequences of the incident including liability, lawsuits, and need for legal defense.

Each of these categories will require relevant stakeholders to come together in conversation to assess the real and potential impact of the event to determine which impact level to assign to each category: none, low, moderate, high, or extreme.

In taking the full matrix of impact level to impact category together, the more moderate to extreme impacts an incident has, the more likely that it will be a material event that will require SEC disclosure.