The Problem with "Material Impact" in the SEC's Cybersecurity Guidelines: Why Letting Companies Decide Makes No Sense
Few terms are as significant and slippery in corporate regulation as "material impact." This phrase, baked into the U.S. Securities and Exchange Commission's (SEC) regulations, is crucial in determining what companies must disclose to investors. While "materiality" is a well-worn concept in financial disclosures, its application in the context of cybersecurity breaches is fraught with challenges, contradictions, and, frankly, a lack of sense.
In the SEC's recent guidance on cybersecurity risk disclosure, companies are tasked with determining whether a cyber incident has had a "material impact" on their business. This means companies decide if a cyber breach is significant enough to be shared with investors. The problem is that leaving this decision in the hands of companies—especially in an industry as complex and fast-evolving as cybersecurity—opens the door to inconsistencies, downplayed disclosures, and, ultimately, a lack of transparency for stakeholders. Let's break down why this is a severe issue.
What Is "Material Impact"?
The term "material impact" is a legal and financial concept used by the SEC to determine when a company must disclose information to investors. Generally, something is considered material if there's a substantial likelihood that a reasonable investor would consider it important when making investment decisions. In simpler terms, investors have the right to know if something happens that could affect a company's stock price.
In cybersecurity, material impact could theoretically apply to many cyber incidents—from minor phishing attacks to massive breaches of sensitive customer data. However, the problem lies in who decides what is material.
The SEC's 2023 cybersecurity guidelines require companies to disclose material cyber risks and incidents. However, the wording leaves it up to companies to determine when a breach is serious enough to be "material." The underlying assumption here is that companies can reliably self-assess the importance of a cyber incident and act in the best interests of investors.
And therein lies the issue.
The Flawed Logic of Self-Assessment in Cybersecurity
Allowing companies to define "material" in cybersecurity is like letting a fox guard the henhouse. This approach is problematic for several reasons.
Incentives to Downplay Breaches
Companies have an inherent conflict of interest when reporting cyber incidents. No one wants to be the next big headline for a data breach. Publicly disclosing a major cybersecurity failure can tank stock prices, ruin consumer trust, and invite regulatory scrutiny. When a company can determine what constitutes "material impact," it's no surprise that they might lean toward underreporting breaches or minimizing their significance.
Any business's primary motivation is to protect its bottom line. Therefore, if a cyber breach can be handled quietly without public disclosure, many companies might opt to downplay the incident—labeling it as "non-material"—to avoid fallout. This selective reporting can lead to investors being kept in the dark about significant cybersecurity risks, undermining the purpose of the SEC's disclosure requirements.
Cybersecurity is a Complex and Evolving Threat Landscape
Cybersecurity incidents are notoriously challenging to evaluate in terms of impact, especially at the outset. The damage from a breach isn't always immediate or obvious. For example, sensitive customer data or intellectual property might be stolen, but the full implications—like customer lawsuits, regulatory penalties, or lost business—could take months or even years to manifest. By the time a company determines an incident is material, it could be too late for investors to react appropriately.
The complexity of cybersecurity threats also means that even well-intentioned companies may struggle to assess the long-term impact of an incident accurately. For instance, how do you quantify the material impact of a ransomware attack that was stopped before data was stolen but forced the company to shut down operations for several days? The costs include lost revenue, reputational damage, and the expense of beefing up security. However, because these costs are harder to pin down, a company might decide the impact isn't material and withhold the information from investors.
Lack of Standardization in Assessing Material Impact
Different industries, companies, and boards of directors may have vastly different interpretations of what constitutes "material." For some, a brief disruption in operations caused by a malware attack might be considered minor and not worth disclosing. For others, the same incident could trigger a significant stock dip and thus be considered material.
This lack of standardization creates a gray area in reporting. Without clear, uniform guidelines on what types of cyber incidents must be disclosed, companies are left to make judgment calls that lead to inconsistency across the market. For example, a breach at a financial institution might have far-reaching implications because of the sensitive data involved. In contrast, a similar breach at a manufacturing company might be deemed less material due to the nature of its operations. However, both incidents could pose severe risks to investors, depending on how the fallout unfolds.
"Not Material": A Get-Out-of-Jail-Free Card
One of the most problematic aspects of the SEC’s guidance is the way the phrase “not material” can be used by companies reporting breaches. If a company labels a cybersecurity incident as "not material," it essentially gives itself a get-out-of-jail-free card. Here’s why this is a major issue:
When companies report a breach as "not material," they can avoid the scrutiny that typically follows a major data breach disclosure. If investors or the public don’t hear about the breach, there's no panic, no drop in stock price, and no hit to the company's reputation. This provides a perverse incentive for companies to downplay or outright hide breaches that may still pose significant risks in the long term.
For example, a company might suffer a breach in which hackers access sensitive customer data. If the company decides this breach isn’t material because it doesn't immediately affect its finances, they might not disclose it. However, this doesn't mean that the breach won’t eventually lead to lawsuits, regulatory fines, or lost customer trust—all of which could hit the company hard later. The “not material” label becomes a shield to avoid immediate responsibility and kick the can down the road.
Worse, it leaves investors in the dark. If a company determines a breach isn’t material, stakeholders may never find out that customer data was exposed or that intellectual property was stolen—until it’s too late. It’s a dangerous loophole that allows companies to essentially sweep significant incidents under the rug.
The Real Impact: What About the Individuals Affected?
One of the biggest blind spots in the SEC’s “material impact” framework is the lack of consideration for the individuals affected by a cyber breach. While the concept of materiality focuses on what is significant to a company’s financials, it entirely ignores the potential impact on individuals whose data has been compromised.
Take, for example, a breach that exposes the personal information of thousands of customers. For the company, this might not immediately affect its bottom line—there may be no noticeable stock dip, and operations could continue as usual. But for the people whose Social Security numbers, credit card information, or personal health records are exposed, the impact is immense. Identity theft, financial loss, and privacy violations are very real consequences for individuals, even if the company itself doesn’t feel an immediate sting.
The idea that a company can decide whether a breach is “material” based solely on its own business perspective completely disregards the very real, personal impact on those whose data is compromised. This disconnect highlights a major flaw in the SEC’s reliance on companies to define materiality in the context of cybersecurity.
While a breach may not seem material to the business, it could still have devastating consequences for those affected. Yet, under the current system, these people may never even find out their information was exposed if the company deems the breach "not material."
Why the SEC Needs to Clarify Cyber Materiality
The SEC's goal in requiring disclosures about cybersecurity risks is to provide investors with enough information to make informed decisions. However, if companies can determine materiality independently, we end up with a system where potentially significant cyber risks are swept under the rug.
So, what can be done to fix this?
One solution is for the SEC to establish more precise guidelines for when a cyber incident must be disclosed. Rather than leaving materiality entirely up to the company, the SEC could implement a set of thresholds—based on factors like the number of records exposed, the nature of the data compromised, or the duration of the disruption—that would trigger mandatory disclosure. This would help eliminate the guesswork and ensure consistency across companies and industries.
Another potential fix is requiring third-party assessments to determine the materiality of cybersecurity incidents. Independent cybersecurity auditors could evaluate a breach's impact and determine whether it meets the threshold for disclosure. This would reduce the conflict of interest that arises when companies make the call themselves and add an additional layer of oversight to the process.
In some industries, like financial services, there are already requirements for real-time incident reporting to regulators. Extending this model to cybersecurity across all sectors could help ensure timely disclosure. Rather than waiting for companies to decide whether an incident is material, the SEC could require reporting all cyber incidents above a certain threshold—leaving it to regulators to decide materiality.
Conclusion
Cybersecurity is one of the most significant risks businesses face today, and investors deserve transparency. Allowing companies to decide what is "material" in the context of cyber incidents introduces too much subjectivity, inconsistency, and potential for underreporting. The SEC must provide clearer guidelines and oversight mechanisms to ensure investors are informed about the real risks companies face in the ever-evolving world of cyber threats.
Without these changes, the term "material impact" will continue to serve as a loophole for companies to downplay or hide significant cybersecurity incidents from investors—leaving stakeholders in the dark about risks that could have long-term consequences.
I agree with everything you said, but I had a slightly different take. I think the SEC is not sure what to do so they are reading every company's definition of materiality so they can come up with a better definition. They have a relatively small group of lawyers (for the task) and creating the definition is not easy.
CEO & Founder (High-Tech Cyber-innovator), Boardmember, Trusted Advisor, Teacher @ higher Education, Keynote Speaker
How to avoid these issues … go Prevent & Protect. It’s where deperimeterization, ZT, SDP, SSE, Comply-to-Connect, guard-railed micro-perimeter based security principles meet up … in one platform. If you haven’t tried a Prevent & Protect solution, you have no idea how a non-intrusive, non-invasive and non-interruptive, controlled protected digital environment works. There is NO 3rd-party security dependency of any kind. You are welcome to try to breach it … we even grant you the right in our license terms … and you cannot add any security to a Prevent & Protect model that makes it more secure. It’s actually very simple … you can keep on spending a fortune on the Detect & Response reactive sec. model - now you have it, keep it for your infrastructure … but let Prevent & Protect take care of your data protection. Get back in control - well, that’s your call. Sorry, John K and Chase C … I hear you constantly say ZT is a transition, not a product. It isn’t a product, but you can create a holistic platform that enforces and has these principles bolted in. You could also just read our patent from 2005 - 5 years before ZT was defined. I’ll send it if you want.
Founder at Spektrum Labs, equipping cyber resilience innovators.
The SEC’s scope is financial impact and financial materiality, which is well defined and documented in the accounting and finance disciplines. That is not the scope of your article, so this is mismatching the need for cyber disclosure with the enforcement body and their objectives. The SEC needs to stay focused on financial materiality only. “Since our founding in 1934 at the height of the Great Depression, we have stayed true to our mission of protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation.” https://www.sec.gov/about/mission