Insights

Fresh thinking and actionable insights that address critical issues your organization faces.

Learn more

Resources

Services

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

View all Alliances

Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more
Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

SEC cybersecurity disclosure rules: Cracking the code on materiality and reporting

February 27, 2024
Download PDF
Share

Navigating materiality considerations and cybersecurity reporting

As public companies face increasing threats from malicious actors targeting their information systems and proprietary data, cybersecurity has become a key agenda item for boards[1] and audit committees[2] in 2024. Against this backdrop, the US Securities and Exchange Commission (SEC) implemented new rules, effective December 18, 2023, requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days. Additionally, detailed information regarding their cybersecurity risk management and governance must be included on Form 10-K.[3] These rules demonstrate the SEC’s focus on the criticality of cybersecurity disclosures in formal financial reporting.

However, the implementation of the new rules has raised many questions specific to materiality. The SEC defines a material incident as a matter to which “a reasonable shareholder would consider it important” in making an investment decision.[4] In other words, an incident is material if it significantly impacts a company’s operations, financial position, reputation, or legal obligations.

This definition of materiality presents challenges for companies in assessing the significance of cybersecurity incidents and, in turn, supporting disclosure decisions to regulators and other interested parties. Establishing a clear process for determining the materiality of a cyber incident and ensuring proper mechanisms are in place to aid in this determination are crucial for fostering trust in the business, its cybersecurity, and the capital markets.

Identifying triggers for material cybersecurity incidents

It is up to each company to consider an array of factors surrounding a cyber incident to determine whether it meets the materiality threshold. Importantly, these factors must take into account both the actual and expected impacts of the cyber event.

One of the key difficulties that companies are encountering in assessing materiality is the need to consider qualitative factors in addition to the quantitative factors that they may be more accustomed to in financial reporting. Additionally, cybersecurity reporting requires that the information technology (IT) function play an integral role in assessing materiality—a task that is traditionally assigned to the finance or controller function.

As a starting point for assessing the materiality of a cyber incident, consider the following factors:

 

 

These factors are not exhaustive and may vary depending on the specific circumstances of each incident, but they provide a starting point for identifying and assessing the quantitative and qualitative impact of a breach. Importantly, these factors leave room for interpretation, necessitating further due diligence before determining materiality.

Applying new and existing materiality frameworks to cyber incident reporting

Quantitative and qualitative factors are a solid starting point for assessing materiality. However, it would be more sophisticated and prudent to leverage a combination of these factors and an established materiality framework. Most organizations already have established structures and processes for determining the severity of an operational incident. These existing frameworks, such as Enterprise Risk Management (ERM) programs, business impact assessments, Business Continuity and Disaster Recovery (BCDR) strategies, incident response strategies, and data governance and data privacy strategies, can serve as a foundation for a basic materiality framework when applied to cyber incidents.

In addition to internal frameworks, companies are starting to leverage publicly available external frameworks for assessing materiality in cyber and other accounting topics. One example is the Factor Analysis of Information Risk (FAIR) Institute Materiality Framework, based on the FAIR™ model.[5] This framework offers a detailed taxonomy of loss categories and expands the loss magnitude factor, enabling companies to quantify the impact of cyber incidents, report financial risk, and track the total cost.

Ultimately, companies should choose the framework that best suits their functions, whether it is internally developed, externally sourced, or a combination of the two. Regardless of the chosen framework, it is crucial to properly document all cyber incident materiality processes and decision points in a manner that regulators can easily interpret.

Integrating cyber response and disclosure teams

A common mistake in evaluating materiality is looking at a cyber incident solely from the perspective of the impacted company. Instead, materiality must be determined objectively and through the lens of outside stakeholders. In other words, companies must carefully determine whether an investor would consider the information related to a cyber event material to their investment decision.

In an effort to bring this multistakeholder lens to cybersecurity, many organizations are developing cross-functional disclosure committees consisting of C-suite executives, general counsel, board representatives, and finance personnel who are responsible for assessing cyber incident fact patterns and, ultimately, making the materiality determination. Integrating representatives from the existing cyber response team into the disclosure committee can facilitate a swift and comprehensive response.

The disclosure committee should be prepared to discuss various aspects of the incident and response. Consider the following questions as a starting point:

  • What is the nature of the cyber incident (e.g., data breach, ransomware attack, and system compromise)?
  • What is the extent of the incident’s impact on our systems, data, and operations? Did the incident impact systems related to financial reporting and internal controls over financial reporting?
  • Does the incident involve sensitive or regulated data (e.g., personal information and financial data)?
  • Are there regulatory obligations or compliance requirements associated with the affected data?
  • What strategies have we employed to contain and rectify the incident? How are we communicating with internal and external stakeholders who may have been impacted?
  • How are we calculating the financial ramifications of the incident? How are we accounting for related expenses and liabilities?
  • Have we evaluated the accounting considerations around software expense capitalization, particularly if the remediation efforts result in enhancements?
  • Once the incident is resolved, how should we revise our risk disclosures and financial statements accordingly?
  • How are we adhering to the SEC disclosure requirements and other relevant laws and regulations? Have we assessed potential legal risks and impending lawsuits?
  • Have we documented our materiality considerations at the right level of detail?

Navigating Form 8-K and Form 10-K disclosures

If a cyber incident is deemed material, then the company must disclose it on Form 8-K within four business days of making this determination.

On Form 10-K, in accordance with SEC guidelines, companies are required to disclose material information, and the evolving threat landscape of cybersecurity is increasingly recognized as a material factor. Therefore, companies must assess and disclose the impact of cybersecurity risks and incidents on their financial position, operations, and reputation. This disclosure should encompass the nature and scope of cyber threats faced, potential financial ramifications, management oversight, board governance, and the effectiveness of the organization’s cybersecurity measures.

Cybersecurity in the new regulatory environment

The sophistication of cyber threats is only increasing, and in turn, regulation is ramping up. To navigate this new terrain successfully, companies must reevaluate their cyber response strategies while prioritizing materiality considerations. While this may seem like a daunting task, fortunately, companies can leverage existing operational processes and frameworks related to materiality and apply them to cybersecurity scenarios. Additionally, fostering cross-functional collaboration and maintaining thorough documentation can enable companies to better address cyber risks today while remaining nimble for potential incidents in the future.

Footnotes

  1. KPMG Board Leadership Center, On the 2024 Board Agenda, December 7, 2023.
  2. KPMG Board Leadership Center, On the 2024 Audit Committee Agenda, December 7, 2023.
  3. Matthew Johnson, Doron Rotman, and Maksim Vander, “Navigating the SEC’s New Cybersecurity Disclosure Rules,” News and Perspectives, September 2023.
  4. KPMG LLP, “SEC Staff Issues New C&DIs on Cybersecurity Rules,” December 2023.
  5. “An Introduction to the FAIR Materiality Assessment Model,” Fair Institute, accessed February 2, 2024.
  6. This graphic depicts possible activities corresponding to the preparation of Form 8-K Item 1.05 and is not part of the rule.
  7. The information in this graphic is not all inclusive.
  8. This graphic depicts possible activities corresponding to Regulation S-K Items 106(b) and 106(c) and is not part of the rule.
close
Contributors
See moreSee more
close
Media contacts
See moreSee more

Download the document:

SEC cybersecurity disclosure rules

Download PDF

Explore more

Insight
Webcast Replay Webcast Upcoming Listen Now

SEC doubles down on cyber risk management accountability

KPMG and ServiceNow detail how new rules apply to public companies and provide tips to avoid gambling with cyber risk disclosure.

Read more
Insight
Webcast Replay Webcast Upcoming Listen Now

Corporate Controller & CAO Hot Topics: Cybersecurity Reporting Spotlight

Emerging regulations mean that bolstering a company’s cybersecurity capabilities is no longer an option, but a requirement.

Read more
News
Webcast Replay Webcast Upcoming Listen Now

AI's Role in Enhancing Trust in Financial Reporting & Capital Markets

AI is set to revolutionize financial reporting and audit, with many financial reporting functions adopting AI and generative AI.

Read more
News
Webcast Replay Webcast Upcoming Listen Now

Navigating Enhanced Cybersecurity Regulations

As regulatory requirements around cybersecurity increase and threats become more severe, it will be crucial to manage risks by ensuring governance is in place to protect sensitive information.

Read more
News
Webcast Replay Webcast Upcoming Listen Now

Navigating the SEC’s new cybersecurity disclosure rules

The SEC finalized its cybersecurity disclosure rules for public companies, and now the race to comply is on.

Read more

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2024 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline