
SEC disclosure rules leave IT pros asking: What’s ‘material’?

Ransomware can be material or not material, says one legal pro.

SEC disclosure rules now require publicly traded companies to disclose impactful—or more specifically, “material”—cybersecurity events, leaving many organizations running to both dictionaries and legal teams to learn the definition.

Understanding the term will be an important aspect of pre-incident planning, according to legal experts and industry pros who spoke with IT Brew, but what’s “material” for one company may be “immaterial” for another. IT pros are huddling up on frameworks and agreed-upon principles to determine which events require reporting to the SEC and which do not.

SEC ya soon. The SEC rules require registrants to disclose “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”

According to the SEC, a cybersecurity incident material-izes if “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision.”

A material example: A company might know immediately that an event is “material,” said Kari Rollins, partner in the intellectual property practice group at the law firm Sheppard Mullin. Say a ransomware attack encrypts an entire network and brings a company to a standstill.

“By day two, you may say, ‘Yes, this is going to have a big impact on our immediate and long-term finances. It could have an impact on our brand perception, on our customer relationships, because they can’t place the orders, or they can’t get their products, or the ransomware has impacted their ability to ship and or produce goods,’” Rollins told IT Brew.

A close, but probably not material example: But ransomware doesn’t have to be considered material, said Rollins, if the theoretical org, for example, experienced a limited, encryption-only event and had safeguards in place.


“It may actually not be material because you had good backups; you could bring them up quickly. You didn’t need to pay the ransom. It didn’t result in the exfiltration of personal data. And so, though it seems scary, because it was sort of a ransomware and encryption and extortion event, it may not actually be material in the larger context of the facts and the organization’s ability to continue to operate,” Rollins told IT Brew.

Write new material! Kaylee Cox Bankston, partner in the data, privacy, and cybersecurity practice at the firm Goodwin, has clients who are grappling with the definition; part of Bankston’s job is to understand the unique materiality-affecting drivers at a given business.

“What is material for one company will not be material for another organization, and it’s really fact-dependent. So if you have significant financial impacts, significant operation shutdown, potential massive business interruption: Those are factors that you could consider, but not necessarily determinants of,” said Bankston.

The level of interpretation was enough for Merritt Baer, field CISO at the cloud-security company Lacework, to get 30-or-so security colleagues on a Zoom call to discuss agreed-upon determinations for the term.

Their resulting framework, completed in November, included questions like:

  • Does compromised data put your company, employees, or customers at risk?
  • Did a substantial service outage occur?
  • Have any contractual obligations been broken?

“I wanted to also take an opportunity to turn it into something that we could own as a security community, and feel some comfort that it was benchmarked in line with how our peers are thinking about it,” Baer told IT Brew.

The effort, perhaps an early step toward an industry standard, is an attempt to define materiality…on their terms.
