New rules governing when publicly traded companies must report serious cyberattacks to financial regulators center on materiality. Executives disagree on whether the concept is as simple as it seems. The U.S. Securities and Exchange Commission adopted final rules last week that require companies listed on stock exchanges to report cyberattacks no later than four days after they determine a hack will have a material impact. Most companies must begin reporting such attacks on Dec. 18, using an 8-K form.
“Materiality questions are not easy questions at all,” said Lona Nallengara, a partner at law firm Shearman & Sterling, who previously served as chief of staff for former SEC chair Mary Jo White. Unlike a factory fire that immediately knocks out production, a cyberattack’s fallout might not be apparent right away, said Michael Oberlaender, an independent consultant and former chief information security officer who serves on the board of the greater Houston chapter of Isaca, a technology governance training organization. What looks like a minor breach of 100 customer records might be discovered to be one million as an investigation continues.
It is common to see companies disclose a pileup of attack costs with each quarterly financial statement, he added. “Impact comes to light over weeks and months,” he said. The SEC’s central argument is that investors should be informed about cyber incidents that can affect a company’s financial health and performance.
Read more on livemint.com