By: Olivia Woodmansee
In July 2023, the Securities and Exchange Commission (“SEC”) voted to adopt a final rule on cybersecurity disclosure for public companies.[1] The rule is predicted to fundamentally alter most, if not all, public companies’ incident response processes.[2] The SEC now requires companies to disclose material cybersecurity incidents via Form 8-K within four (4) business days of the determination that the cybersecurity incident was material.[3] The materiality standard, established in TSC Industries, Inc. v. Northways, Inc.[4], requires disclosure of a cybersecurity incident if there is a “substantial likelihood that a reasonable shareholder would consider it important” to vote or make an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”[5] This inquiry is typically fact specific.[6]
While the SEC designed the rule to protect investors, it has faced criticism for the its complexity and potential for divergent implementation.[7] In fact, even the SEC noted that companies will struggle to identify which cybersecurity incidents rise to the level of “material”.[8] Companies are at risk of disclosing too much (leading to attackers gaining more information) or not disclosing enough (giving rise to SEC enforcement and potential investor lawsuits).[9] Since “cybersecurity incident” should be construed broadly, companies and courts will be frequently challenged to determine whether an incident reaches a “material” level.[10]
Although the fact finder will typically be charged with determining materiality, a court may resolve the matter “if the adequacy of the disclosure or the materiality of the statement is so obvious that reasonable minds could not differ.”[11] As courts begin to apply the materiality test to cybersecurity incidents, they should look to industry standards to determine whether an event was material. [12] Cybersecurity, as a field, is constantly evolving, with new technological advances happening almost daily.[13] Without some guideposts other than the beliefs of a “reasonable shareholder,” courts are likely to disproportionately apply the materiality standard.
Prior to July 2023, the Ninth Circuit Court of Appeals issued a ruling that generic statements about a company’s cybersecurity problems were necessarily materially misleading.[14] Relying on a company memo which outlined vulnerabilities that clearly violated the General Data Protection Regulation (GDPR) and other cybersecurity best practices, the court found that omissions about such vulnerabilities violated the Securities Exchange Act requirements regarding material statements and omissions.[15] Without this framework guiding the Court, much of the analysis would have been spent on the particulars of the attack, potentially challenging the Court to determine the level of materiality of an attack before they could analyze the statements and omissions.
This decision also relied on the SEC’s Statement and Guidance on Public Company Cybersecurity Disclosures.[16] This guidance, published in 2018, notes that “[t]he materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.”[17] The language of the guidance, by itself, does not assist a company in determining what event would be material. Companies need to look to more specific information in order to discern whether an event was material.[18] A court, when challenged with reviewing a case brought by an investor against a company, must be able to objectively determine whether the incident was material. The SEC’s requirements, alone, do not provide the information necessary to do this, which is why they should turn to industry standards.
Since cybersecurity is a constantly evolving field, public companies are now tasked with keeping board members and directors at a proficient literacy level while maintaining a steady measure for determining a material incident.[19] The previous SEC cybersecurity requirements left a “regulatory grey area.” [20] The new materiality standard, with an additional expedited timeline, will prove challenging to the financial and business communities unless courts adopt a uniform standard to assess the materiality of cybersecurity incidents. In order to do this effectively, courts should adopt industry standards, so that businesses will have a clear path forward as they implement the new SEC guidelines.
[1] 17 C.F.R. pt. 229, 232, 239, 240, 249 (2023); see Press Release, Securities and Exchange Commission, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (July 26, 2023) (on file with author) (announcing the new rules).
[2] See Matthew Dolloff et. al., SEC Adopts new Rules on Cybersecurity Disclosure for Public Companies, Gibson Dunn(July 31, 2023), https://www.gibsondunn.com/sec-adopts-new-rules-on-cybersecurity-disclosure-for-public-companies/.
[3] 17 C.F.R. pt. 229, 232, 239, 240, 249.
[4] 426 U.S. 438 (1976) (applying the material standard within the context of securities fraud).
[5] Id. at 449; accord Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988) (restating the material standard); Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 38 (2011) (same).
[6] Matrixx Initiatives, 563 U.S. at 38.
[7] See Betsy Atkins, SEC Adopts new Cybersecurity Disclosure Rules, Forbes (July 27, 2023), https://www.forbes.com/sites/betsyatkins/2023/07/27/sec-adopts-new-cybersecurity-disclosure-rules/?sh=5e81d48ebf2b(“Some companies believe that the rules are a positive step, while others believe that the rules are too complex or could discourage companies from reporting cybersecurity incidents.”).
[8] See 17 C.F.R. pt. 229, 232, 239, 240, 249 (“We remind registrants, as the Commission did in the Proposing Release, that ‘[d]oubts as to the critical nature’ of the relevant information ‘will be commonplace’ and should ‘be resolved in favor of those the statute is designed to protect,’ namely investors.”).
[9] See Atkins, supra note 7.
[10] Howard Hirsch & Liuying Wu, SEC Adopts New Cybersecurity Disclosure Requirements, Nat’l L. Rev. (Sept. 5, 2023), https://www.natlawreview.com/article/sec-adopts-new-cybersecurity-disclosure-requirements#:~:text=The%20Securities%20and%20Exchange%20Commission,and%20governance%20by%20public%20companies.
[11] Khoka v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1014 (9th Cir. 2018).
[12] See S.E.C. v. Dain Rauscher, Inc., 254 F.3d 852 (9th Cir. 2001) (rejecting the SEC’s contention that the court should look beyond the industry standard in determining a standard of care); see e.g. Cybersecurity Framework, Nat’l Inst. of Standards and Tech. (Apr. 16, 20118); Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (1996), https://www.govinfo.gov/app/details/PLAW-104publ191; EU General Data Protection Regulation, Regulation 2016/679 2016 O.J. (L. 119/1).
[13] Vasu Jakkal, Cybersecurity Threats are Always Changing – Staying on Top of Them is Vital, Getting Ahead of Them is Paramount, Microsoft (Feb. 9, 2022), https://www.microsoft.com/en-us/security/blog/2022/02/09/cybersecurity-threats-are-always-changing-staying-on-top-of-them-is-vital-getting-ahead-of-them-is-paramount/.
[14] In Re Alphabet, Inc. Securities Litigation, 1 F.4th 687, 694 (9th Cir. 2021).
[15] Id.
[16] 17 C.F.R. pt. 229, 249 (2018).
[17] Id.
[18] Compare id. (“The materiality of cybersecurity risks and incidents . . . includes harm to a company’s reputation, financial performance, and customer and vender relationships . . .”) with Cybersecurity Framework, supra note 12 (setting guidelines in terms of “Framework Implementation Tiers” that cover risk management, external participation, risk tolerance, and cybersecurity outcomes).
[19] See Courtney Vien, Be Ready to Comply with the SEC’s new Cybersecurity Regs, CFO Brew (Sept. 14, 2023), https://www.cfobrew.com/stories/2023/09/14/be-ready-to-comply-with-the-sec-s-new-cybersecurity-regs; Atkins, supranote 3.
[20] Tom McKay, Here’s What to Know About SEC’s new Cybersecurity Disclosure Requirements, IT Brew (Sept. 21, 2023), https://www.itbrew.com/stories/2023/09/21/here-s-what-to-know-about-the-sec-s-new-cybersecurity-disclosure-requirements.