Question: How should cybersecurity leaders navigate the US Securities and Exchange Commission’s (SEC) cybersecurity disclosure regulations regarding material cyber events and risks?

Yakir Golan, CEO and co-founder, Kovrr: Although what constitutes a material cyber-risk or incident is, by definition, contextual, the room for interpretation given by the SEC has resulted in striking reporting inconsistencies among both Forms 8-K and 10-K. In some instances, shareholders are rightly provided with enough detail to make informed investment decisions, while in others they’re left considerably wanting.

Already on one occasion, the SEC was compelled to issue a follow-up to an ostensibly sparse 8-K disclosing a material cyber event, reiterating the original requirements and demanding that additional information regarding the impact be promptly submitted in an amendment. While there have not yet been harsher, more punitive consequences for these insubstantial disclosures, it’s only a matter of time until the grace period ends.

Generating Materiality Frameworks With Loss Thresholds

One of the most concrete pieces of guidance the SEC offers registrants for materiality reporting is to consider the “financial conditions and results of operation (ROO),” both of which are plainly quantified outputs. Organizations are thus practically being handed the structure on which to base their materiality assessment frameworks. By exploring these specific ramifications and calculating the ensuing damage, CISOs can support stakeholders significantly in their disclosure practices and ensure compliance.

There are no universally agreed-on loss margins for categorically determining a cyber incident’s materiality, potential or realized. However, after conducting extensive research and examining various thresholds against cybersecurity event loss data from global organizations across multiple industries, Kovrr found that a 0.01% loss of company annual revenue is an apt preliminary starting point.

In other words, any cyber event that results in an organization losing 0.01% or more of its revenue may be material and should, therefore, be evaluated more in-depth.

Exploring Financial Loss Scenarios With Key Stakeholders

Despite its logic, this single basis point of revenue (0.01%) should not be considered a strict rule for determining materiality. Rather, it serves as a starting point for organizations that are otherwise confused or overwhelmed by the process. Consequently, CISOs should engage with key stakeholders well before an event occurs to explore at least three or four other financial loss thresholds before agreeing on the final parameters.

What may be considered an appropriate material financial loss percentage at one business may not be so for another. Ultimately, executives should align this monetary threshold with the organization’s risk appetite and tolerance levels and update it as needed.

Examining Other Types of Operational Loss Benchmarks

While a percentage of revenue loss is one of the more commonly used thresholds adopted to establish materiality determination frameworks, organizations can likewise leverage operational loss metrics, such as the number of data records compromised or total hours of outage time, to preliminarily define what constitutes a materially impactful cyber event.

For example, within the cyber insurance market, historical claims intelligence suggests that an organization significantly suffers when 1% to 10% of its total number of data records have been compromised. Executive risk managers, therefore, may request that the CISO explore various loss scenarios within these percentage boundaries, using the subsequently agreed-on threshold to aid materiality decision-making.

Calculating Likely Threshold Exceedance for Form 10-K, Line 1C

Once these internal materiality-framing benchmarks have been established, CISOs can quantify the likelihood of these loss values being exceeded in the event of a cyber incident — information that is particularly valuable for complying with the new cybersecurity line item, 1C, on Form 10-K.

1C requires registrants to describe their processes “for assessing, identifying, and managing material [cyber] risks” and report, specifically, how these risks will affect “results of operations or financial conditions.”

The quantified thresholds, coupled with their likelihood of exceedance, equip high-level executives to easily fulfill the said regulatory obligations, offering the SEC and investors alike an in-depth understanding of the organization’s cyber-risk landscape and the tangible harms it faces as a result.

Harnessing Quantitative Thresholds for Form 8-K, Line 1.05

Well before the SEC’s cybersecurity regulations were enacted, business leaders were already inundated by the sheer amount of tasks they needed to handle following a cyber event. As of December 2023, organizations must also evaluate an incident’s impact “without unreasonable delay” and subsequently report the scope of damage, including financial and operational losses, within four days if determined to be material.

Instead of spending critical time attempting to examine all of the far-reaching implications — which can quickly become overwhelming — risk managers and executives can harness the material quantitative thresholds to guide the assessment, first asking themselves, “Did the event result in losses that exceeded our limits?”

The quick availability of these parameters makes for a much more efficient process. Moreover, by having these clearly defined loss metrics, stakeholders can readily justify their disclosure choices to the SEC, explaining in detail why they did or did not deem the incident material.

Factoring Qualitative Impacts Into the Mix

It’s important to note that while quantitative thresholds provide the groundwork for materiality discussions, disclosures would not be compliant if organizations didn’t consider the more qualitative outcomes of a cyber event or risk. Qualitative implications may include the impact of the cyber event on key customers or markets, whether it would significantly postpone a new product launch, or whether it has resulted in a regulatory fine or investigation.

Such binary parameters can be included as evaluation criteria on top of the quantified impact of such events. Generally speaking, it will be more difficult to argue that something is not material qualitatively if it surpasses your quantitative thresholds for material disclosure. The reverse is less true.
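The following is an added example (not Kovrr's or Dark Reading's code) that ties together the three preceding sections: the quantified thresholds used to answer "did the event exceed our limits?" for Form 8-K, the binary qualitative criteria layered on top of them, and the likelihood of exceedance reported under Form 10-K, Item 1C. The 0.01%-of-revenue and 1%-of-records figures come from the article; the 24-hour outage benchmark, the hypothetical company figures, and the lognormal-severity/Poisson-frequency loss model used for the exceedance probability are assumptions made here for illustration.

```python
"""Materiality assessment helper: evaluates a cyber event against quantified
loss thresholds and qualitative flags (Form 8-K, Item 1.05) and estimates the
annual probability that a threshold is exceeded (Form 10-K, Item 1C).
Added illustration; not Kovrr's or Dark Reading's code."""
from dataclasses import dataclass, field
from math import erf, exp, log, sqrt


@dataclass(frozen=True)
class MaterialityThresholds:
    """Internal benchmarks agreed with stakeholders ahead of an incident."""
    annual_revenue_usd: float
    total_records: int
    revenue_loss_pct: float = 0.0001   # 0.01% of revenue, the article's starting point
    records_pct: float = 0.01          # 1%, low end of the 1%-10% claims range
    outage_hours: float = 24.0         # assumed value; the article gives no figure

    @property
    def revenue_loss_usd(self) -> float:
        return self.annual_revenue_usd * self.revenue_loss_pct

    @property
    def records_count(self) -> float:
        return self.total_records * self.records_pct


@dataclass(frozen=True)
class CyberEvent:
    financial_loss_usd: float
    records_compromised: int
    outage_hours: float
    # Binary qualitative criteria: key-customer impact, launch delay,
    # regulatory fine or investigation, and so on.
    qualitative_flags: dict = field(default_factory=dict)


def assess_event(event: CyberEvent, t: MaterialityThresholds) -> dict:
    """Answer 'did the event exceed our limits?' and list every reason."""
    exceeded = {
        "revenue_loss": event.financial_loss_usd >= t.revenue_loss_usd,
        "records": event.records_compromised >= t.records_count,
        "outage": event.outage_hours >= t.outage_hours,
    }
    quantitative = [name for name, hit in exceeded.items() if hit]
    qualitative = [name for name, hit in event.qualitative_flags.items() if hit]
    return {
        "quantitative_exceeded": quantitative,
        "qualitative_triggered": qualitative,
        # Any breached quantitative threshold or any qualitative trigger
        # escalates the event to a full materiality review.
        "escalate": bool(quantitative or qualitative),
    }


def _normal_cdf(x: float) -> float:
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def annual_exceedance_probability(threshold_usd: float, median_loss_usd: float,
                                  sigma: float, events_per_year: float) -> float:
    """P(at least one event in a year loses >= threshold_usd).

    Assumed model (not from the article): per-event loss is lognormal with the
    given median and log-standard-deviation sigma; event arrivals are Poisson
    with rate events_per_year, so thinning by the per-event exceedance
    probability gives a Poisson rate of threshold-breaching events.
    """
    if threshold_usd <= 0:
        return 1.0
    per_event = 1.0 - _normal_cdf((log(threshold_usd) - log(median_loss_usd)) / sigma)
    return 1.0 - exp(-events_per_year * per_event)


# Constructed sample: a USD 500M-revenue company holding 2M customer records.
THRESHOLDS = MaterialityThresholds(annual_revenue_usd=500_000_000, total_records=2_000_000)

SAMPLE_EVENT = CyberEvent(
    financial_loss_usd=120_000,        # above the USD 50,000 revenue threshold
    records_compromised=5_000,         # below the 20,000-record threshold
    outage_hours=6,                    # below the assumed 24-hour benchmark
    qualitative_flags={"key_customer_impact": False,
                       "product_launch_delayed": False,
                       "regulatory_investigation": True},
)

if __name__ == "__main__":
    print(assess_event(SAMPLE_EVENT, THRESHOLDS))
    p = annual_exceedance_probability(THRESHOLDS.revenue_loss_usd,
                                      median_loss_usd=20_000, sigma=1.5,
                                      events_per_year=2.0)
    print(f"P(exceed the 1bp revenue threshold within a year) = {p:.1%}")
```

The sample event breaches the revenue threshold and carries a regulatory-investigation flag, so it is escalated for full review even though the record count and outage duration stay below their limits; a quiet event with no breached threshold and no flag is not. The exceedance function is what feeds the Item 1C narrative: swap in the severity and frequency parameters your own loss data supports, and report the probability for each agreed threshold.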

Fortunately, because the numerical benchmarks are in place, stakeholders have the time to devote to evaluating these less straightforward qualitative factors that contribute to a material determination and provide investors with an appropriate scope of information. 

Ultimately, to offer the shareholders the transparent, consistent details the SEC wants them to have, adopting a standardized methodology for material assessments based on quantified thresholds is the most practicable approach.

Source: www.darkreading.com