SEC's New Guidance Emphasizes Materiality Assessment in Cybersecurity Disclosures

By AnhNguyen, August 20, 2024

The Securities and Exchange Commission (SEC) has recently published new guidance aimed at helping public companies comply with its cybersecurity disclosure rule. This rule, finalized in July 2023, mandates that U.S. exchange-listed companies report material cybersecurity incidents within four days. It also requires annual disclosures of risk management strategies and governance structures related to cybersecurity. 

The SEC’s new guidance, released on June 24, 2024, provides five compliance and disclosure interpretations (C&DIs) that clarify how companies should assess and disclose material cybersecurity events. This guidance underscores the importance of conducting thorough materiality assessments for all cybersecurity incidents, regardless of their immediate financial impact. 

One of the key takeaways from the SEC’s guidance is that companies must determine the materiality of a cybersecurity incident even if the incident is resolved quickly or if a ransom payment is covered by insurance. The guidance also notes that small incidents, when considered collectively, may be deemed material if they are related or exploit the same vulnerability. 

Materiality assessments are crucial in determining whether a cybersecurity event needs to be disclosed to investors. The SEC emphasizes that these assessments should be conducted after every cyber incident, with input from outside securities counsel and corporate boards. This ensures that companies are meeting their disclosure responsibilities under the SEC rule. 

For businesses, this guidance highlights the need for robust materiality assessment processes as part of their overall ESG and sustainability strategy. It also reinforces the importance of proactive cybersecurity risk management to mitigate potential financial and reputational impacts. 

With the SEC’s increasing focus on cybersecurity disclosure, public companies must prioritize materiality assessments to ensure compliance and transparency in their reporting practices. 

Sources: 

https://global.lockton.com/us/en/news-insights/new-sec-cybersecurity-compliance-and-disclosure-interpretations-put-focus-on 

https://kpmg.com/us/en/media/news/sec-cybersecurity-disclosure-rules-2024.html
