Key Point: The decision making processes to determine whether a cybersecurity incident is material or not, should include documenting the factors behind each determination and should be practiced before an incident occurs.
In Parts I and II of this blog series, we discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures and offered registrants suggestions for preparing the new disclosure required in their annual reports. In Part III, we offer planning suggestions for determining whether a cybersecurity incident is material and needs to be disclosed on a Current Report on Form 8-K, or whether the incident is not material.