SEC cybersecurity disclosure rules: Cracking the code on materiality and reporting

February 27, 2024

Navigating materiality considerations and cybersecurity reporting

As public companies face increasing threats from malicious actors targeting their information systems and proprietary data, cybersecurity has become a key agenda item for boards[1] and audit committees[2] in 2024. Against this backdrop, the US Securities and Exchange Commission (SEC) implemented new rules, effective December 18, 2023, requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days. Additionally, detailed information regarding their cybersecurity risk management and governance must be included on Form 10-K.[3] These rules demonstrate the SEC’s focus on the criticality of cybersecurity disclosures in formal financial reporting.

However, the implementation of the new rules has raised many questions specific to materiality. The SEC treats an incident as material if “a reasonable shareholder would consider it important” in making an investment decision.[4] In other words, an incident is material if it significantly impacts a company’s operations, financial position, reputation, or legal obligations.

This definition of materiality presents challenges for companies in assessing the significance of cybersecurity incidents and, in turn, supporting disclosure decisions to regulators and other interested parties. Establishing a clear process for determining the materiality of a cyber incident and ensuring proper mechanisms are in place to aid in this determination are crucial for fostering trust in the business, its cybersecurity, and the capital markets.

Identifying triggers for material cybersecurity incidents

It is up to each company to consider an array of factors surrounding a cyber incident to determine whether it meets the materiality threshold. Importantly, these factors must take into account both the actual and expected impacts of the cyber event.

One of the key difficulties that companies are encountering in assessing materiality is the need to consider qualitative factors in addition to the quantitative factors that they may be more accustomed to in financial reporting. Additionally, cybersecurity reporting requires that the information technology (IT) function play an integral role in assessing materiality—a task that is traditionally assigned to the finance or controller function.

As a starting point for assessing the materiality of a cyber incident, consider the following factors:
These factors are not exhaustive and may vary depending on the specific circumstances of each incident, but they provide a starting point for identifying and assessing the quantitative and qualitative impact of a breach. Importantly, these factors leave room for interpretation, necessitating further due diligence before determining materiality.

Applying new and existing materiality frameworks to cyber incident reporting

Quantitative and qualitative factors are a solid starting point for assessing materiality. However, it would be more sophisticated and prudent to leverage a combination of these factors and an established materiality framework. Most organizations already have established structures and processes for determining the severity of an operational incident. These existing frameworks, such as Enterprise Risk Management (ERM) programs, business impact assessments, Business Continuity and Disaster Recovery (BCDR) strategies, incident response strategies, and data governance and data privacy strategies, can serve as a foundation for a basic materiality framework when applied to cyber incidents.

In addition to internal frameworks, companies are starting to leverage publicly available external frameworks for assessing materiality in cyber and other accounting topics. One example is the Factor Analysis of Information Risk (FAIR) Institute Materiality Framework, based on the FAIR™ model.[5] This framework offers a detailed taxonomy of loss categories and expands the loss magnitude factor, enabling companies to quantify the impact of cyber incidents, report financial risk, and track the total cost.

Ultimately, companies should choose the framework that best suits their functions, whether it is internally developed, externally sourced, or a combination of the two. Regardless of the chosen framework, it is crucial to properly document all cyber incident materiality processes and decision points in a manner that regulators can easily interpret.

Integrating cyber response and disclosure teams

A common mistake in evaluating materiality is looking at a cyber incident solely from the perspective of the impacted company. Instead, materiality must be determined objectively and through the lens of outside stakeholders. In other words, companies must carefully determine whether an investor would consider the information related to a cyber event material to their investment decision.

In an effort to bring this multistakeholder lens to cybersecurity, many organizations are developing cross-functional disclosure committees consisting of C-suite executives, general counsel, board representatives, and finance personnel who are responsible for assessing cyber incident fact patterns and, ultimately, making the materiality determination. Integrating representatives from the existing cyber response team into the disclosure committee can facilitate a swift and comprehensive response.

The disclosure committee should be prepared to discuss various aspects of the incident and response. Consider the following questions as a starting point:

  • What is the nature of the cyber incident (e.g., a data breach, ransomware attack, or system compromise)?
  • What is the extent of the incident’s impact on our systems, data, and operations? Did the incident impact systems related to financial reporting and internal controls over financial reporting?
  • Does the incident involve sensitive or regulated data (e.g., personal information and financial data)?
  • Are there regulatory obligations or compliance requirements associated with the affected data?
  • What strategies have we employed to contain and rectify the incident? How are we communicating with internal and external stakeholders who may have been impacted?
  • How are we calculating the financial ramifications of the incident? How are we accounting for related expenses and liabilities?
  • Have we evaluated the accounting considerations around software expense capitalization, particularly if the remediation efforts result in enhancements?
  • Once the incident is resolved, how should we revise our risk disclosures and financial statements accordingly?
  • How are we adhering to the SEC disclosure requirements and other relevant laws and regulations? Have we assessed potential legal risks and impending lawsuits?
  • Have we documented our materiality considerations at the right level of detail?

Navigating Form 8-K and Form 10-K disclosures

If a cyber incident is deemed material, then the company must disclose it on Form 8-K within four business days of making this determination.

On Form 10-K, in accordance with SEC guidelines, companies are required to disclose material information, and the evolving threat landscape of cybersecurity is increasingly recognized as a material factor. Therefore, companies must assess and disclose the impact of cybersecurity risks and incidents on their financial position, operations, and reputation. This disclosure should encompass the nature and scope of cyber threats faced, potential financial ramifications, management oversight, board governance, and the effectiveness of the organization’s cybersecurity measures.

Cybersecurity in the new regulatory environment

The sophistication of cyber threats is only increasing, and in turn, regulation is ramping up. To navigate this new terrain successfully, companies must reevaluate their cyber response strategies while prioritizing materiality considerations. While this may seem like a daunting task, fortunately, companies can leverage existing operational processes and frameworks related to materiality and apply them to cybersecurity scenarios. Additionally, fostering cross-functional collaboration and maintaining thorough documentation can enable companies to better address cyber risks today while remaining nimble for potential incidents in the future.

Footnotes

  1. KPMG Board Leadership Center, On the 2024 Board Agenda, December 7, 2023.
  2. KPMG Board Leadership Center, On the 2024 Audit Committee Agenda, December 7, 2023.
  3. Matthew Johnson, Doron Rotman, and Maksim Vander, “Navigating the SEC’s New Cybersecurity Disclosure Rules,” News and Perspectives, September 2023.
  4. KPMG LLP, “SEC Staff Issues New C&DIs on Cybersecurity Rules,” December 2023.
  5. “An Introduction to the FAIR Materiality Assessment Model,” Fair Institute, accessed February 2, 2024.
  6. This graphic depicts possible activities corresponding to the preparation of Form 8-K Item 1.05 and is not part of the rule.
  7. The information in this graphic is not all inclusive.
  8. This graphic depicts possible activities corresponding to Regulation S-K Items 106(b) and 106(c) and is not part of the rule.