that went into effect in December 2023 were clarified in June 2024. The guidelines require public companies to report “material” breaches within four business days of the materiality determination and document their processes “for assessing, identifying, and managing material risks from cybersecurity threats” in annual filings.
Money can be recovered or written off. Critical systems can go offline and cause significant short-term disruption, but they can be restored. Data can’t be unbreached.
The possible legal consequences and the difficulty of determining materiality would naturally incentivize some CISOs to report cyber incidents whether or not they had been deemed “material.” Not surprisingly, in June 2024, the SEC clarified the guidelines to avoid investor confusion that would come with overreporting.
To determine materiality, today's most important question is: “Was any sensitive or regulated data stolen and/or lost?” Unfortunately, this question is harder to answer than most executives, boards—and even expensive incident response services—realize.