
SEC Assessment Three Months into Enforcement of Cybersecurity Disclosure Regulations

In the face of growing and devastating cyber threats, businesses are finding it hard to put a precise financial figure on the consequences of a cyberattack.


In the ever-evolving landscape of cybersecurity, the importance of timely and accurate reporting of incidents has become increasingly significant. This is particularly true for publicly traded companies, which are now required to adhere to the Securities and Exchange Commission's (SEC) cyber incident reporting rule.

Fidelity National Financial, a prominent financial services company, found itself in this spotlight when it disclosed a cyberattack in an 8-K filing with the SEC in mid-November. The AlphV/BlackCat ransomware gang claimed responsibility for the attack, but Fidelity National Financial did not expect the attack to have a material impact on earnings. However, the company disclosed additional details about the attack in an amended January filing.

The SEC's reporting rule mandates that companies report an incident within four business days of determining materiality. This determination involves considering a mix of qualitative and quantitative factors.

Quantitative factors, such as financial impact and operational disruption, are crucial in assessing materiality. Financial impact can include direct costs like ransomware payments, estimated losses, and effects on revenue. Operational disruption might be measured by the length of service interruptions. Sensitive financial thresholds, such as a 0.5% or 0.01% revenue-impact benchmark, can help flag incidents that are likely to be material.

On the other hand, qualitative factors are equally important. These include the sensitivity and type of data involved, potential impact on company reputation, probable future impacts, contextual considerations, and whether the incident is part of a series of related unauthorized occurrences. For instance, breaches involving personally identifiable information (PII), trade secrets, or data related to national security are more likely to be material.

In the case of Fidelity National Financial, it was reported that 1.3 million customers were potentially impacted by the attack. This, along with other qualitative factors, could have contributed to the company's decision to disclose additional details in its amended January filing.

Other companies have faced similar challenges in determining materiality. MGM Resorts, for example, disclosed a September cyberattack that it expected to have a $100 million financial impact on its Las Vegas-area properties. The company is currently facing investigations from state and federal regulators.

The complex nature of materiality assessments has led to concerns in the past, with some companies concealing ransomware attacks due to fears of reputational damage and investor and customer liability. However, as Erik Gerding, director of the SEC's division of corporate finance, explained, companies often need time to gather information from third-party forensic investigators and understand the full impact of an attack.

In conclusion, companies should use a combined quantitative-qualitative framework to evaluate current and anticipated impacts on financial condition, operations, and business reputation to meet SEC disclosure requirements. This approach, often aided by heuristics, can help companies navigate the complex landscape of cybersecurity incident reporting and maintain transparency with their investors and the public.

  1. The timely and accurate reporting of cybersecurity incidents, as required by the Securities and Exchange Commission (SEC), is crucial, particularly for publicly traded companies like Fidelity National Financial.
  2. Fidelity National Financial, in an 8-K filing with the SEC, disclosed a cyberattack and the AlphV/BlackCat ransomware gang claimed responsibility, but the company did not expect the attack to have a material impact on earnings.
  3. In determining materiality, companies must consider both quantitative factors, such as financial impact and operational disruption, and qualitative factors, including the sensitivity and type of data involved, potential impact on company reputation, and whether the incident is part of a series of related unauthorized occurrences.
  4. Companies should use a combined quantitative-qualitative framework to evaluate current and anticipated impacts on financial condition, operations, and business reputation to meet SEC disclosure requirements and maintain transparency with investors and the public.
