SEC statement clarifies material cybersecurity incident disclosure requirement
In July 2023, the US Securities and Exchange Commission (SEC) finalized its rule requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. Though materiality is not a new concept in SEC regulations, in the context of cybersecurity incidents, materiality assessments and disclosure practices are evolving areas with little practical precedent or guidance to draw upon. Fundamentally, an incident is considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision.1 This includes assessing all relevant qualitative and quantitative factors, such as reputation, customer and vendor relationships, and competitiveness, in addition to financial and operational impacts, as well as potential litigation and regulatory actions.