On July 26, 2023, the SEC adopted rules requiring registrants to disclose “material cybersecurity incidents” and to disclose every year “material information regarding their cybersecurity risk management, strategy, and governance.” This session will answer questions for infosec professionals, legal teams, CISOs, and the board dealing with the concept of materiality and these disclosures. In a storytelling format, I will explain the concept of “materiality” by examining: - TSC Industries, Inc. v. Northway, Inc., - Basic, Inc. v. Levinson, - Matrixx Initiatives, Inc. v. Siracusano, - Securities Act Rule 405, and - Exchange Act Rule 12b-2. Then, we will look at some hypothetical examples (based on real-life companies) to ask (1) whether the incident or information is material, (2) what should be disclosed, and (3) when.