The US Securities and Exchange Commission released its final rule, effective Sept. 5, 2023, on cybersecurity risk management, strategy, governance, and incident disclosure. Investors, registrants, and other market participants should take special notice of two key terms in the regulations: “materiality” and the “reasonable investor.”
The SEC has deemed disclosures, cybersecurity risk management, and governance to be material both to the market and to a reasonable investor.
A close look at these terms—and how the SEC and courts have interpreted them—will be a useful guide to those affected by the new rule.
The “material” impact of a cyber incident on a registrant is central to the determination of whether to notify the SEC with a Form 8-K and, in turn, the market and investors.
Materiality is a core consideration in determining whether any risk from cybersecurity threats exists, including as a result of any previous cybersecurity incidents. Legal counsel, cybersecurity consultants, and registrants should use industry standards, such as those published by the National Institute of Standards and Technology, and other laws such as HIPAA or GDPR to ascertain whether an event or a lack of safeguards is material.
If a disclosure is required, they should accurately state the facts and circumstances in SEC filings and in any other public disclosures, such as on the company’s website.
Incidents that have affected or are reasonably likely to affect an organization, including its business strategy, results of operations, or financial condition, are considered material. This could lead to potential violations under SEC Rule 17(a) or Rule 10b-5, which relate to material commissions and omissions in relation to disclosures.
The US Supreme Court has provided a roadmap in its cases addressing materiality in securities laws, including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano, coupled with the SEC’s rules, 17 C.F.R. § 230.405 and 17 C.F.R. § 240.12b-2.
The law, whether affirmed by the Supreme Court or maintained in regulations, indicates that information “is material if there is a ‘substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have significantly altered the ‘total mix’ of information made available.”
This leads to the reasonable investor, which can be compared to the legal definition of a reasonable person. A reasonable person is a “hypothetical person who exercises qualities of attention, knowledge, intelligence, and judgment that society requires of its members for the protection of their own interest and the interests of others.”
This concept isn’t new. The renowned 1837 English Court of Common Pleas case, Vaughan v. Menlove, established that in the common law the reasonable person standard is that of “a man of ordinary prudence,” thereby making the standard objective.
This common law standard has been used as the basis of both state and federal common law in the US. In a securities law case, the Supreme Court in Omnicare Inc. v. Laborers District Council Construction Industry Pension Fund held that the inquiry into whether an omission of a material fact makes a statement misleading must be viewed from the reasonable investor’s perspective, much like the determination of materiality.
Companies required to make disclosures and to disclose their cybersecurity risk management and governance must consider what is material to a reasonable investor. This raises the level of granularity and plain language that drafters should use, because the materiality bar is lower for the reasonable investor than for sophisticated or institutional market investors.
Importantly, what is disclosed must be balanced against the risk of providing too much information, which could make the entity more vulnerable to an attack or other form of exploitation.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Rachel V. Rose is an author, presenter, and attorney who handles complex compliance, transactional, and litigation matters involving healthcare, cybersecurity, securities law, and the False Claims Act.
Andy Watkin-Child is a global cybersecurity and risk management compliance professional who has built and led both first and second lines of defense for blue chip companies, both as a CISO and head of cyber risk.
Ted Dziekanowski is a veteran of cybersecurity with over 40 years’ experience of the design, delivery, oversight, and assurance of cybersecurity and risk management systems.