Several auto dealers affected by the CDK breach have felt compelled to notify the SEC, indicating that the attack significantly impacted their operations. However, Brookfield Business Partners, CDK’s parent company, took a different route. They declared on July 3rd that they don’t expect the incident to impact their business materially.
Materiality, according to the SEC, hinges on whether there is a substantial likelihood that a “reasonable investor” would consider the incident important when making an investment decision. This sounds straightforward, but in practice it’s anything but. For instance, Bob Kolasky, a former top official at CISA, pointed out that what is material for one company might not be for another. He noted the significant attention and uncertainty the CDK attack generated, suggesting it could be deemed material information.
Then there’s Allan Liska from Recorded Future, who didn’t mince words. He called Brookfield’s assessment a term we won’t mention here 🙀 and argued that the disruption caused by the attack should definitely make it material. However, he also acknowledged that large, dominant companies can absorb such financial hits more easily, which makes a breach look less impactful on paper than it was in practice.
Consider this: the CDK breach affected nearly 15,000 auto dealerships, disrupting sales operations for weeks.
The SEC guidelines are clear that the size of a ransom payment alone doesn’t determine materiality. Brian Finch from Pillsbury Public Policy noted that the reported $25 million ransom payment was minor relative to Brookfield’s $96 billion in revenue last year. However, he also warned that SEC investigations are serious, and that companies might over-disclose to avoid potential penalties.
The reality is that we’re still defining the boundaries of materiality in cyber incident reporting. David Oliweinstein, a former member of the SEC enforcement division, suggested that SEC enforcement actions and case law will eventually provide clarity. For now, the CDK Global hack exposes the gap between how cybersecurity experts and corporate legal teams interpret the SEC’s guidelines.