
I think how and why the breach occurred matters more than what information was accessed. In asset management, for example, when you’re dealing with an error you don’t just look at the dollar amount. Maybe the error only cost a couple thousand dollars today (or maybe it even made money!) but the exact same error on another trading day could just as easily have been ten, or a hundred, or even a thousand times more costly. That the error happened at all is the material event. And that’s why there’s no such thing as a de minimis trading error. Sometimes you just get lucky in the magnitude of the impact. Even if it didn’t cost you anything you still need to address the weak point that allowed the error to happen in the first place.

So even if a system with absolutely no information was breached, if your other system(s) use(s) the same or similar security, then it doesn’t really matter that nothing was taken. The breach could still be material (and require disclosure) because it’s exposed a material security vulnerability.



Lots of nuance that can’t fit into a single thread.



