The U.S. Securities and Exchange Commission (SEC), through a new requirement of Item 1.05 of the 8-K, requires that all regulated companies report significant cybersecurity breaches within four business days of determining that the incident was “material”.
You can see a list of current 8-K Item 1.05 cybersecurity incident reports here.
Per the SEC’s official announcement:
“The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.”
We first covered this announcement in the KnowBe4 blog here.
An important part to understand is that the four-day requirement does not start upon discovery of the cybersecurity breach, but upon determination that the event was “material.” However, materiality determination cannot be unreasonably delayed.
My university B.S. degree is in accounting and at one time, I worked for a CPA firm and passed the VA CPA exam. I still shudder from how hard that exam was. I will not share how many times I had to take it to pass. Materiality is an accounting concept that is drilled into the head of every accounting student. Materiality is a generally accepted accounting standard that says an event only needs to be reported to stakeholders (i.e., customers, stockholders, regulators, etc.) if omitting it would have had an impact on a decision being made by a reader of that disclosure or of a financial statement.
Here are two good summary statements on materiality:
What is or is not considered “material” can change depending on the stakeholders and the event. Officially, accounting professionals (e.g., CPAs) are told there is no particular amount or percentage that makes an event material or not material. When in doubt, follow the standard of “would it matter to a reader of a financial statement?” In practice, however, the SEC says the amount involved can be as little as 0.5% - 5% of total assets. It can also be lower or higher. It depends on the event.
If not already accomplished, have senior management or the board officially determine what amount of impact on revenue or operations the company would consider material.
If not already accomplished, have senior management or the board officially decide, ahead of time, how the materiality of a cybersecurity breach will be determined.
There is a good chance that deciding on these factors will involve accounting, finance, legal, senior management and possibly other departments, personnel, and maybe even consultants. Determining materiality is a huge legal decision that cannot be made lightly. It is also a decision that should be made ahead of a possible cybersecurity breach.
Any decision made under duress during a stressful cybersecurity breach is likely to be more rushed and less thoughtful. So, do it ahead of time, document it, and add it to your cybersecurity response plans. If you are regulated by the SEC, it is required.
It might even be required that you disclose how you calculated materiality. The SEC’s final rule on the subject states on page 10: “In addition, the Commission's Investor Advisory Committee adopted recommendations (“IAC Recommendation”) with respect to the proposal, […] suggests requiring companies to disclose the key factors they used to determine the materiality of a reported cybersecurity incident…”
Consult with your legal staff on whether such disclosure is required versus suggested. Either way, by documenting how you determined materiality ahead of time, you will be better prepared to meet your SEC obligations whether you have to disclose the contributing factors or not.
Consider Reporting Even if Immaterial
Traditionally, most companies resisted reporting any negative significant event on their 8-Ks or financial statements if they could avoid it. I have known of many company leaders who sighed in relief when the involved event missed materiality thresholds. There have also been many accounts of companies that (accidentally) incorrectly calculated materiality thresholds so that a negative event that possibly should have been reported was not.
So far, since the SEC’s new cybersecurity rules have been in effect, many companies, like Microsoft and Johnson Controls, have been reporting cybersecurity events in 8-K Item 1.05 reports even if the event was clearly immaterial. For example, Johnson Controls said the impact of their recent cybersecurity event, a ransomware event in September 2023, was $27 million in remediation costs. They have annual revenues in excess of $26 billion. Clearly the $27 million figure is not material.
Still, Johnson Controls (and others) have reported those events, either out of an abundance of caution (in case costs end up rising) or to be fully transparent to readers of their financial statements. Many would say that nothing shows you are not hiding anything quite like publicly reporting something you are not legally required to report. So, consider reporting significant cybersecurity events even if they are not material. Again, this type of decision should be made ahead of a possible cybersecurity event for the most thoughtful consideration.
In conclusion, all companies covered by the SEC should determine and document what constitutes cybersecurity incident materiality in order to prepare for any future reporting requirements.