SEC Posts C&DI Re: Cybersecurity Materiality Determination

By Randi Morrison posted 12-15-2023 08:45 AM

Further to our prior posts here and here, yesterday Corp Fin staff published an additional cybersecurity disclosure rule C&DI addressing whether a company's consultation with the DOJ about delaying disclosure for "national security" or "public safety" reasons itself makes an incident "material."

Question 104B.04

Question: Would the sole fact that a registrant consults with the Department of Justice regarding the availability of a delay under Item 1.05(c) necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a)?

Answer: No. As the Commission stated in the adopting release, the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.

Furthermore, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed. [December 14, 2023]

Referencing the C&DI in a speech yesterday about the rule, Corp Fin Director Erik Gerding elaborated:

I hope this underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents.  Indeed, I would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur.  I believe this timely engagement is in the interest of investors and the public.  While this is not within the Commission staff’s purview, companies and government agencies may find that such timely engagement could assist them in a later determination of whether to seek a delay from the DOJ.

Consultations with national security and law enforcement agencies may, of course, help companies to better understand the impact or severity of a particular incident and thus to assess whether the incident is material.  But ultimately it is the company’s responsibility to make a materiality determination based on a consideration of all relevant facts and circumstances.  In this regard, it’s worth bearing in mind that the analyses of cybersecurity incidents by these other agencies may take into account factors other than a focus on a reasonable investor.  This is consistent with the CDI above.  And, as I noted previously, the Commission did not establish a fixed timeline for making a materiality determination, and a company’s consultation with any national security or law enforcement does not change this and start the clock on a fixed timeline with respect to a cybersecurity incident.  Again, instead of a fixed timeline, the Commission included Instruction 1 to Item 1.05, which states that “[a] registrant’s materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident.”
