Whose Material Is This? Objective Subjectivity in SEC Cyber Disclosures

 Posted by Paul StaffordThe U.S. Government, through several agencies and in conjunction with state governments and international governing bodies, has assumed the duty to regulate and to facilitate various aspects of commerce in a matter that minimizes economic uncertainty and promotes fairness in the market. As part of the government’s regulatory “contract” with the public, investors, and potential investors, the U.S. Securities and Exchange Commission (“Commission”) states as its mission the protection of investors; the maintenance of fair, orderly, and efficient markets; and the facilitation of capital formation. To carry out this mission, the Commission requires public companies to disclose information about the security of the public company’s cyber infrastructure and data, especially personally identifiable information, as well as information about incidents, and breaches that are “material” and that may affect shareholder decisions about investing in those companies.Consequently, the Commission has promulgated a series of cybersecurity pronouncements and documents, including the CF Disclosure Guidance: Topic No. 2 – Cybersecurity (“2011 Guidance,” Oct. 13, 2011) issued by the Commission’s Division of Corporation Finance (the “Division”), and the Commission Statement and Guidance on Public Company Cybersecurity Disclosures (“2018 Guidance,” February 26, 2018). The 2018 Guidance reinforces and expands upon the 2011 Guidance by providing “interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.” The 2018 Guidance also addresses two topics not developed in the Division’s 2011 Guidance: the importance of cybersecurity policies and procedures, and the application of insider trading prohibitions in the cybersecurity context to deter selective disclosures and to prevent directors, officers, and corporate insiders from trading in a public company’s securities while in possession of “material non-public information.” But what is “materiality”?When there is a “material cybersecurity risk or incident,” the Commission considers public companies to have a duty to disclose the material cybersecurity risk(s) or incident(s) to the Commission, and therefore to the public and the company’s investors and potential investors. The Commission encourages companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack” (2018 Guidance, p.4), and believes that public companies should disclose “the most significant factors that make investments in the company’s securities speculative or risky” (2018 Guidance, p.13). Such interpretive guidance on the term “material” not only encourages companies to develop procedures for determining “materiality” for disclosures of actual risks and incidents, but also protocols for determining prospective risks. As the 2018 Guidance (p.11) states, “[T]he materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations,” and such information may include “personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.”The Commission’s 2018 Guidance (p.11) also states that “[T]he materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause,” with footnote 34 indicating that a company’s materiality analysis “should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of the company activity Basic v. Levinson, 485 U.S. 224, 238 (1988) (citing SEC v. Texas Gulf Sulphur Co., 401 F.2d 833, 849 (2d Cir. 1968))” and that within this analysis, “no ‘single fact or occurrence’ is determinative as to materiality, which requires an inherently fact-specific inquiry. Basic, 485 U.S. at 236.”The Commission’s 2018 Guidance clearly illustrates that the legal construct of “materiality” is, by its nature, imprecise and flexible. The concept of “materiality” is contextual, requiring what the Commission terms a “tailored” approach (2018 Guidance, p.13) – and perhaps even, at times, subjectivity on the part of public companies based upon the factors, procedures, and protocols utilized in preventing and responding to cybersecurity incidents or in determining a company’s susceptibility to cybersecurity risks. Stated differently, for SEC purposes, an event that is material for one company may not be material for another.Such subjectivity becomes more apparent when comparing and contrasting the disclosure obligations of the Commission with contract law or tort law principles. For example, the Restatement (2d) of Contracts Section 1 defines a “contract” as a “promise or set of promises for the breach of which the law gives a remedy, or the performance of which the law in some way recognizes a duty.” The determination of whether there is a breach is a question of law; however, a breach must be “material” to be actionable and compensable for foreseeable injuries or equitable relief. Some breaches are “material” as a matter of law (e.g., when a contract specifies that time is of the essence, failure to timely perform is a “material breach”); however, in most instances, the determination of whether a breach is “material” is a question of fact, and non-performance may be excused or damages may be awarded based upon a finding of materiality. As the court stated in Henderson v. Wells Fargo Bank, N.A., 974 F.Supp.2d 993, 1005, 1006 (N.D.Tex.2013), the question of whether a breach was sufficiently material to excuse a party’s performance under a contract is a question of fact for a jury to decide based on an analysis of the factors set out in the Restatement Second of Contracts 241 and 242. Accordingly, materiality in contract law is often determined by a finder of fact within a narrow context that considers performance, acts, and omissions precipitating the alleged material breach and tends towards a presumption of permitting the contract to survive and the contracting parties to perform.By contrast, a determination of materiality within the context of disclosures to the Commission is the responsibility of the public company that is subject to the cyber risk(s) or incident(s), with the Commission and the courts serving as the ultimate arbiters (i.e., “finders of fact”) of the materiality of those cyber risk(s) or incident(s). The disclosure requirements in Commission Regulation S-K and Regulation S-X make no specific mention of cybersecurity risks and incidents; however, several of the requirements impose an obligation (i.e., “duty”) on public companies to disclose such risks and incidents depending on a company’s particular circumstances. Examples include: periodic reports, including Form 10-K annual reports, Form 10-Q quarterly reports, and Form 20-F disclosures by foreign private issuers; current reports, including Form 8-K or Form 6-K reports; and Securities Act and Exchange Act obligations, including registration statements that (consistent with Section 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act) must adequately disclose all material facts required to be stated therein or necessary to make the statements therein not misleading. In addition to the information expressly required (or interpreted to be required) by Commission regulations, a public company is required to make a subjective determination and to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading,” pursuant to Rule 408 of the Securities Act, Rule 12b-20 of the Exchange Act; and Rule 14a-9 of the Exchange Act. This interpretation of materiality regarding omissions is akin to the Texas Deceptive Trade Practices-Consumer Protection Act, Section 17.46 (b)(24), which addresses the “failure to disclose information concerning goods or services known at the time of the transaction if such failure to disclose such information was intended to induce the consumer into a transaction into which the consumer otherwise would not have entered had the information been disclosed.”The Commission considers omitted information to be material “if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” (This is the standard established by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976)). The Commission’s articulation of materiality of omitted (non-disclosed) information illustrates that when determining materiality the Commission adopts a less subjective, and perhaps arguably objective, approach.So the inquiry as to “materiality” then becomes not only, “What is material?” but “Who is asking?” and “Who is determining?” Accordingly, through the Commission’s articulated 2018 Guidance, the determination of “materiality” within the context of disclosures to the Commission can be seen as subjective when determined by the public company and perhaps objective when determined by the Commission, particularly regarding omitted (non-disclosed) information. Consequently, and in contrast to a contractual, tort, or litigation context, in a public company’s continuing effort and duty to timely provide the Commission information available as to the company’s actual or potential cyber risk(s) and incident(s), public companies should consider determining and defining “materiality” more broadly when providing disclosures to the Commission.