
Strategies for Organizations to Navigate SEC Cyber Materiality Disclosures

Photo credit: www.darkreading.com

Question: How can cybersecurity leaders address the US Securities and Exchange Commission’s (SEC) regulations concerning the disclosure of material cyber events and risks?

Yakir Golan, the CEO and co-founder of Kovrr, emphasizes that the interpretation of what constitutes a material cyber risk or incident varies with context. This variability has led to significant inconsistencies in the reporting seen in both Form 8-K and Form 10-K filings. While some shareholders receive enough detail to make informed investment choices, others are left with inadequate information.

The SEC has already found itself in a position where it needed to follow up on a poorly detailed 8-K concerning a material cyber event. In response, the commission reminded registrants of their obligations and requested that they submit more detailed information about the incident’s impact in an amended filing. Although there have been no severe penalties for insufficient disclosures yet, that leniency is unlikely to last.

Creating Materiality Frameworks with Loss Thresholds

One of the clear recommendations from the SEC for materiality reporting involves analyzing financial condition and results of operations, which are quantifiable metrics. This guidance effectively gives organizations a systematic approach through which they can develop their own frameworks for assessing materiality. By investigating the potential impact of cyber events and calculating the associated losses, Chief Information Security Officers (CISOs) can help their stakeholders improve disclosure practices and achieve compliance.

Even though there is no universally accepted standard for defining the materiality of a cyber incident in terms of potential or actual losses, extensive research across various sectors has found that a starting point of 0.01% of annual revenue loss is a reasonable threshold.

Thus, any cyber event causing a revenue loss of at least 0.01% should be considered material and warrant a deeper evaluation.

Assessing Financial Loss Scenarios with Key Stakeholders

This 0.01% revenue-loss figure is not a definitive guideline; rather, it serves as a foundation for organizations that are uncertain about how to establish materiality benchmarks. It is therefore crucial for CISOs to collaborate with key stakeholders before any incident occurs, identifying three to four additional loss thresholds and agreeing on a comprehensive final standard.

What might be considered an acceptable threshold for financial loss can differ from one organization to another. Ultimately, it is important for executives to align these thresholds with their organization’s risk appetite and tolerance and adjust them as necessary over time.

Reviewing Additional Operational Loss Metrics

While revenue loss percentage is a frequently employed metric for determining materiality, organizations should also consider operational benchmarks such as the number of compromised data records or total hours of downtime to preliminarily assess a cyber event’s impact.

For instance, insights from the cyber insurance market indicate that organizations face significant repercussions when between 1% and 10% of data records are compromised. Consequently, risk managers may instruct CISOs to examine scenarios within these percentages, using the resulting thresholds to inform materiality decisions.

Measuring Potential Threshold Exceedance for Form 10-K, Item 1C

Once internal benchmarks for materiality are set, CISOs can assess the likelihood that these loss thresholds will be surpassed in the event of a cyber incident. This information is crucial for addressing the new cybersecurity item, Item 1C, on Form 10-K.

Form 10-K, Item 1C, requires registrants to describe their processes for “assessing, identifying, and managing material [cyber] risks” and to report specifically on how these risks could affect “results of operations or financial condition.”

With established thresholds and their likelihood of exceedance, executives can better meet regulatory requirements, providing the SEC and investors with a thorough understanding of the organization’s cyber risk landscape and the real consequences it faces.

Utilizing Quantitative Thresholds for Form 8-K, Item 1.05

Before the SEC’s cybersecurity regulations were implemented, business leaders were already overwhelmed by the tasks that follow a cyber incident. Since the rules took effect in December 2023, organizations must determine an incident’s materiality “without unreasonable delay” after discovering it and, if the incident is material, file a Form 8-K under Item 1.05 within four business days of that determination, describing the extent of the damage, including its impact on financial condition and results of operations.

Rather than getting bogged down in the complicated ramifications of an incident, risk managers can use their established quantitative thresholds to streamline the evaluation, starting with a single question: “Did the incident lead to losses that exceeded our established limits?”

With these parameters easily accessible, the assessment process becomes significantly more effective.

Moreover, having clearly defined loss metrics enables stakeholders to justify their disclosure decisions to the SEC, elaborating on why they deemed an incident material or not.
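The following is an added example, not code from the article or from Kovrr, that turns the two preceding ideas into working code: the exceedance-likelihood estimate that Item 1C asks for, and the "did the incident cross our limits?" check that Item 1.05 requires. The 0.01%-of-revenue and 1%-of-records thresholds come from the text; the downtime threshold, the revenue and record-count figures, and the Poisson-frequency/lognormal-severity loss model are illustrative assumptions chosen for this example.

```python
"""Materiality thresholds: incident check plus Monte Carlo exceedance estimate.

Added example. Threshold values other than the 0.01%-of-revenue and
1%-of-records figures quoted in the article, and the Poisson/lognormal
loss model, are assumptions made for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    annual_revenue: float              # USD, assumed input
    total_records: int = 0             # records held; 0 disables the records test
    revenue_loss_pct: float = 0.0001   # 0.01% of annual revenue (article's starting point)
    records_pct: float = 0.01          # 1% of records (low end of the 1-10% band cited)
    downtime_hours: float = 24.0       # assumption: operational benchmark, not from the article


@dataclass(frozen=True)
class Incident:
    loss_usd: float
    records_compromised: int = 0
    downtime_hours: float = 0.0


def exceeded(t: Thresholds, inc: Incident) -> dict:
    """Return, per quantitative metric, whether the incident crossed the threshold.

    The dict doubles as the written justification for the 8-K decision:
    each key names a metric, each value says whether its limit was crossed.
    """
    result = {"revenue_loss": inc.loss_usd >= t.revenue_loss_pct * t.annual_revenue}
    if t.total_records:
        result["records"] = inc.records_compromised >= t.records_pct * t.total_records
    result["downtime"] = inc.downtime_hours >= t.downtime_hours
    return result


def needs_materiality_review(t: Thresholds, inc: Incident) -> bool:
    """True if any quantitative threshold was crossed (qualitative review still follows)."""
    return any(exceeded(t, inc).values())


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of events in one year at mean rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_loss_samples(n: int, freq_per_year: float, median_loss: float,
                        sigma: float, seed: int) -> list:
    """Simulate n years: Poisson event count, lognormal loss per event (assumed model)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)   # lognormal median == exp(mu)
    samples = []
    for _ in range(n):
        events = _poisson(rng, freq_per_year)
        samples.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return samples


def exceedance_probability(samples: list, threshold: float) -> float:
    """Fraction of simulated years whose total loss reaches the threshold."""
    return sum(1 for s in samples if s >= threshold) / len(samples)


if __name__ == "__main__":
    # Constructed figures: a $2B-revenue company holding 5M customer records.
    t = Thresholds(annual_revenue=2_000_000_000, total_records=5_000_000)
    print("revenue threshold (USD):", t.revenue_loss_pct * t.annual_revenue)   # 200000.0
    inc = Incident(loss_usd=120_000, records_compromised=60_000)
    print("exceeded:", exceeded(t, inc))   # records crosses 1% of 5M; revenue does not
    print("review needed:", needs_materiality_review(t, inc))
    # Item 1C: how likely is a year in which losses pass the revenue threshold?
    years = annual_loss_samples(20_000, freq_per_year=0.5, median_loss=100_000,
                                sigma=1.5, seed=7)
    for limit in (200_000, 1_000_000, 2_000_000):
        print(f"P(annual loss >= {limit:,}) ~ {exceedance_probability(years, limit):.3f}")
```

The per-metric dict from `exceeded` is what the text calls having the loss metrics "easily accessible": it records which limit triggered the review, which is the justification a filer needs later. The Monte Carlo loop is a deliberately minimal loss model; a real cyber risk quantification would calibrate the frequency and severity distributions to the organization's own scenarios, but the exceedance-probability step is the same.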

Incorporating Qualitative Factors

It is essential to recognize that while quantitative thresholds lay the foundation for discussions around materiality, disclosures will not meet compliance standards unless organizations also consider the qualitative outcomes of a cyber event or risk. Qualitative factors might encompass the effect of the cyber incident on critical clients or markets, delays in product launches, or the occurrence of regulatory fines or investigations.

These factors can be integrated into the evaluation criteria alongside the quantifiable impacts of these events. Generally, it will be hard to argue against the materiality of an incident that surpasses the established quantitative thresholds. The reverse does not hold, however: an incident that stays below every quantitative threshold is not automatically immaterial.

Fortunately, when numerical benchmarks are established, stakeholders can allocate sufficient time to analyze the more complex qualitative aspects that contribute to making materiality determinations, thereby providing investors with comprehensive insights.

Ultimately, to meet the SEC’s demand for transparency and consistency in disclosures, adopting a standardized methodology for material assessments grounded in quantitative thresholds represents the most effective strategy.

Source
www.darkreading.com
