Unraveling the ‘Materiality’ Mystery of SEC Compliance
Here’s a CISO’s perspective on how excessive disclosures could numb the public to the true significance of cyberattacks and what steps can be taken to ensure transparency.
The Securities and Exchange Commission recently enacted cybersecurity disclosure rules aimed at strengthening investor protection and transparency. The rules require a public company to report a cybersecurity incident once it determines the incident is material, and to describe its cyber-risk management and governance in annual filings. However, the first disclosures filed by major corporations are raising concerns about whether the rule actually gives investors a clear view of an organization's cybersecurity posture.
A central issue is the lack of specific guidance on materiality in the context of cyber breaches. Under securities law, information is material when there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The SEC applies that same high-level standard to cyber incidents, but offers no concrete criteria for what makes a breach material. This ambiguity puts companies in a difficult position: disclose potentially damaging information about a security incident, or risk misleading investors by staying silent. Compounding the challenge, many organizations still doubt their own compliance readiness; only 40% report feeling confident that their organization has made the necessary investments.
Understanding the Question of Materiality
The murky definition of materiality in cybersecurity creates a major dilemma for companies. Some may err on the side of extreme caution and report every breach, regardless of severity. Others, with a firmer grasp of the threat landscape, may distinguish between attack vectors and report only the truly impactful incidents. The result is a troubling scenario: inconsistent reporting across companies. Investors looking for a clear picture of a company's cybersecurity posture and risk profile may instead be presented with an inaccurate one.
We know the basics of what should be considered material. Breaches of personally identifiable information (PII) are widely treated as material, but the line blurs when it comes to unauthorized access. For some companies, any compromised employee email account might trigger a disclosure, while others might consider only senior or executive access material. Still others might focus solely on the financial impact of the breach. Did the company lose only a few minutes of downtime, or did production suffer a significant disruption with long-term consequences? The cost difference between those two scenarios can be enormous, and so is the difference in what an investor would want to know.
Ambiguity Versus Oversharing
So far, several larger companies have filed early. That may simply mean they have a tight cybersecurity strategy in place and are prepared to share information freely. It could also mean they are trying to set the bar for what counts as material. As a cybersecurity leader, I cannot fault them for this tactic, because the water will only get muddier as more filings are submitted. But we cannot afford to let a few large companies set the bar for industry-wide transparency.
A rush to disclose everything is not the answer either. Investors seeking a clear picture of a company's cybersecurity posture can easily be bogged down in excessive detail, which makes it harder to focus on the most critical risks and to make informed decisions. Information overload also feeds the public's growing desensitization to the constant barrage of cyberattack headlines. That has serious consequences, because it diminishes the perceived severity of these events.
A race to the bottom in disclosure practices could also emerge. As more filings accumulate, the initial transparency shown by some companies might be overshadowed by others seeking to minimize the apparent impact of their incidents. Even significant breaches could be downplayed, eroding investor confidence and creating a false sense of security in the market. It is a version of the cry-wolf problem: when every filing sounds the same, the ones that matter no longer stand out.
Looking Ahead
Finding the balance between transparency and protecting sensitive information is a key challenge for businesses adapting to the new disclosure rules. Businesses understandably worry that revealing highly technical details (which systems were compromised, which controls failed, how the attacker got in) could hand a roadmap to other bad actors. Yet meaningful transparency remains vital: without a clear view of an organization's cybersecurity posture and risk profile, investors lack the information they need to make informed decisions. The disclosure should convey the nature, scope and business impact of the incident, not the technical specifics an attacker could reuse.
Automation can help here by collecting evidence and building incident timelines, improving collaboration between siloed teams, and supporting war-gaming and tabletop exercises. Those exercises validate common scenarios and playbook actions ahead of time, so that when a real incident occurs the organization can assess its materiality and make a disclosure decision quickly and consistently rather than from scratch.
The SEC must work with industry leaders to establish clear and consistent materiality guidelines. Doing so will let companies meet their disclosure obligations while minimizing the risk of unwittingly handing attackers a playbook. Only through such collaboration can these regulations achieve their intended goals: fostering investor confidence and strengthening the overall cybersecurity landscape.