Numerous car dealerships across the U.S. reported having their operations impacted by the sweeping ransomware attack against automotive software provider CDK Global to the Securities and Exchange Commission but such an incident was not filed by CDK Global's parent firm Brookfield Business Partners due to the lack of "material impact," according to CyberScoop.
Such a dichotomy was noted by cybersecurity experts to indicate the need to better define materiality in the SEC's breach reporting rules. "Based on my understanding of the ransomware attack on CDK, yes, I believe a reasonable investor would want to know about it because of the nature of the attention it has gotten and the tail that will happen because of that attention. It creates a ton of uncertainty about the kind of scrutiny that's going to follow from this," said Exiger Senior Vice President of Critical Infrastructure Bob Kolasky, who was an assistant director at the Cybersecurity and Infrastructure Security Agency. On the other hand, Recorded Future threat intelligence analyst Allan Liska questioned the lack of materiality determined by Brookfield Business Partners considering the extent of the incident.