The SEC's Four-Day Reporting Rule Presents a Critical New Need to Define Materiality

This IDC Perspective discusses SEC's four-day reporting rule that presents a critical new need to define materiality. Wall Street's top regulator, the U.S. Securities and Exchange Commission, has adopted new cybersecurity rules that require companies to disclose a material cyberbreach within four days of determining that the breach is material. Until now, breach notification has been driven primarily by regulations or industry rules requiring notification "without unreasonable delay," which affords a fair amount of bandwidth within which to understand and assess a situation and then determine the most appropriate path forward. The new SEC rules raise the bar for publicly traded companies, not only demanding that they know that an incident has occurred but also requiring their boards to quickly get fact based regarding where there is significant potential impact on the company's financial position, operations, customer relationships, or reputation. "Assessing and reporting based on materiality of an incident adds a new and critical level of analysis for CIOs and CISOs in publicly traded companies," says Alizabeth Calder, adjunct research advisor for IDC's IT Executive Programs (IEP). "We need to arm ourselves with the best possible interpretation and guardrails in advance of an incident, so we don't get caught in situational urgency where the 96-hour rule undermines prudent decisions about whether the incident is actually material and thus reportable. We look forward to learning more as the SEC rules are absorbed and will sharpen our thoughts and guidance as more details emerge."