How the SEC Views Materiality

The Securities and Exchange Commission (SEC) has adopted a new rule that requires public companies to disclose any material cybersecurity incidents they experience, as well as the impact of those incidents on their business. Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

• Nature, scope, and timing; and
• Impact or reasonably likely impact
• This filing must occur within four business days of determining an incident was material.

The ambiguity around what it means for an incident to be material, or how to make that determination, now needs to be a key consideration as part of an organization’s incident response and business continuity planning. Ultimately, what it means for an incident to be material will differ for each organization.

Here are some of the factors to consider when trying to define materiality for your organization:

• Does the incident directly, or indirectly, affect the company financially?
• Does the incident affect the companies’ operations or ability to provide products or services?
• Does the incident have the ability to have an adverse impact on the companies’ reputation?
• Does the incident affect the confidentiality, integrity, or availability of information, whether it be its own, its customers or its third parties?

With these factors in mind, let’s look at a few scenarios, and think about the potential impact they have on your organization and how that may affect making the determination of materiality.

Scenario 1

A member of your organization’s accounts payable team has fallen victim to a phishing attack and their credentials were compromised. After investigation, it was determined that the threat actor was successfully able to access the users account and send fraudulent invoice notices to over 100 recipients before terminating the unauthorized access. At this point in the investigation there is no evidence of funds being transferred via the instructions provided in the fraudulent email.

Scenario 2

Post-pandemic, only 25% of your organization’s workforce has returned to the office full time. A Distributed Denial of Service (DDOS) attack against the organization impacted the ability of those working in the office to communicate externally with business partners for a full business day.

Scenario 3

Your organization utilizes a third-party Software-as-a-Service (SaaS) solution to manage employee payroll. The third-party has notified your organization that their platform will not be accessible for the next 72 hours. Due to the outage, payroll processing for your organization will have to be delayed by one business day.

The ultimate impact of each one of these scenarios could be drastically different based on an organization’s size, the services being provided and the organization’s incident response and business continuity capabilities.

How can your organization prepare?

The first step is defining the parameters of materiality for your organization, which is easier said than done. However, waiting for an incident to occur to make these determinations is a recipe for disaster. Here are some ways to get this thought process started:

• Review previous incident reports and details. Use this information to aid in determining the potential impacts to your organization.
• Conduct a Business Impact Analysis (BIA). Knowing what your organization’s critical business functions, processes and services are, and the potential impact an incident or disruption would have is a key component of determining materiality. The BIA can also be utilized to build out your organizations’ risk registry that helps to define materiality and methods of mitigation.

Once materiality has been defined, these parameters should be thoroughly documented, put into practice and tested. The process for determining materiality should be incorporated into your organization’s incident response plan documentation and testing activities.

Whether your organization regularly performs incident response tabletop exercises or not, this is a great opportunity to put all the preparation into action. Utilize a tabletop exercise to put an emphasis on determining the materiality, understanding roles and responsibilities, and making sure that disclosure processes are established and understood. If we were to taken into consideration the scenarios provided above, a tabletop exercise would help to clarify the details to gain a better understanding of material impact of each unique situation.

As Benjamin Franklin famously said, “By failing to prepare, you are preparing to fail.”