By: Sue Bergamo and Brian Walker —
The new SEC cybersecurity disclosure rules require public companies to publicly disclose material cybersecurity incidents. Each material incident is to be disclosed using an SEC 8-k and will be part of a broader recurring disclosure requirement using 10k forms that disclose the oversight and governance processes associated with cyber risk, including the roles and responsibilities of the board at-large, board committees, and the management team. A common thread throughout is the definition of materiality – what’s material and what’s not? One way to frame the answer is as part of the overall model for measuring risk and for defining the parameters of risk tolerance.
The SEC specifically avoided providing a one-size-fits-all definition of materiality. That responsibility remains with companies – just as it does for non-cyber incidents. Being able to determine the materiality of a cyber incident in the midst of the fight will be much easier with a previously-agreed and unambiguous expression of the parameters of risk – how much risk is a company willing to accept, how much do they seek to transfer, and how much do they seek to mitigate. This articulation is an outcome of the risk governance process and requires that companies be proficient at discussing and agreeing on how to manage a risk – and continuously reviewing those definitions on an evergreen basis.
A natural element of defining cyber risk tolerance is defining the parameters that contribute to the shareholder risk of a cyber incident. Normal characteristics that define levels of cyber risk often include size of data lost, sensitivity of that data (personal information, pricing, contract terms, etc.), and financial costs associated with recovery of operations. During an incident, these characteristics will provide a framework for collaboration across the board and management and will dramatically accelerate the determination of materiality.
To show how quickly a risk conversation can become complex, here are a couple of examples of real-life cybersecurity threats:
SCENARIO #1: The accounting team has fallen prey to an email phishing campaign. Ostensibly the CEO sent an email requesting urgent review of customer information in anticipation of upcoming meetings. Knowing that the CEO is traveling, a team member clicks on an attachment and unleash ransomware, which traverses the network and shuts down global operations. The cybercriminal is demanding a large payment to decrypt the company’s data. The company is unable to fulfill orders or manage financials – rendering it effectively offline. Who should determine the materiality of this incident? What process is defined and tested to support making such a determination? How many days offline is sufficient to be defined as ‘material’? Does the board to be notified? Included in the decision to pay the ransom?
SCENARIO #2: A new product has been released that required significant investment to develop and contains new features that would significantly increase revenue. After release, a high severity vulnerability is discovered that exposes the product to cybercriminals and a potential attack. Source software in the product is publicly linked to significant ransomware incidents that are increasingly visible in the media. While no attack has been recognized at this point, technical experts advise that the vulnerability could be exploited by a cybercriminal at any time and key indicators point to increased unknown activity in the new product. Since an incident hasn’t occurred, should the company notify customers of the potential risk? Should it disable the new product while rapid remediation is conducted? Is this risk handled solely by management or should the board be involved? Should the board be advised in real-time or only if an incident ultimately occurs?
These simple examples demonstrate the complexity involved in determining materiality of incidents in real-time. This has always been complex, but the new SEC disclosure requirements will put additional pressure on companies. The expectation for disclosing ‘material’ incidents is new, and the four day disclosure window is aggressive. These new requirements become effective in December - just 3 short months from now. Time is short and the deadline isn’t moving, so it’s time to prepare.