The Securities and Exchange Commission yesterday adopted new rules requiring registrants to disclose on Form 8-K any cybersecurity incident that they determine to be material. The new Item 1.05 of Form 8-K requires a description of the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. In addition, new Item 106(b) of Regulation S-K requires registrants to describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and to describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
The problem with these requirements is that the phrase "reasonably likely" is so ambiguous as to be essentially meaningless. Does "likely" mean that the impact or effect has a better chance of occurring than not or that the impact or effect is merely possible? The fact that "likely" requires a modifier - the adverb "reasonably" - underscores the imprecision of the phrase. However, the adverb "reasonably" is equally imprecise. Whether the likelihood of an event is considered to be "reasonable" depends upon a person's assessment of the situation. A traveler may deem flying to be unreasonably risky if she is advised that there is a 1 in 4 chance of a fatal crash. A patient with an incurable disease, on the other hand, may deem the risk of an experimental treatment to be reasonable if she is advised that there is a 1 in 4 chance of a cure. In each case, the probabilities are the same, but the characterizations of the probabilities are different.