Since our earlier article about changes to the SEC’s rules for cyber breach disclosure and the inclusion of new information about cyber risk management in company annual reports, we have been thinking more about the nature of materiality, by which we mean the threshold beyond which a company must disclose that its cyber security has been compromised.
Materiality is not a definition or determination that the company alone can make: the Supreme Court has held that a fact is material if there is:
“A substantial likelihood that the….fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available”
Therein lies the problem. In the past, stockholders appear to have reacted both precipitously and negatively to news of a cyber breach: some companies’ stock price has fallen 30% overnight, and there is research suggesting that breached companies’ stock price tends to recover more slowly than that of their peers for a long period after a breach has been announced.
The SEC leaves it to the company to determine how long may elapse between discovery of a breach and a determination of materiality, saying only that the delay should not be unreasonable. Once that determination has been reached, US-domiciled companies have four days to file an 8-K statement. Foreign companies must instead file a 6-K statement (the foreign company position is slightly nuanced: the SEC expects them to disclose no less information than they disclose to their domestic market), so practice will vary considerably by jurisdiction.
So, whilst internal auditors, management and investor relations people may have a fairly good grip on what matters to their investors from a financial point of view, they have little or no experience of investors’ attitudes towards cyber risk. The risk to the company of an adverse stockholder reaction is therefore significant, even if the company’s response to the breach was world-class.
Cyber breach disclosure is not the same as a financial disclosure: the full extent of the damage may not be known for weeks or months, and initial estimates may be wrong. Multiple 8-K updates may further alienate stockholders who do not understand how a breach unfolds.
This requirement for enhanced disclosure is an important step for transparency, and is to be welcomed. There may however be unintended consequences: poorly managed companies might fall prey to short sellers and aggressive investor behaviour, rendering them more vulnerable to predatory takeover attempts, for example. One might think that this would be an incentive for companies to invest more in cyber security to avoid such an eventuality, but there is still quite a gap between company rhetoric and reality on the ground, and investors are well placed to challenge management on the seriousness of their approach to cyber security.
In our view, companies do better by being fully transparent about what has happened and what they are doing to remedy the situation. Appropriate insurance cover is one means of mitigating downside risk. Cyber insurance will support a company in managing any cyber claims and, just as importantly, will protect the company’s balance sheet and therefore offer protection to its investor stakeholders. Cyber insurance therefore plays an important function in the board’s consideration of materiality.
The one thing that is certain is that a protracted breach and a difficult recovery are colossal consumers of management time, cost an enormous amount and will undoubtedly affect a company’s financial performance. Prepare well and most cyber attacks will not reach the materiality threshold at all.
As always, we are here if you wish to discuss the above or any other cyber related topic.