The cyberevent disclosure rules1 introduced by the US Securities and Exchange Commission (SEC) in July 2023 have sparked a wave of concern among cybersecurity professionals and boards of directors (BoDs). The rules include several new or expanded requirements, but what has appeared to cause the most concern is the mandate that material cybersecurity incidents must be publicly disclosed to the SEC. This is required to happen within 4 days of determining that an event is material. However, these rules and their enforcement are predicated on being able to determine what a material cyberincident is. Hence, it is helpful to understand how to jumpstart the process for determining materiality in an organization.
Recently published research on this topic helps clarify.2 Researchers investigated what auditors have historically considered to be material risk. There is a rich history of two-factor tests being used to determine materiality. To conduct this test, an auditor begins with a quantitative assessment of financial transactions to determine whether they would have a sizable impact on an enterprise’s balance sheet, revenue, net income or asset valuation. These varying financial measures are referred to as benchmarks. The establishment of a value using a benchmark is known as its threshold. Auditors often establish certain thresholds and benchmarks to assess the financial health and risk of an organization. These may include 5% of pre-tax income, 0.5% of total assets, 1% of equity or 0.5% of total revenue. If financial changes exceed these thresholds, it could indicate significant shifts that must be addressed.
In an earlier work, one of the researchers sought to determine whether some of the highest cybersecurity fines ever imposed would be considered material given traditional materiality threshold values.3 In short, the answer was no. In fact, such fines would have had to have been as high as US$2 billion. Due to the relatively low reported loss amounts compared to the enterprises’ financial performance and the fluctuating nature of those financials, revenue was found to be the most effective benchmark upon which to judge cyberimpacts.
This finding laid the groundwork for a new line of inquiry. Researchers hoped to recreate that study but with a different focus: What would a materiality threshold value look like for cyberrisk? They analyzed the most significant cyberincidents and tested a variety of threshold values. It was found that a reasonable value would be 0.01% of an enterprise’s revenue as reported in its most recent financial report. Such adjustments to the threshold values are supported in practice by auditors, because it is not possible for an organization to have nothing that is considered material. Consequently, even in large organizations, auditors must select a threshold value that generates some preliminarily material values.
This first part of the two-factor test is important. The process of comparing an incident’s costs to a threshold and benchmark value will yield a preliminary materiality assessment. If found to be quantitatively material in this way, it will be difficult for organizations to argue that an incident is not material. However, the converse is not true. For incidents with costs falling below this threshold, the second factor to evaluate is more qualitative. The organization must determine whether a reasonable investor would find a cyberimpact meaningful to their investment decisions. Even a transaction that falls below the threshold benchmark could be considered material when evaluated using this second test. An example of this scenario is the test on the cybersecurity fines mentioned above. If the fine exceeds the threshold value, then it is likely material (subject to a final determination by the enterprise and its attorneys). However, even if an enterprise only receives a minor fine, it would still be meaningful for an investor to know that it was fined for cybersecurity violations.
The organization must determine whether a reasonable investor would find a cyberimpact meaningful to their investment decisions.
SEC guidance also requires disclosure of material risk, which involves different thresholds. First, the organization must make a distinction between risk factors and incidents. Risk factors are useful for forecasting future events, whereas incidents revolve around a current event as it is unfolding. The researchers propose additional metrics for determining quantitative material or cyberrisk in two ways: rate of change materiality (RoCM) and forecast accuracy materiality (FAM). RoCM focuses on the need for organizations to assess risk scenarios quantitatively and track changes in that loss exposure over time. Reporting those changes can surpass materiality thresholds such as the existing ones outlined by auditors (the researchers recommend using 5% of revenue to test this).
Alternatively, FAM focuses on a post-incident review of an incident’s financial impact and a comparison to the forecasted risk amount. This provides valuable insight to the investment community as to how well attuned the cyberrisk management function is and how reliable its risk forecasts are. Similarly, the variance of key values (such as the mode or max value) in excess of 5% can be considered preliminary material.
The researchers summarized their findings in a materiality heuristic that helps provide clarity for organizations dealing with uncertainty as they seek to integrate the SEC’s new compliance requirement into their governance operations. The heuristic mirrors the two-factor test that has historically been used for financial auditing purposes. The overall process consists of 3 steps:
- Assess the risk or incident using a quantitative threshold. Use 0.01% of revenue for incidents and 5% of revenue for risk-based metrics (RoCM and FAM). If the value meets or exceeds such thresholds, then the risk or incident can be considered preliminarily material. Incidents and risk, whether preliminarily deemed material or not, are advanced to the second stage for further evaluation.
- The risk or incident undergoes a qualitative review to determine whether a reasonable investor would find it material to their decision making. Such qualitative factors can include data types involved, regulatory impact, business models or market share. If the enterprise’s executive management deems it so, the risk or incident should be considered preliminarily material.
- A final materiality determination is made by the organization’s executive management, BoD and legal representation prior to disclosure to the SEC.
It is expected that the new SEC rules will be difficult to implement for many enterprises. Speculation abounds that organizations will over-disclose to avoid the ire of the SEC.4 One of the silver linings to reasonable compliance will be the establishment of a defensible framework for determination, reporting and disclosure. The guidance presented here will be critical to organizations building their own frameworks to establish cybersecurity reporting and disclosure.
Endnotes
1 US Securities and Exchange Commission, “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” USA, 26 July 2023
2 Freund, J.; N. Jorion; “Determining Cyber Materiality in a Post-SEC Cyber Rule World,” ISSA Journal, vol. 21, iss. 9, 2023
3 Freund, J.; Engineering Economic Externalities: Methods for Determining Material Cybersecurity Fines, SIRAcon, 2020
4 Alexis, A.; “Chamber of Commerce Urges SEC to Delay Cyber Rule Implementation,” Cybersecurity Dive, 15 August 2023
Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC
Is the chief risk officer for Kovrr, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, ISC2 2020 Global Achievement Awardee and the recipient of ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award.
