Com TW NOw News 2024

How can organizations deal with the SEC’s cyber materiality disclosures?

Question: How should cybersecurity leaders address the U.S. Securities and Exchange Commission (SEC) regulations regarding cybersecurity information disclosures related to material cyber events and risks?

Yakir Golan, CEO and co-founder of Kovrr: While what constitutes a material cyber risk or incident is by definition contextual, the room for interpretation provided by the SEC has led to glaring inconsistencies in reporting between both Forms 8-K and 10-K. In some cases, shareholders are rightly provided with sufficient detail to make informed investment decisions, while in other cases they are significantly deficient.

On one occasion, the SEC was forced to issue a follow-up to a seemingly sparse 8-K disclosing a material cyber event, reiterating the original requirements and requiring additional information on the impact to be provided as soon as possible in an amendment. While there have not yet been harsher, more punitive consequences for these insubstantial disclosures, it is only a matter of time before the grace period expires.

Generating materiality frameworks with loss thresholds

One of the most concrete guidelines the SEC provides to registrants for materiality reporting is to consider the “financial conditions and operating results (ROO).” Both are clearly quantified outcomes, providing organizations with a practical framework upon which to build their materiality assessment frameworks. By examining these specific ramifications and calculating the resulting harms, CISOs can significantly support stakeholders in their disclosure practices and ensure compliance.

There are no universally agreed upon loss thresholds to categorically determine the materiality, potential or realized, of a cyber incident. However, after conducting extensive research and examining various thresholds against cybersecurity event loss data from global organizations across multiple industries, we found that a 0.01% loss of the company’s annual turnover is a suitable preliminary starting point.

In other words, any cyber event that causes an organization to lose 0.01% or more of its revenue could be material and therefore should be evaluated more thoroughly.

Exploring financial loss scenarios with key stakeholders

Despite its logic, this one basis point of revenue (0.01%) should not be considered a strict rule for determining materiality. Rather, it serves as a starting point for organizations that may otherwise be confused or overwhelmed by the process. That’s why CISOs should reach out to key stakeholders well in advance of an event to explore at least three or four other financial loss thresholds before agreeing on final parameters.

What may be considered an appropriate percentage of material financial loss for one company may not be for another. Ultimately, leaders must align this monetary threshold with the organization’s risk appetite and tolerance levels and update it as necessary.

Exploring other types of operational loss benchmarks

While percentage of revenue loss is one of the most commonly used thresholds for establishing frameworks for determining materiality, organizations can also use operational loss metrics, such as the number of compromised data records or total hours of downtime, to tentatively determine what constitutes a material cyber event.

For example, within the cyber insurance market, historical claims intelligence suggests that an organization will suffer significantly when between 1% and 10% of its total data records are compromised. Executive risk managers may therefore request that the CISO explore various loss scenarios within these percentage limits, using the later agreed threshold to support decision-making on materiality.

Calculation of the Probable Threshold Exceedance for Form 10-K, Line 1C

Once these internal benchmarks for materiality frameworks are established, CISOs can quantify the likelihood that these loss values will be exceeded in the event of a cyber incident. This information is particularly valuable for complying with the new cybersecurity Part 1C on Form 10-K.

1C requires registrants to describe their processes “for assessing, identifying and managing material (cyber) risks” and specifically report how these risks will impact “results of operations or financial condition.”

The quantified thresholds and the likelihood of exceeding them enable senior executives to easily meet the stated regulatory obligations, giving both the SEC and investors deep insight into the organization’s cyber risk landscape and the tangible harm the organization is experiencing as a result.

Utilizing Quantitative Thresholds for Form 8-K, Line 1.05

Long before the SEC’s cybersecurity regulations were implemented, business leaders were overwhelmed by the sheer volume of tasks they had to handle after a cyber event. Starting in December 2023, organizations will also have to evaluate the impact of an incident “without undue delay” and then report within four days the extent of the damage, including financial and operational losses, if considered material.

Rather than spending critical time examining all the far-reaching implications (which can quickly become overwhelming), risk managers and executives can use the material quantitative thresholds to guide the assessment, first asking themselves, “Did the event result in losses that exceeded our limits?”

The rapid availability of these parameters makes for a much more efficient process.

Furthermore, these clearly defined loss figures allow stakeholders to easily justify their disclosure choices to the SEC, explaining in detail why they do or do not consider the incident to be material.
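As an added example that is not Kovrr's tooling or the article's own code, the following Python sketches the two uses described in the 10-K Item 1C and 8-K sections above: screening an incident against agreed loss thresholds (the "did the event exceed our limits?" question) and estimating the probability that a loss scenario exceeds the financial threshold. The one-basis-point revenue figure and the 1% records floor come from the text; the lognormal loss model, the 24-hour downtime benchmark and all revenue and incident figures are assumptions constructed for illustration.

```python
"""Materiality screening and threshold-exceedance estimate (constructed example)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class MaterialityThresholds:
    """Internal benchmarks agreed with stakeholders before an incident occurs."""
    revenue_loss_fraction: float = 0.0001  # one basis point of annual revenue (article's starting point)
    records_fraction: float = 0.01         # lower bound of the 1%-10% records range cited in the article
    downtime_hours: float = 24.0           # assumed operational benchmark, not taken from the article


def financial_threshold(annual_revenue: float, t: MaterialityThresholds) -> float:
    """Monetary loss at which an event becomes a candidate for material disclosure."""
    return annual_revenue * t.revenue_loss_fraction


def screen_incident(annual_revenue: float, total_records: int, loss: float,
                    records_compromised: int, downtime_hours: float,
                    t: MaterialityThresholds = MaterialityThresholds()) -> dict:
    """8-K first question: which agreed limits did the event exceed?

    Returns one boolean per criterion; any True means the event needs the
    fuller quantitative and qualitative materiality review, not that it is
    automatically material.
    """
    records_share = records_compromised / total_records if total_records else 0.0
    return {
        "financial": loss >= financial_threshold(annual_revenue, t),
        "records": records_share >= t.records_fraction,
        "downtime": downtime_hours >= t.downtime_hours,
    }


def exceedance_probability(threshold: float, median_loss: float, sigma: float) -> float:
    """P(loss > threshold) for a scenario whose loss is modelled as lognormal.

    The lognormal shape is an assumption for this example; mu is ln(median)
    and sigma is the log-scale spread. This is the 10-K Item 1C quantity:
    how likely a scenario is to blow through the agreed financial threshold.
    """
    if threshold <= 0:
        return 1.0
    z = (math.log(threshold) - math.log(median_loss)) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2))  # survival function of the standard normal


if __name__ == "__main__":
    revenue, records = 2_000_000_000.0, 4_000_000  # constructed company figures
    print("threshold:", financial_threshold(revenue, MaterialityThresholds()))
    print(screen_incident(revenue, records, loss=350_000.0, records_compromised=50_000, downtime_hours=6))
    print("P(exceed):", round(exceedance_probability(200_000.0, 50_000.0, 1.0), 3))
```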

Including qualitative effects in the mix

It is important to note that while quantitative thresholds provide the basis for discussions about materiality, disclosures would not be compliant if organizations did not also consider the more qualitative outcomes of a cyber event or risk. Qualitative implications might include the impact of the cyber event on key customers or markets, whether it significantly delayed a new product launch, or whether it resulted in a regulatory fine or investigation.

Such binary parameters can be included as evaluation criteria on top of the quantified impact of such events. In general, it will be harder to argue that something is qualitatively immaterial if it exceeds your quantitative thresholds for material disclosure. The converse is less true.

Fortunately, now that numerical benchmarks are in place, stakeholders have the time to evaluate these less obvious qualitative factors. These factors contribute to a material determination and provide investors with an appropriate information framework.

Ultimately, to provide shareholders with the transparent and consistent detail the SEC expects, it is most practical to adopt a standardized methodology for material assessments based on quantified thresholds.