Three months into the Securities and Exchange Commission's cyber incident reporting rule, companies are grappling with the question of when the impact of a breach or attack counts as material.
The rule, which went into effect Dec. 18, requires publicly traded firms to report an incident within four business days of determining that it is material. The clock runs from the materiality determination, not from discovery of the incident, and the rule requires that determination to be made without unreasonable delay.
In the immediate aftermath of several high-profile cyber disruptions in recent months, companies have scrambled to determine quickly whether the incidents were technical breaches or malicious attacks.
The materiality assessments have so far proven far more complicated. Companies have to weigh the scope of data loss, the downstream impact on operations and the longer-term regulatory, financial and reputational implications.
“When it comes to disclosing cybersecurity incidents to the SEC, companies face a balancing act,” Maksim Vander, KPMG U.S. partner, audit, technology assurance, said via email.
Companies need to begin thinking about the 8-K as soon as the initial incident takes place, and they need to consider a mix of qualitative and quantitative factors when assessing materiality, according to a report released by KPMG.
Quantitative factors include:
- Impacts on business operations, including the duration of an incident, number of business segments impacted, and loss of intellectual property or data.
- Impacts on financial performance or earnings, including revenue, stock price and divergence from prior forecasts.
- Incident response and containment expenses, including ransom payments, legal fees, future insurance costs and forensic analysis.
Qualitative factors include:
- Type and amount of information taken
- Reputational damage
- Impact on supply chain, both upstream and downstream
- Government inquiries and legal disputes
Disclose early, update often
While the rule does not explicitly require it, a number of companies have disclosed incidents to the SEC soon after discovering them, before reaching a materiality determination. Those filings were later updated through amended 8-K disclosures or through additional disclosures in quarterly or annual reports.
Days after discovering a cyberattack in mid-November, Fidelity National Financial disclosed the incident in an 8-K filing with the SEC. The company confirmed that an unauthorized actor gained access to some of the company’s systems and also stole certain credentials.
The prolific ransomware gang AlphV/BlackCat claimed credit for the attack.
The company contained the incident in late November and updated investors in an amended 8-K filing. It later briefed investors on the response during a virtual fireside chat, which was also disclosed in an 8-K filing in early December.
After completing its investigation in mid-December, Fidelity National Financial disclosed additional details in an amended January filing, which revealed that 1.3 million customers were potentially affected by the attack. The company also said it did not expect the attack to have a material impact on earnings.
In another high-profile attack, MGM Resorts disclosed in October that a September cyberattack against the company would have a $100 million financial impact on its Las Vegas-area properties.
The company provided regular updates in quarterly reports and, in a 10-K annual report filed with the SEC last month, disclosed that it was facing investigations from state and federal regulators.
In prior years, companies would often conceal a ransomware attack entirely, out of concern for corporate reputation and fear of liability to investors and customers.
Companies have since changed their stance on ransomware disclosure, in part because the reputational risk now stems less from the attack itself than from the response, according to cybersecurity experts.
“They’re less worried about being the victim of a ransomware attack — because so many are — they’re worried about the reputational impact of how they handle it,” said Matt Gorham, leader of the Cyber & Privacy Innovation Institute at PwC and a former assistant director at the FBI.
SEC Chair Gary Gensler has said publicly that materiality in connection with cybersecurity incidents is not a new concept.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” Gensler said in a July statement after the SEC approved the incident reporting rule.
Erik Gerding, director of the SEC's division of corporation finance, explained in a December statement that the agency recognizes companies often cannot determine materiality immediately after an incident.
Companies often need time to gather information from third-party forensic investigators and to understand the full impact of an attack before that determination can be made.