Meredith recently blogged on statements made by Corp Fin Director Erik Gerding on materiality determinations and SEC disclosures about cyber incidents at publicly-traded companies. Meredith said companies should assess “all relevant factors” and not limit that assessment to the incident’s impact on the company’s financial condition and results of operation.
“[C]ompanies should consider qualitative factors alongside quantitative factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”
Echoing a key comment from SEC Speaks, the statement also adds the following (which is contemplated by Instruction 2 to Item 1.05):
There also may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact). In those cases, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.
While not immediately apparent, SEC’s cyber incident disclosure may cover some environmental incidents.
In March, EPA promulgated sweeping changes to the Risk Management Plan (RMP) rules that apply to facilities that hold specific “regulated substances” in excess of threshold quantities. In the rule’s preamble, passing references were made to cyber risk, but EPA didn’t acknowledge its true relevance to potential chemical releases. This is an odd oversight, especially since EPA is aware of such events: two weeks ago, EPA issued an Enforcement Alert on cybersecurity and risks at drinking water treatment plants, which – along with wastewater treatment plants – have been hacked in the past. EPA noted, “Foreign governments have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future.”
Most (but not all) water and wastewater treatment plants are municipal entities and not subject to SEC reporting, but the RMP rules cover a broad range of facilities regardless of whether they are owned/operated by municipalities or private companies. In cyber breaches resulting in an EPA-regulated matter, reporting companies will have to thoroughly assess the “qualitative factors alongside quantitative factors” related to the release/incident, including the possibility of litigation, to determine if the event also triggers SEC disclosure. Companies with an RMP that experience a release resulting from a cyber incident can look to that document’s Off-site Consequence Analysis (OCA). The OCA can be instructive for potential SEC cyber incident disclosures (if needed) as the OCA contains data about the significance/impact of a release, and it offers insight into the potential for litigation based on the community and businesses that are impacted.