In today's digitally driven world, where cyber threats are becoming increasingly sophisticated and prevalent, organizations must prioritize robust cybersecurity management and transparent incident disclosure practices. The new SEC Cybersecurity Management and Incident Disclosure Rules underpin these efforts with the concept of a "material cybersecurity incident." This term, often used in legal and regulatory contexts, is pivotal in shaping an organization's response to cybersecurity incidents and their subsequent disclosure to stakeholders.
Significance in Incident Disclosure:
- Transparency and Trust: Transparently disclosing a material cybersecurity incident showcases an organization's commitment to its stakeholders' interests. By promptly sharing information about the incident, its scope, and the steps taken to mitigate the damage, the organization can maintain trust and credibility.
- Legal and Regulatory Obligations: Organizations may have legal obligations to disclose material cybersecurity incidents depending on the jurisdiction and industry. Such disclosures ensure that regulatory authorities are informed and can take appropriate action.
- Stakeholder Communication: Organizations need to communicate incidents not only to regulatory bodies but also to affected customers, partners, and investors. Providing clear and accurate information helps stakeholders understand the situation and make informed decisions.
In this blog, we will explore how material cybersecurity incidents specifically pertain to the requirements of a cybersecurity incident disclosure and why understanding this concept is crucial for public companies (registrants).
Defining Material Cybersecurity Incident:
A cybersecurity incident involves the compromise of sensitive information or critical systems of a registrant that could impact an organization's operations, reputation, or financial stability.
So, what is a material cybersecurity incident, and what is the new reporting requirement? It is important to note that what constitutes a material cybersecurity incident may vary based on the industry, the nature of the data or systems compromised, and relevant legal and regulatory frameworks.
The new SEC regulation entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure has added provisions that required a modification to Form 8-K, incorporating Item 1.05, titled "Material Cybersecurity Incidents." This change mandates that a registrant must submit a Form 8-K within four business days of determining that a cybersecurity incident is material. A registrant may delay filing if the United States Attorney General ("Attorney General") determines that immediate disclosure would pose a substantial risk to national security or public safety. [Note that a foreign issuer (FPI), other than a foreign government, may have other reporting obligations (e.g., Form 20-F and Form 6-K); however, that is beyond the scope of this article.]
Once a cybersecurity incident has occurred, a registrant must proceed as soon as reasonably practical after discovery of the incident to determine whether it is material. This requirement also obligates the registrant to account for incidents occurring both internally and within third-party service providers, including cybersecurity incidents that arise unintentionally or because of a deliberate attack. Reporting should include a description of the nature, scope, and timing of the incident and its impact or reasonably likely impact. Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.
Item 1.05 of Form 8-K references 17 CFR 229.106 (Item 106), which defines a cybersecurity incident as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein. Furthermore, the SEC cybersecurity disclosure final rule defines "information systems" as electronic information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to maintain or support the registrant's operations.
When evaluating materiality, the registrant must maintain objectivity and consider all pertinent quantitative and qualitative factors. The SEC explains that the "materiality" standard to be applied should be consistent with the numerous cases on the subject, including but not limited to:
- Matrixx Initiatives, Inc. v. Siracusano (563 U.S. 27 (2011))
- Basic, Inc. v. Levinson (485 U.S. 224, 232 (1988))
- TSC Industries, Inc. v. Northway, Inc. (426 U.S. 438, 449 (1976))
Additionally, consideration should also be given to the standards outlined in 17 CFR 230.405 ("Securities Act Rule 405") and 17 CFR 240.12b-2 ("Exchange Act Rule 12b-2"). That is, information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision or if it would have "significantly altered the 'total mix' of information made available." "Doubts as to the critical nature" of the relevant information should be "resolved in favor of those the statute is designed to protect," namely investors. Certainly, a matter is material if there is evidence that a shareholder or investor would consider it important in making an investment decision and if disclosing the information would have altered the investor's views or decisions. This suggests that the importance of any compromised information should be considered, along with the impact it would have on the company's operations and profitability.
Factors to consider when assessing materiality should include matters such as the following:
- Registrant's reputation and competitive position
- The potential for legal action or regulatory investigations
- The possibility of an adverse outcome
- The potential degree and/or consequence of the loss
- Continued trust from customers and vendors
Enter CimTrak - Strengthening Cybersecurity Defenses (Preventative)
CimTrak, an advanced cybersecurity management and compliance tool, is designed to proactively safeguard an organization's IT environment. It does so by continuously monitoring for changes and vulnerabilities across systems, networks, and applications. It has been concluded that CimTrak can drive down the industry average time to detect cybersecurity incidents/breaches from a staggering 204 days to seconds and minutes, providing proactive cybersecurity risk mitigation. CimTrak's key features include:
- Real-time Monitoring: CimTrak detects changes, deviations, and unauthorized activities in real-time, allowing security teams to promptly identify potential threats, risks, and vulnerabilities before malicious actors can exploit them.
- Configuration & Change Management: CimTrak maintains a detailed inventory of configurations, ensuring that any unauthorized or unexpected changes are immediately identified and addressed. This capability is crucial in preventing attackers from gaining access through misconfigurations or changes resulting from malicious or unintentional modifications.
- Policy Enforcement: CimTrak helps organizations enforce cybersecurity policies by ensuring that systems and applications adhere to predefined security configurations and policies. This minimizes the risk of security gaps and reduces the attack surface.
- Vulnerability Management: By continuously identifying and assessing vulnerabilities, CimTrak assists security teams in prioritizing patching and remediation efforts. This is essential for staying ahead of potential breaches.
Cybersecurity Incident Disclosure (Audit & Analysis)
In the unfortunate occurrence of a cybersecurity incident, swift and accurate disclosure is essential. Organizations are now legally bound to promptly inform affected parties, customers, and regulators. This is where CimTrak's robust audit capabilities become invaluable:
- Timely Detection: CimTrak's real-time monitoring capabilities enable organizations to identify and mitigate breaches promptly. This quick detection is vital for initiating an effective response and ensuring timely disclosure.
- Forensic Analysis: CimTrak's data and logs can be instrumental in conducting a thorough forensic analysis in the aftermath of a cybersecurity incident. This analysis aids in understanding the scope of the breach, the vulnerabilities exploited, and the potential impact.
- Documentation for Compliance: Regulatory bodies often require organizations to demonstrate their efforts to maintain cybersecurity controls and promptly disclose incidents. CimTrak's comprehensive monitoring and reporting features provide the necessary documentation to meet these compliance requirements.
- Minimized Impact: The ability to detect and mitigate breaches swiftly helps reduce the potential damage caused by the incident. This, in turn, contributes to preserving the organization's reputation and customer trust and to limiting the financial impact.
In summary, CimTrak's real-time forensic, change management, and auditing capabilities provide critical information that can assist your organization in determining the materiality of a breach.
The material cybersecurity incident is a critical concept that holds immense importance in the realm of incident disclosure. Its impact extends beyond technical considerations, encompassing legal, regulatory, financial, and reputational aspects.
In an era where the threat of cybersecurity incidents looms large, organizations must leverage robust cybersecurity management tools like CimTrak to bolster their cybersecurity defenses and enhance their incident disclosure and auditing capabilities. By offering real-time monitoring, change/configuration management, auditing, compliance, and vulnerability assessment, CimTrak empowers organizations to detect, respond to, recover from, and disclose cybersecurity incidents effectively. As the cybersecurity landscape continues to evolve, having a comprehensive solution like CimTrak becomes a strategic advantage and a fundamental necessity for safeguarding sensitive data, preserving reputations, and ensuring business continuity and resiliency.
For more information on how CimTrak can help organizations that need to adhere to the new SEC requirements, see the CimTrak Technical Summary.
Disclaimer: This blog article is only a brief summary of the new Cybersecurity Risk SEC rule and does not constitute legal advice. Should you encounter a situation that constitutes a Cybersecurity Incident or any matter touched upon in this article, you should consult with legal counsel having experience in this area of the law and not rely on the information provided in this article.
Tags: SEC Cybersecurity Rules
September 19, 2023