Cyberattack reporting requirements lack strength
New cyberattack disclosure requirements are designed to help publicly traded companies determine when they need to disclose that they have been the target of a cyberattack. But will they be effective?
You have undoubtedly seen the headlines about the Securities and Exchange Commission’s (SEC) new cyberattack disclosure requirements. The new requirements help publicly traded companies determine when they need to disclose that they have been the target of a cyberattack, and they essentially force publicly traded companies in the United States to report cyber incidents that could have a material influence on their business. In other words, the recent SEC guidance hinges on the relative significance a cyberattack has on an organization.
In the cyberattack context, material impact can be broadly defined as a cyber incident significant enough that it is likely to have a negative influence on the organization to the point where it affects the company’s stock. At this time, several rules appear to have been used in practice and in academia to quantify or measure materiality. Two common methods are to set the threshold as a percentage of the company’s total assets or as a percentage of the company’s total revenue.
So let’s examine this for a moment. If a $2 billion company were hit by a cyberattack and materiality were defined as a mere five percent of the organization’s revenues, then the total cost of the attack would need to reach $100 million before it had to be reported. Now imagine the company was the size of a major defense contractor such as General Dynamics or Northrop Grumman. Both are worth tens of billions of dollars, and both have been victims of cyberattacks in the last two years, according to media reports. Because of this, I don’t think we will be seeing many disclosures due to the reporting requirement.