The Securities and Exchange Commission (SEC) in the United States approved their cyber rules on July 2023, originally proposed in March 2022 for public comments (SEC, 2022; 2023). This has sparked many conversations about how the board of directors and executive management should think about cybersecurity and to what extent public disclosures should be made about cybersecurity incidents and risks. Most notable among them is the requirement that material cyber incidents be reported within four days. Under this new rule, affected companies have to file on Form 8-K the details of the potential effects of the incident.
This has brought significant focus to what constitutes a material incident. This paper will outline the history of what constitutes a material event and its applicability to the cyber world. We will end with specific, quantitative guidance on how firms can assess a material impact suitable for SEC disclosure. This approach to determining financial materiality may be helpful in responding to SEC cyber disclosure rules. Readers should keep in mind that there are also non-financial triggers for materiality that must be considered, which is outlined in the heuristic below.