{"id":4889,"date":"2024-08-15T16:52:09","date_gmt":"2024-08-15T21:52:09","guid":{"rendered":"https:\/\/www.darkreading.com\/cyber-risk\/how-can-organizations-navigate-sec-cyber-materiality-disclosures"},"modified":"2024-08-15T16:52:09","modified_gmt":"2024-08-15T21:52:09","slug":"how-can-organizations-navigate-secs-cyber-materiality-disclosures","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/15\/how-can-organizations-navigate-secs-cyber-materiality-disclosures\/","title":{"rendered":"How Can Organizations Navigate SEC&#8217;s Cyber Materiality Disclosures?"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt8408d108146beb37\/6580abd17995a5040777f888\/paperwork-RossHelen_editorial-alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">Question: How should cybersecurity leaders navigate the US Securities and Exchange Commission&#8217;s (SEC) cybersecurity disclosure regulations regarding material cyber events and risks?<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span 
class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">Yakir Golan, CEO and co-founder of Kovrr: <\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Although what constitutes a material cyber risk or incident is, by definition, contextual, the room for interpretation given by the SEC has resulted in striking reporting inconsistencies among both Forms 8-K and 10-K. In some instances, shareholders are rightly provided with enough detail to make informed investment decisions, while in others, they\u2019re left considerably wanting.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Already on one occasion, the SEC was compelled to issue a follow-up to an ostensibly sparse 8-K disclosing a material cyber event, reiterating the original requirements and <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/103379\/000000000024000221\/filename1.pdf\" rel=\"noopener\">demanding that additional information regarding the impact be promptly submitted<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> in an amendment. 
While there have not yet been harsher, more punitive consequences for these insubstantial disclosures, it\u2019s only a matter of time until the grace period ends.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Generating Materiality Frameworks With Loss Thresholds\">Generating Materiality Frameworks With Loss Thresholds<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">One of the most concrete pieces of guidance the SEC offers registrants for materiality reporting is to consider the \u201c<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.sec.gov\/corpfin\/cf-manual\/topic-9\" rel=\"noopener\">financial conditions and results of operation (ROO),<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u201d both of which are plainly quantified outputs. Organizations are thus practically being handed the structure on which to base their materiality assessment frameworks. By exploring these specific ramifications and calculating the ensuing damage, CISOs can support stakeholders significantly in their disclosure practices and ensure compliance.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">There are no universally agreed-upon loss margins for categorically determining a cyber incident\u2019s materiality, potential or realized. 
However, after conducting extensive research and examining various thresholds against cybersecurity event loss data from global organizations across multiple industries, Kovrr found that a <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.kovrr.com\/blog-post\/determining-cyber-materiality-in-a-post-sec-cyber-rule-world\" rel=\"noopener\">0.01% loss of company annual revenue<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> is an apt preliminary starting point.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In other words, any cyber event that results in an organization losing 0.01% or more of its revenue may be material and should, therefore, be evaluated in more depth.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Exploring Financial Loss Scenarios With Key Stakeholders\">Exploring Financial Loss Scenarios With Key Stakeholders<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Despite its logicality, this single basis point of revenue (0.01%) should not be considered a strict rule for determining materiality. Rather, it serves as a starting point for organizations that are otherwise confused or overwhelmed by the process. 
Consequently, CISOs should engage with key stakeholders well before an event occurs to explore at least three or four other financial loss thresholds before agreeing upon the final parameters.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">What may be considered an appropriate material financial loss percentage at one business may not be so for another. Ultimately, executives should align this monetary threshold with the organization\u2019s risk appetite and tolerance levels and should update it as needed.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Examining Other Types of Operational Loss Benchmarks\">Examining Other Types of Operational Loss Benchmarks<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While a percentage of revenue loss is one of the more commonly used thresholds adopted to establish materiality determination frameworks, organizations can likewise leverage operational loss metrics such as the number of data records compromised or total hours of outage time to preliminarily define what constitutes a materially impactful cyber event.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For example, within the cyber insurance market, historical claims intelligence suggests that an organization significantly suffers when between 1% and 10% of the total number of data records have been compromised. 
Executive risk managers, therefore, may request that the CISO explore various loss scenarios within these percentage boundaries, utilizing the subsequently agreed-upon threshold to aid materiality decision-making.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Calculating Likely Threshold Exceedance for Form 10-K, Line 1C\">Calculating Likely Threshold Exceedance for Form 10-K, Line 1C<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Once these internal materiality-framing benchmarks have been established, CISOs can quantify the likelihood of these loss values being exceeded in the event of a cyber incident, information that is particularly valuable for complying with the new cybersecurity line item, 1C, on Form 10-K.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">1C requires registrants to describe their processes \u201cfor assessing, identifying, and managing material [cyber] risks\u201d and report, specifically, how these risks will affect \u201cresults of operations or financial conditions.\u201d<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The quantified thresholds, coupled with their likelihood of exceedance, equip high-level executives to easily fulfill the said regulatory obligations, offering the SEC and investors alike an in-depth understanding of the organization\u2019s cyber risk landscape and the tangible harms it faces as a result.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" 
id=\"Harnessing Quantitative Thresholds for Form 8-K, Line 1.05\">Harnessing Quantitative Thresholds for Form 8-K, Line 1.05<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Well before the SEC\u2019s cybersecurity regulations were enacted, business leaders were already inundated by the sheer number of tasks they needed to handle following a cyber event. As of December 2023, organizations must also evaluate an incident\u2019s impact \u201c<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.sec.gov\/files\/form8-k.pdf\" rel=\"noopener\">without unreasonable delay<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">\u201d and subsequently report the scope of damage, including financial and operational losses, within four days if determined to be material.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Instead of spending critical time attempting to examine all of the far-reaching implications\u2014which can quickly become overwhelming\u2014risk managers and executives can harness the material quantitative thresholds to guide the assessment, first asking themselves, \u201cDid the event result in losses that exceeded our limits?\u201d<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The quick availability of these parameters renders a much more efficient process.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" 
data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Moreover, by having these clearly defined loss metrics, stakeholders can readily justify their disclosure choices to the SEC, explaining in detail why they did or did not deem the incident material.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Factoring Qualitative Impacts Into the Mix\">Factoring Qualitative Impacts Into the Mix<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">It\u2019s important to note that while quantitative thresholds provide the groundwork for materiality discussions, disclosures would not be compliant if organizations didn\u2019t likewise consider the more qualitative outcomes of a cyber event or risk. Qualitative implications may include the impact of the cyber event on key customers or markets, whether or not it would significantly postpone a new product launch, or whether it has resulted in a regulatory fine or investigation.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Such binary parameters can be included as evaluation criteria on top of the quantified impact of such events. Generally speaking, it will be more difficult to argue that something is not material qualitatively if it surpasses your quantitative thresholds for material disclosure. 
The reverse is less true.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Fortunately, because the numerical benchmarks are in place, stakeholders have the time to devote to evaluating these less straightforward qualitative factors that contribute to a material determination and provide investors with an appropriate scope of information.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Ultimately, to offer the shareholders the transparent, consistent details the SEC wants them to have, adopting a standardized methodology for material assessments based on quantified thresholds is the most practicable approach.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/how-can-organizations-navigate-sec-cyber-materiality-disclosures\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Question: How should cybersecurity leaders navigate the US Securities 
and<\/p>\n","protected":false},"author":12,"featured_media":4890,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4889","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=1800%2C1013&ssl=1",1800,1013,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=1800%2C1013&ssl=1",1800,1013,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\
/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/how-can-organizations-navigate-secs-cyber-materiality-disclosures.jpg?fit=1800%2C1013&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4889"}],"version-history":[{"count":1,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4889\/revisions"}],"predecessor-version":[{"id":4900,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4889\/revisions\/4900"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4890"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4889"},{"t
axonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}