United States: A Deep Dive Into The SEC’s Materiality Trigger For Cybersecurity Incident Disclos…

– Andrew Pak
The article highlights the concept of materiality in relation to cybersecurity incidents.
Materiality refers to the significance or importance of information that could potentially influence an investor’s decision.
In the context of cybersecurity incidents, materiality can be determined by assessing whether the incident reveals a discrepancy between an organization’s representations about its security practices and the actual state of its cybersecurity.
The article provides practical tips for businesses to navigate materiality assessments in relation to cybersecurity incidents:
1. Identify, assess, and manage representations about security: Organizations should carefully manage and review the affirmative statements they make about their security practices in public filings and marketing materials. By aligning their representations with the actual state of their security, they can reduce the potential delta between the two and minimize materiality concerns.
2. Understand the implications of internal escalation processes: Businesses should review their internal escalation processes, including incident severity labels and frameworks. It is important to ensure that these processes align with materiality assessments and involve the appropriate resources and escalations for timely evaluations.
3. Assess the importance of cybersecurity to the business model: Organizations should consider how crucial cybersecurity is to their business model. By understanding the significance of cybersecurity in their industry, they can better evaluate the potential impact of a cybersecurity incident on investor expectations and materiality.
4. Prevent legal determinations from being solely technical: Legal teams should not rely solely on technical staff for making determinations of materiality. Materiality assessments should be translated into organization-specific metrics that can act as proxies for potentially material events. The guidance suggests taking a broad view to consider a range of incidents, with the expectation that not all assessments will ultimately be deemed material.
Overall, by following these practical tips and engaging in collaboration between legal counsel, frontline incident responders, stakeholders, and attorneys familiar with materiality standards, organizations can effectively navigate materiality assessments related to cybersecurity incidents.
Link: https://www.mondaq.com/unitedstates/security/1365052/a-deep-dive-into-the-secs-materiality-trigger-for-cybersecurity-incident-disclosures