
Sleek Cyber Reporting for Smaller Companies


TL;DR:

  • Smaller organizations are now required to report material cyber events to the SEC as of June 15, 2024.
  • Materiality determination is complex, but leveraging quantitative loss thresholds can help streamline the process.

According to the article “Cyber Materiality Reporting for Smaller Companies,” smaller reporting companies are now subject to the SEC’s material cyber event reporting regulations. Determining materiality can be challenging, but quantitative loss thresholds, such as one basis point of revenue, can help stakeholders decide efficiently whether an event is material. Kovrr’s Materiality Analysis feature within the on-demand cyber risk quantification (CRQ) platform can help stakeholders calculate these thresholds and ensure compliant disclosures.

In March 2022, the SEC introduced cybersecurity regulations that smaller companies thought they should be exempt from because of the high costs. The SEC did not provide exemptions, but it granted smaller entities an additional 180 days to comply with material cyber event reporting. The article emphasizes the struggles larger companies have faced in complying with the regulations and how smaller organizations can leverage frameworks and quantitative values to streamline materiality determinations.

Determining materiality requires assessing various consequences like financial loss, data compromise, operational impacts, and reputational damage. Utilizing quantitative loss benchmarks can provide a structured framework for stakeholders to make informed decisions and ensure compliance with SEC regulations. Through Kovrr’s CRQ platform, organizations can calculate materiality thresholds and streamline disclosures for Form 8-K and Form 10-K reports.

By using quantitative values as a starting point for the materiality determination process, companies can efficiently decide whether an event is legally considered material or not. Even if the thresholds are not surpassed, they provide a solid basis for explaining reporting decisions both to the SEC and investors. Developing a standardized materiality determination framework can help smaller entities avoid compliance issues and enhance transparency in cybersecurity reporting.

Ultimately, leveraging quantitative benchmarks and frameworks can aid organizations, regardless of size or industry, in complying with SEC regulations, maintaining investor trust, and efficiently managing cyber risks.
