Is there a dollar threshold for materiality?

No. Materiality is qualitative and contextual. The SEC explicitly rejected numeric thresholds in adopting Item 1.05, emphasizing that both quantitative and qualitative factors must be considered together.

Who determines materiality?

The company determines materiality, typically with input from the CFO, CISO, General Counsel, outside counsel, and the disclosure committee or board. The determination process should be documented and consistent across incidents.

When must the materiality determination be made?

Without unreasonable delay after discovery of the incident. The SEC Item 1.05 four-business-day clock starts on the materiality determination, not on detection. The expectation is that companies make the determination promptly but not before they have enough information.

What factors are relevant to cyber incident materiality?

Nature and scope of affected systems and data, operational disruption, financial impact, reputational harm, regulatory and litigation exposure, competitive consequences, and effects on segments or specific business operations. The analysis is the same qualitative test applied to any other material event.

Materiality - SEC Disclosure Standard

Q: What is the materiality standard?

Materiality is the U.S. federal securities law standard for disclosure. A fact is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. It was established in TSC Industries v. Northway (1976) and Basic v. Levinson (1988).

Materiality is the U.S. federal securities law standard that governs what public companies must disclose. A fact is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The standard was established by the U.S. Supreme Court in TSC Industries v. Northway (1976) and refined in Basic v. Levinson (1988), and it is the trigger for SEC Form 8-K Item 1.05 cybersecurity incident disclosure.

Source: TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976); Basic Inc. v. Levinson, 485 U.S. 224 (1988); SEC adopting release for Item 1.05.

The Reasonable Investor Standard

Materiality is qualitative and contextual, not numeric. There is no dollar threshold that automatically triggers disclosure. The test asks whether, considering all the facts and circumstances, a reasonable investor would consider the information important when deciding whether to buy, sell, or hold the security. Both quantitative and qualitative factors are relevant.

Quantitative and Qualitative Factors

SEC Staff Accounting Bulletin No. 99 (SAB 99) identifies qualitative factors that may make a quantitatively small misstatement or event material:

Effect on regulatory compliance
Effect on loan covenants or contractual requirements
Effect on management compensation
Effect on segments or significant business operations
Whether the event involves illegal acts
Whether the event affects trend analysis or earnings consensus
Effect on reasonable investor expectations

Cyber Incident Materiality

The SEC adopting release for Item 1.05 emphasized that cyber incident materiality is a qualitative, contextual judgment. Factors specific to cyber incidents include the nature and scope of the affected systems and data, operational disruption, financial impact, reputational harm, regulatory and litigation exposure, and competitive consequences. Companies must document the determination process so it can be evaluated later.

Document the materiality determination

IR-OS captures the materiality determination process, evidence, and timing in a defensible record ready for SEC review.

Start free

Materiality - SEC Disclosure Standard

The Reasonable Investor Standard

Quantitative and Qualitative Factors

Cyber Incident Materiality

Related Terms

Document the materiality determination