Show me the incentive; I’ll show you the outcome.
Charlie Munger
The SEC requirement for US public companies to disclose, in an 8K form, any cyber attacks that will have a material impact on the business went into effect in November, 2023.
Unsurprisingly this has led to “abundance of caution” disclosures of cyber incidents that either were never material or not yet determined to be material. Why? The incentive is to avoid fines, shareholder lawsuits, and prosecution by disclosing anything that could be viewed by anyone as potentially being material.
To the SEC’s credit, they put out a clear statement on May 21st that said:
- An 8K with Item 1.05 should only be submitted after the cyber incident has been determined to be material
- The SEC is not discouraging disclosure of non-material cyber incidents, but this should be done via Item 1.01 so investors can tell the difference between the disclosure of material and non-material cyber incidents.
- The determination of materiality should consider “all relevant factors” and not be limited to impact on “financial condition and results of operation”.
While this is clear, the incentive is still to disclose a cyber incident as material unless you are certain it isn’t. That will remain true until the SEC fines or otherwise pursues a company that discloses something as material that was not material. They hinted at this in the statement:
By contrast, if all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.
The answer is to have a credible formal process for evaluating the materiality of cyber incidents, ready in advance, and to document the results.
The uncertainty and lack of perfection in the regulation on day one is normal, inside and outside of cybersecurity. Over the first two years there will be test cases and lessons learned until a common understanding of how to meet the regulation emerges. For example, companies are likely to develop formal processes that may be found lacking when challenged, and all the other companies will learn when those companies pay the price.
The other incentive, post the SolarWinds / SEC action, is to provide little or no information on the security incident. It happened. It may have a material impact. Full stop. From an investor standpoint this is sufficient. It is instructive that Clorox earnings calls after its incident were primarily about when deliveries would resume and when lost shelf space would be recovered. There was no detail on the cyber attack or on new security measures that would be put in place.
We will have to watch what the SEC does regarding the level of detail required in the annual disclosure of cybersecurity risk management, strategy, and governance. If you read non-cybersecurity risk disclosures, it’s not encouraging that we will see a candid discussion and useful sharing.