MONTH-IN-BRIEF (Dec 2023)
Incident Reporting for Material Cybersecurity Incidents Goes into Effect on December 18, 2023
December 18, 2023 is the effective date for new Item 1.05 of Form 8-K, which requires a company to disclose any cybersecurity incident it experiences that it determines to be material, within four business days after making that materiality determination, describing the material aspects of the incident’s (i) nature, scope, and timing; and (ii) impact or reasonably likely impact on the company, including on its financial condition and results of operations. (Two points worth keeping in mind: smaller reporting companies have an additional 180 days, until June 15, 2024, before they must comply, and the instructions to Item 1.05 require the materiality determination itself to be made without unreasonable delay after discovery of the incident, so a company cannot push back the four-business-day clock simply by delaying the determination.) But don’t expect a flood of Item 1.05 Form 8-Ks, because the materiality qualifier is the critical element of Item 1.05. When I think about materiality in the Form 8-K context, I always go back to the Securities and Exchange Commission’s characterization, in the 2004 adopting release (which brought us a significantly expanded Form 8-K), of the items selected for Form 8-K disclosure as the “unquestionably or presumptively material events” that a company faces. The most difficult part, as I think we can all acknowledge, is assessing whether a particular cybersecurity event is in fact material. To that end, I share some of my experiences from the “trenches” of determining whether cybersecurity events are material:
- Beware of the Titanic Effect — When I was in college, I decided to drive my VW Rabbit up one of those enormous snow mounds that accumulate in parking lots during the winter (an astute reader/listener might ask why I was driving a VW Rabbit, but that is a whole other story). My friend tried to discourage me from this endeavor, but I said to him something to the effect of “What could go wrong, it is only a little snow?” In response, he delivered the deadpan line, “Tell that to the Titanic.” I proceeded to drive into (not up) the snow mound, which turned out to be rock-hard ice that ripped the front bumper and driving lights off the Rabbit. The moral of the story, other than that no one in their right mind should ever have given me a driver’s license, is that nothing is ever quite as it seems, particularly in the context of cybersecurity breaches. The Titanic effect is real in many cybersecurity breaches: one can easily misperceive the giant iceberg lurking under the surface as some harmless floating ice. In many of the situations I have observed over the years, the breach appears innocuous at the beginning, and then, as the investigation proceeds, a much wider compromise is identified, including situations where threat actors are still active in the company’s systems. These evaluations do not happen overnight, so the materiality assessment must be ongoing as new facts come in. Parties involved in the evaluation, including management, directors, and outside advisors, need to make objective assessments of the risks associated with the breach and its potential consequences, and do so as quickly as possible. Item 1.05 itself accounts for the incomplete picture: if some of the required information is not yet determined or is unavailable when the Form 8-K is due, the company says so in the filing and then files an amendment within four business days after it determines the information or the information becomes available, so an unfinished investigation is not a reason to hold the initial filing. The last thing anyone wants is for a material cybersecurity incident to be disclosed too late in the SEC’s eyes simply because the Titanic effect clouded everyone’s judgment as to the size and scope of the breach.
- The Benefit of Hindsight — As has become evident from the cybersecurity enforcement cases the SEC has brought over the years and the investigations that remain ongoing, the SEC looks at the disclosure of cybersecurity incidents with the benefit of 20/20 hindsight. The timing of disclosure decisions can raise eyebrows when the situation is evaluated two or three years later, after everyone has observed what happened next after the breach was discovered. Therefore, I think it is always important to conduct a materiality assessment through this lens, asking how the disclosure decision will look to future investigators under the range of possible scenarios. I recognize that this is a departure from the pure materiality considerations we are all familiar with, but it is the practical reality of where we are with this issue today.
- Do Your Homework — I believe that one of the most important things a company can do now to prepare for a potential Item 1.05 of Form 8-K disclosure is to draft a materiality framework that is specific to the company and can be applied to any potentially material cybersecurity breach that comes along. I have seen this approach work successfully in the past, because it is often difficult in the heat of a cybersecurity incident to come up with an approach to assessing materiality that works for that particular company. This does not have to be a lengthy policy or procedure; what I envision is a few pages of questions that can be asked to objectively assess the materiality of the circumstances, for example which systems and data were affected, whether operations were disrupted and for how long, the expected remediation cost and any insurance recovery, and the likely legal, regulatory, and reputational consequences.
- Process Is Critical — It has been drilled into our heads by the SEC’s cybersecurity enforcement efforts that controls are king. This is an area where the SEC Staff expects to see robust disclosure controls and internal controls designed to get to the right result, i.e., timely and accurate disclosure of material cybersecurity incidents. I am by no means suggesting that companies go to extreme lengths to establish these controls; in a way, I think it is a mistake to treat Item 1.05 differently from any other Form 8-K disclosure item. Rather, I believe it is important to have in place measured and demonstrable controls designed to surface potentially material cybersecurity incidents to the decision-makers within the organization and to provide those decision-makers with the information they need to make correct disclosure decisions. This is what we have been doing with the many other Form 8-K items for almost two decades, since the SEC substantially expanded current reporting on Form 8-K in 2004.
- Human, All Too Human — In my experience, perhaps the biggest impediment to timely and accurate cybersecurity incident disclosure is human nature. I am not trying to blame anyone here, but time and time again I have come across scenarios where folks in the IT function want to downplay or delay telling anyone about a cybersecurity incident, because they honestly believe that it is not so bad and that they can fix it before any harm is done. This reaction is not surprising, given that the cybersecurity staff is inundated with attacks from all manner of threat actors all day, every day, so their instinct is to deal with them and not overreact. It is this natural impulse that the disclosure controls need to overcome, so that information about potentially material cybersecurity incidents can “bubble up” through the organization. This is not an easy problem to solve, and it takes a top-down, organization-wide approach to overcome the human element that threatens your timely material cybersecurity incident reporting.