Wall Street’s top regulator has adopted new cybersecurity rules that require companies to disclose a material cyber breach within four days of determining that the breach is material. The 96-hour requirement has been on the table for months, but the materiality qualifier puts a critical onus on boards and CISOs to get specific on their cyber-risk tolerance.
Until now, breach notification has been driven primarily by regulations or industry rules requiring notification “without unreasonable delay.” That afforded a fair amount of bandwidth within which to understand and assess a situation and then determine the most appropriate path forward. The new SEC rules raise the bar for publicly traded companies: they must not only know that an incident has occurred, but their boards must also quickly establish the facts in the context of materiality.
Any situation where shareholders would consider the breach important, or where there is significant potential impact on the company’s financial position, operations, customer relationships, or reputation would clearly be material. But, often, data breaches or other cyber incidents are more nuanced. For example, a data breach that impacts a small number of customers or a denial of service (DoS) that impacts a small location and that is quickly remediated might not be considered material for SEC reporting purposes.
In 2022, for example, there were an estimated 490 million ransomware attacks, and Microsoft said that it mitigated an average of 1,435 DoS attacks a day; most of those incidents would probably not meet a standard of materiality. While we always must be beyond reproach on reporting, we should not fall into the trap of launching a disclosure cycle only to find out that the incident was not, in fact, material.
Here are best practices to follow to ensure compliance with the new SEC rule.
Consider Materiality as a New and Critical Element of Cyber Oversight
The interpretation of materiality should be provided by the board, in the form of clear risk tolerance guidelines. Defining risk tolerance is a normal practice at the board level; clearly define the triggers that would push an incident into the SEC four-day window by using scenario-based analysis, including:
- Customer data: If the breach impact is known, contained, and minimal, is it material?
- Operational impact: If a subset of operations is impacted, and impacts can be contained and recovered, is it material?
- Reputational risk: If an incident becomes public but its impact was small and the company’s awareness and response were beyond reproach, is that material?
Understand How the Board of Directors Interprets ‘Materiality’
Neither the CISO nor the technology team should be responsible for determining or interpreting materiality. What matters under the new SEC rules is very much subject to interpretation, so the team needs to know in advance how the board wants “materiality” to be interpreted.
In addition, be mindful of opportunities to proactively stay within approved risk tolerance. For example, notification is generally not required for encrypted data, so take advantage of data encryption as it continues to be your best defense. If you have not already encrypted personally sensitive information, consider taking action to encrypt the data that is most exposed from the board’s risk tolerance perspective.
Ensure that You Have the Data to Assess, Monitor, and Report in the Context of the Approved Risk Tolerance
Plan around the defined risk tolerance to know exactly how to bring together the necessary data to monitor and report. Then build the capability to produce a clear, concise, and meaningful report that could be used for management and the board in an incident situation. Develop communications templates in advance for use if you have an incident, including models for reporting on progress and incident closure with a consistent notification and reporting cadence. Understand how you would report to each of the risk tolerance elements and exercise the data sources to know how those boundary conditions will be tested and reported on.
The new SEC rules raise the risk that the board will be distracted by the clock in the heat of a cyber incident. Time pressures make it easy to say too much or to elaborate beyond what is required. By planning the critical data strategy beforehand and using templated communications to share the right message, you can ensure that nothing is missed but the situation is not exacerbated by oversharing.
We look forward to learning more as the SEC rules are absorbed, and sharpening our thoughts and guidance as more details emerge.