Question: How should cybersecurity leaders navigate the US Security and Exchange Commission’s (SEC) cybersecurity disclosure regulations regarding material cyber events and risks?
Yakir Golan, CEO and co-founder, Kovrr: Although what constitutes a material cyber-risk or incident is, by definition, contextual, the room for interpretation given by the SEC has resulted in striking reporting inconsistencies among both Forms 8-K and 10-K. In some instances, shareholders are rightly provided with enough detail to make informed investment decisions, while in others they’re left considerably wanting.
Already on one occasion, the SEC was compelled to issue a follow-up to an ostensibly sparse 8-K disclosing a material cyber event, reiterating the original requirements and demanding that additional information regarding the impact be promptly submitted in an amendment. While there have not yet been harsher, more punitive consequences for these insubstantial disclosures, it’s only a matter of time until the grace period ends.
Generating Materiality Frameworks With Loss Thresholds
One of the most concrete pieces of guidance the SEC offers registrants for materiality reporting is to consider…
