Identifying a ‘Material Cyber Event’
Today we continue our series of posts examining the Securities and Exchange Commission’s proposed rules for expanded disclosure of cybersecurity issues, with a look at the one idea perhaps most relevant to CISOs’ daily lives.
The SEC wants publicly traded companies to disclose “material cybersecurity incidents” within four days of determining that an incident would indeed be material to investors.
So, um, what does that mean?
After all, any number of cybersecurity incidents could qualify as material. The answer depends on details such as how the attack happened, what damage was done, and what regulatory consequences might befall the company next. CISOs need to evaluate all those factors (and more) to understand how the company should proceed.
That, again, is why a close read of the SEC’s proposals is so useful. An ability to understand the significance of a cybersecurity event is important for any organization, regulated by the SEC or not.
Defining a ‘Material Incident’
We can begin with a look at what the SEC proposals say about materiality. The text offers this advice:
“A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis of a cybersecurity incident … When a cybersecurity incident occurs, registrants would need to carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information.”
If the above advice sounds rather vague, that’s because the legal standard for materiality is rather vague. The U.S. Supreme Court has said that a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”
Lawyers have been arguing about what that means in practice for years. For CISOs, the important point is that evaluating the materiality of a cybersecurity incident should be a disciplined process — one that depends on gathering as many relevant facts as possible, and then exercising good judgment.
The more rigorous and fact-based your decision process is, the better you’ll be able to defend your conclusions about the seriousness of a cybersecurity event. That’s important whether you’re defending your decisions in an SEC filing, to anxious private equity investors, or to business partners wondering whether your cybersecurity practices are as sound as they’d like to see.
All that murky legal language aside, however, the fundamental question CISOs want to answer is simply, “Is this cybersecurity incident a big deal?”
And from there, we can start to reverse-engineer the information and capabilities you and your compliance team will need so you can provide an answer.
What You Need to Evaluate Materiality
Foremost, CISOs will need the right resources to detect and assess the damage from an attack. That is, before you even get to the question of whether the attack is material, you need to know what happened (or is still happening, as the case may be).
In practice, that means tools for intrusion detection, data monitoring, and alerting, so that your security team can investigate anomalous behavior. You’ll also need tools and systems to diagnose how the attack happened. For example, you would need audit logs to trace whether an unauthorized transfer of data was due to a phishing attack. You would also want thorough records of software patch management, to determine whether an unpatched vulnerability in your ERP software was exploited to, say, execute a wire transfer overseas.
Beyond those IT forensic capabilities, however, the CISO also needs to understand what’s mission-critical to your business — because without that context, you still can’t answer the question from above: “Is this cybersecurity incident a big deal?”
That’s a very different process: working with senior management and leaders of First Line operating units to define what those mission-critical systems, processes, and data are, and how critical they are.
For example, a retailer’s order fulfillment system is certainly mission-critical, but you would also need a sense of how much revenue is lost for each hour or day that system is offline, as well as how much revenue the finance team was expecting for the quarter. Only then could you do the math to say, “If the fulfillment system is offline for three weeks in a ransomware attack, we lose 5% of expected revenue, and that’s material.”
To evaluate the materiality of cyber incidents, CISOs will need proficiency in both realms: IT forensics and business processes. That means developing the right tools, analytics, and cross-enterprise relationships to bring all those details forward, and then deciding (with your legal team and senior management) whether to disclose the event.
Make Your Organization Ready
So what should companies have in place before an attack happens, so you’ll be ready to analyze it and make good decisions about disclosure as quickly as possible? Three answers come to mind:
1. Strong security monitoring and forensics.
You can’t make any decision about the materiality of an attack unless you know what has happened, and how it happened. Plus, the faster you can discover an attack, the less damage it’s likely to cause.
2. Keen knowledge of regulatory requirements.
The compliance consequences of a cybersecurity attack — notifying harmed consumers, wrangling with regulators, and potentially even paying monetary penalties — are huge drivers of an attack’s total cost. The better you understand what those compliance obligations are, the more quickly you can determine whether those costs rise to the threshold of materiality.
3. Business continuity planning, including scenario testing.
Especially for ransomware attacks, executives need to understand how the disruption will affect routine operations: sales not closed and revenue lost, employee time squandered while staff sit idle, or reconstruction costs to duplicate business processes the attack locked down.
Ultimately, understanding the materiality of a cybersecurity incident is a team sport — but CISOs will play an indispensable role, as one of the few leaders who can translate cyber events into a business context.
So as much as this task will be a challenge, it’s an opportunity too.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.