Determining Materiality of Cyber Events: A Guide for the New SEC Cybersecurity Disclosure Rule
Risk managers at public companies have always needed a process for determining materiality as it pertains to their shareholders. A factory being wiped out in a hurricane or a union strike is information that shareholders and potential investors could and should weigh, and it must be made public, while smaller incidents such as a minor flood affecting a single warehouse need not be disclosed.
The recently released Securities and Exchange Commission (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule adds a new layer of complexity to this materiality question: cyber events must now be taken into consideration. The rule is part of a broader shift away from the instinct to focus all protection efforts on the initial victim of a cyber incident and toward the understanding that an incident at Company A can quickly spread across industries and geographic locations, which significantly increases the need for transparency. Disclosure allows organizations to work together to contain the overall effects of an incident.
The problem is that the SEC intentionally left the wording of how materiality is to be determined vague, and, with few historical cybersecurity examples to draw from, companies must work out how to weave cyber events into their existing materiality frameworks and considerations. The stakes of getting that process right are concrete: under the rule, the Form 8-K disclosure is due within four business days of the company determining that an incident is material, so the determination itself has to be both fast and defensible.
In response, Consortium Networks has created a guide for developing a process for determining the materiality of cyber events. The guide should be used only as a starting point, and any decisions regarding disclosure must be made in coordination with counsel and other relevant stakeholders.
Download your copy today.