Materially Missing the Mark With Cyber Event Disclosure Rules
February 3, 2025
A little over a year ago, the US SEC’s rules on cybersecurity incident disclosures took effect, mandating that all publicly traded companies report material cyber events within four days of determining that an event is material, unless exempted for national security or public safety reasons. The rationale behind these rules was that they would give investors and relevant stakeholders the information necessary to make better-informed decisions, thereby leading to more realistically priced options.
Unfortunately, while these event disclosures may have begun to make the marketplace more transparent with respect to cyber risk, they have failed to reflect the true, far-reaching impact that cyber events can have on broader economic stability. An examination of the past year’s incident reports on Form 8-K reveals that the SEC’s requirement that registrants consider an event’s materiality only from the internal perspective leaves a significant portion of the story untold.
Their narrow reporting framework leaves investors lacking crucial insights regarding the wider implications of cyber incidents, including their cascading effects on connected industries, supply chains, and overall market and consumer dynamics.
The SEC’s Requirements for Material Incident Reporting
The pivotal regulations instituted several new requirements for SEC registrants, not least of which was the obligation to disclose cyber events deemed materially impactful. This stipulation drew considerable pushback from the business community, primarily because of the ambiguous definition of “material”: the point at which a reasonable shareholder would consider the information important.
Once an event is deemed material, the organization is then expected to describe its nature, scope, and timing. However, the rules explicitly state that an incident of this level need only be disclosed if the company experiences it first-hand, whether financially, operationally, or otherwise. Requiring only the immediate, first-party consequences to be reported effectively excludes external impacts from the record.
The Case for Capturing External Impacts in Cyber Disclosures
For investors to fully grasp the implications of a cyber event, they must be provided with details that extend beyond what happened to the organization that experienced the direct impact, allowing them to examine the broader ripple effects. For instance, in the case of Progress Software's MOVEit data breach, in which a single file transfer program vulnerability compromised thousands of organizations, including governments, healthcare providers, and financial institutions, the third-party economic fallout far exceeded any threshold for materiality.
Nevertheless, had the rules been in effect at the time of the incident, investors would have remained woefully unaware of the true scale and systemic nature of the breach, were it not for media coverage, because such information would not have been required in the filing. To close this gap, regulators must prioritize disclosure of the broader external impacts a cyber incident will have and ensure they are factored into the materiality determination process.
This process means organizations would have to analyze and report on interdependencies between their entity and others and, similarly, include these relationships when detailing the scope of the event. By incorporating these dimensions into its disclosure frameworks, the SEC would simultaneously demonstrate a deeper understanding of the nature of cyber risk and enable investors to make informed decisions.
Without these insights made available to the public, the market remains vulnerable to hidden risks and mispriced options, undermining the transparency the SEC aims to achieve.
The CrowdStrike Business Outage: Billions of Dollars Lost Worldwide
CrowdStrike's faulty Falcon software update, which caused more than 8.5 million Microsoft Windows-powered devices to crash, sending businesses into chaos, stands as a stark example of the SEC's current materiality reporting framework's failure to capture the real-world significance of a cyber event. Airlines, banks, and healthcare institutions, among other essential entities, were unable to serve their customers for hours, sometimes days, resulting in a market loss of billions of dollars.
Despite these catastrophic consequences (Delta alone claims it lost hundreds of millions), the outage's materiality status remains officially undetermined. According to Item 8.01 of CrowdStrike's Form 8-K, the incident has yet to be classified as "material," as the company, as of July 2023, is still monitoring the fallout. Although the company's stock suffered in the immediate aftermath, its value, as of December 2024, has nearly recovered to its pre-event level, meaning that, in the long run and under the SEC's requirements, the event did not have material consequences.
This paradox underscores the need for a more nuanced approach to materiality determinations, one that accounts for both the impact the event has on the organization as well as on the wider marketplace. Without such reform, consumers and investors remain blind to third-party relationships and deprived of the transparency necessary to accurately assess the risks associated with such incidents.
The Live Nation Data Breach: Ongoing Customer Ticket Theft
Live Nation's disclosure of the May 2024 Ticketmaster data breach likewise illustrates the misunderstanding the SEC has of the broader marketplace consequences of cyber incidents. Although Live Nation acknowledged the compromise of their cloud environment, which saw the exposure of sensitive data belonging to roughly 560 million customers, the company's regulatory filing under Item 8.01 on Form 8-K claimed that the breach was "not reasonably likely to have a material impact" on its financial condition or operations.
While that assessment may be accurate, it plainly neglects the more extensive implications of the breach. Beyond the initial data compromise, the stolen information has fueled an ongoing wave of ticket theft, with customers discovering that their profiles had been hacked and tickets for major performances transferred to unknown accounts. These incidents have left consumers extremely frustrated, facing lengthy recovery processes and, in some cases, unable to attend the events they had paid for.
Indeed, already strained due to the data breach and longstanding complaints over pricing practices and virtual queues, public trust in Ticketmaster has continued to erode months after the initial publicly disclosed cyber event. This reputational damage risks driving new customers away, potentially motivating shareholders to pull their investments and transfer them to a more reliable stock option, even if the immediate financial and operational hit to Live Nation was negligible.
Moreover, the breach's cascading effects have disrupted numerous events, affecting venues, artists, and attendees, none of which is accounted for under the SEC's current materiality criteria. By focusing solely on Live Nation's internal losses, the reporting framework fails to capture the systemic impacts of the breach, leaving investors and the public without a full understanding of the risk and, again, underscoring the need for disclosure standards that reflect the true scope of cyber events.
Regulatory Gaps in Other Cyber Disclosures Leave Investors Uninformed
The systemic effects being excluded from cyber incident disclosures aren't limited to CrowdStrike or Live Nation. Numerous other corporations have reported breaches or other types of cyber incidents under the SEC's 2023 cybersecurity laws. However, given the SEC’s current reporting framework, these organizations have legally avoided labeling them as material, leaving shareholders unaware of the broader implications. For instance, Microchip Technology Inc., a company that manufactures integrated circuits for countless other companies, disclosed an event, claiming it was not material to its operations.
Newpark Resources Inc., which serves the energy sector with various technologies and solutions, and Globe Life Inc., which provides financial and insurance services across the market, have likewise submitted 8-Ks stating that their respective data breaches were internally immaterial. This leaves unanswered questions about how their customers, and potentially entire connected industries, were impacted, meaning investors will have to discover this crucial information on their own.
When Materiality Falls Short: The SEC’s Flawed Cyber Risk Framework
In its current state, the US SEC's materiality reporting framework is fundamentally ill-suited to the realities of modern cybersecurity. While debates over the ambiguous definition of "materiality" have dominated disclosure discussions, a more critical flaw lies in the legislation's overly narrow scope. By requiring organizations to consider only the financial and operational consequences they have faced internally in the wake of an event, the SEC neglects the broader market effects entirely.
This oversight has created a dangerous blind spot for investors, undermining not only the original goal of fostering market transparency but also informed decision-making. True reform requires the SEC to expand its reporting requirement to cover both the direct and the systemic impacts of cyber incidents, whether malicious or otherwise. Only with this shift will the marketplace be able to accurately assess and price the risks associated with cyber events, ensuring the stability and integrity of the modern economic landscape.
To learn more about materiality reporting, addressing third-party cyber risk, and deciphering the US SEC’s cybersecurity regulations, contact one of Kovrr’s cyber risk management experts today.