A Deep Dive Into the SEC’s Materiality Trigger for Cybersecurity Incident Disclosures

Here is a Client Update from data security lawyers Andrew Pak and Rebecca Engrav that might help you when it comes to assessing the "materiality" of a cybersecurity incident under the SEC's new Item 1.05 of Form 8-K. The Client Update analyzes some real-world incidents that should help guide how you might update your disclosure controls, as well as provides a number of practical tips. [Don't forget our upcoming September 28th webcast: "The SEC's New Cyber Disclosure Rules – What To Do Now."]

Here is an excerpt to consider: "The SEC's comments illustrate that the focus of any materiality assessment should be 'through the lens of the reasonable investor.' In other words, materiality is not limited to a quantifiable amount of access that occurred, or how likely it is that such access would affect consumers, but includes any information connected to an incident that a reasonable investor would want to be aware of, or that would otherwise significantly alter the "total mix" of available information. So, while incident responders may typically think of the risk of incident-related harm as the risk that a bad actor might misuse the information to the detriment of data subjects, harm in this context can mean selling a "cybersecurity bill of goods" to the reasonable investor. This means that certain events, even if the specific occurrence does not seem especially significant or harmful, may still be viewed as harming potential investors if the incident is evidence of bad security practices in general. In other words, if an incident reveals a weakness in an organization's security safeguards, but the organization 'got lucky' in the incident itself, that 'luckiness' does not absolve it of the need to assess whether the weaknesses demonstrated are material when considered more holistically."