Key Point: The decision-making process for determining whether a cybersecurity incident is material should include documenting the factors behind each determination, and it should be practiced before an incident occurs.

In Parts I and II of this blog series, we discussed the compliance dates and the new definitions in the U.S. Securities and Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures and offered registrants suggestions for preparing the new disclosure required in their annual reports. In Part III, we offer planning suggestions for determining whether a cybersecurity incident is material and must be disclosed on a Current Report on Form 8-K, or whether the incident is not material.

The SEC’s 2018 Interpretative Guidance required registrants to inform the SEC when the entity had been the target of a material cyber incident. However, the 2018 guidance did not spell out a timetable for doing so. The instructions associated with new Item 1.05 of Form 8-K now state that registrants must make their materiality determination “without unreasonable delay.”

While the SEC acknowledged in its responses to public comments that materiality determinations necessitate informed and deliberative processes, the SEC is requiring companies to avoid stalling or turning a blind eye to cyber incidents. A registrant should not delay a determination of materiality solely due to the need for continued investigation regarding the incident, and the SEC has warned registrants that actions such as intentionally delaying a board meeting necessary to determine materiality or revising incident procedures to support a delayed materiality determination would constitute an unreasonable delay. 81 Fed. Reg. 51906. If a cybersecurity incident is determined to be material, that determination starts the clock to file an Item 1.05 Form 8-K with the SEC within four business days.

It is important to note that the four-business-day clock does not begin running when the incident is discovered, but rather when the incident has been determined to be material. The SEC has stated that in most cases, the registrant will likely be unable to determine materiality the same day the incident is discovered, and that “disclosure becoming due less than a week after discovery should be uncommon.” Instead, the registrant will continue to acquire and develop information after discovery until it is sufficient to facilitate a materiality analysis. The disclosure requirements as adopted focus on an incident’s basic identifying details and its material impact or reasonably likely material impact, as the SEC believes the registrant should have the information required to be disclosed under this rule as part of conducting the materiality determination.

The pain point for corporate leaders, now that there is a firm deadline to notify the SEC, is what the company (and the SEC) considers to be a material cybersecurity incident as opposed to a non-material one. Materiality decisions are subjective by nature, will vary by industry sector and company size, and can be influenced by the timing of when the incident began and when it was discovered. As with other compliance enforcement regimes, consistent handling of similar events tends to be viewed more favorably than inconsistent responses.

To satisfy this four-day disclosure requirement, it is incumbent upon the cybersecurity experts to inform senior management of the known facts, the areas of uncertainty, and the items that remain unknown to help senior management make a materiality determination and draft the disclosure.

Suggestion 9: Registrants should develop decision trees or playbooks that provide examples of both material and non-material cybersecurity incidents and that can guide corporate leaders in future decisions. Granted, a future incident will not neatly fall into pre-conceived scenarios, but if the playbooks are used as decision guides during an actual event, corporate leaders can respond to an SEC inquiry from a defensible position that was formulated without the stress of facing an actual cybersecurity incident and the time constraints associated with it.

Suggestion 10: It will behoove companies to have an escalation process and to maintain activity/response logs that memorialize the steps taken in response to each incident, including the closure and the conclusion that a particular incident was not material. Registrants should perform mock incident sessions with the incident response team at least annually, to ensure familiarity with the incident response plan and to smooth out any inefficiencies. The SEC has recently brought enforcement actions against companies for inadequate disclosure controls and procedures involving cybersecurity incidents in which a breakdown in communication between the IT and financial reporting functions led to inaccurate disclosures to investors. Clear processes and chains of command will be necessary to ensure coordination between the reporting functions and to ensure that neither activity is impeded by the other. During these tabletop exercises and other training events involving cybersecurity, registrants should consider incorporating the following questions into their processes:

  • Periodically ask “If the incident is not material, why is that?” and document the reasons.
  • Periodically ask “What would the 8-K disclosure say if we had to write it now?”
  • Periodically ask “Should we be talking to our regulator / agency partner?”

The last question ties into one of two limited exceptions[1] to the SEC’s four-day deadline. Per the instructions to new Item 1.05 of Form 8-K, if the US Attorney General determines that disclosing the material cybersecurity incident poses a substantial risk to national security or public safety and notifies the SEC of that determination in writing, the disclosure may be delayed for an initial period of up to 30 days following the date when the disclosure was otherwise required to be provided (with such delay able to be extended for additional periods in certain circumstances).

The SEC rejected a multitude of suggestions from public commenters to accept extensions granted by other law enforcement entities or by the regulatory agencies with responsibility for various industry sectors. Instead, the adopting release notes that the US Attorney General may take into consideration other federal or law enforcement agencies’ findings. However, it may be a universal truth that such interagency coordination cannot be completed in the four business days after a company determines an incident was material. The Department of Justice (“DOJ”) is taking steps to overcome this challenge. On August 11, 2023, the FBI updated its cybercrime website to inform the public that the FBI is working with DOJ to develop additional guidance for the private sector on the intake and evaluation process for such requests. The FBI will update its website as the guidance is developed.

Suggestion 11: Unless the FBI issues contrary guidance in the future, if a registrant’s cybersecurity incident might pose a risk to national security or public safety, it behooves the registrant to contact its local FBI field office or, if the registrant is part of a critical infrastructure sector, its Sector Risk Management Agency (“SRMA”), and to ask for assistance in contacting the AG’s office and beginning the coordination process in case an extension is needed. Reaching out early allows the requisite time for interagency coordination.

From a planning perspective, a likely precursor to a registrant asking a law enforcement or SRMA partner for help coordinating an extension with the US Attorney General is that the registrant already has some type of relationship with that FBI field office or SRMA before the incident occurs.

Suggestion 12: As part of their tabletop exercises and planning processes, registrants should identify events that will trigger secondary consequences or additional compliance requirements. For example, the disclosure of a material cybersecurity incident within four business days of the materiality determination will most likely precede the data breach notices that must be sent to individuals (and potentially to affected business partners, customers, and clients) and to the applicable state attorneys general offices. This type of disclosure may spark an influx of attention from external stakeholders before corporate leaders have a chance to allocate the resources needed to support customer service teams. The same disclosure will likely prompt plaintiffs’ attorneys and class action advocates to commence litigation based on the Form 8-K disclosure before the full scope of the incident is known. It will be ironic if the legacy of the SEC’s four-day deadline becomes premature corporate disclosures, followed by an influx of premature lawsuits, that result in a waste of corporate resources – all to the detriment of the investors the SEC seeks to protect.

There is no dispute that some (or many) of these suggestions may not be applicable or useful to a particular company’s precise situation. We recognize that every cybersecurity event is fact-specific, but it is the planning, preparation and rehearsal that allow an organization to respond properly to a cybersecurity event. In the words of General Eisenhower, “Plans are nothing; planning is everything.” It is the process of preparing for a cybersecurity incident that brings the benefits to the incident response.

[1] In addition to the permitted delay in filing in connection with national security, companies that are subject to the Federal Communications Commission’s (“FCC”) notification rule for breaches of customer proprietary network information (“CPNI”) may delay making the Form 8-K disclosure up to seven business days following notification to the U.S. Secret Service and the Federal Bureau of Investigation, as specified by the FCC rule.