Blog Post
June 18, 2024
TL;DR
In March 2022, when the not-so-new-anymore SEC cybersecurity regulations were initially drafted, some argued that smaller reporting companies, defined by having a public float of less than $250 million or an annual revenue of less than $100 million, should be exempt, given the "outsized costs" they faced. Others proposed that these smaller organizations should have a longer disclosure deadline, helping to alleviate the chances of non-compliance.
The US SEC made no such exemptions. The governing body did, however, agree to allot an additional 180 days, giving the smaller entities until June 15, 2024, to prepare to comply with Item 1.05 of Form 8-K. The novel line item is the now infamous regulation that mandates an organization to disclose any material cyber event that is determined to be "material" within four days.
Given the larger organizations' (legally accountable as of December 2023) demonstrable struggle to comply with these new cybersecurity disclosure guidelines, the extra preparation time smaller entities received was apparently well warranted. However, as of this month, these smaller entities, too, must be ready to quickly assess the impact of any cyber incident and definitively decide whether it meets materiality thresholds.
Such a process can be significantly streamlined by quantifying an organization's unique cyber risk landscape and calculating preliminary loss benchmarks based on one basis point of revenue. These benchmarks provide stakeholders with objective parameters that can be used to steer ensuing discussions, minimizing the time it takes to determine materiality, thus ensuring compliance with the SEC's disclosure requirements.
Defined as the level at which there is a "substantial likelihood that a reasonable shareholder would consider it important," materiality is inherently ambiguous and depends on various factors, including annual revenue and industry. Ergo, what may be considered a "material" consequence for one organization may be a mere inconvenience for another.
Despite the ample room for interpretation, the SEC still expects organizations to determine materiality "as soon as reasonably practicable" after a cyber event is discovered and to report it in Form 8-K in no more than four days if it is positively classified as such. Still, with so many important elements that may comprise materiality, a respective analysis in its entirety can be a formidable task.
Indeed, driven by fears of non-compliance and confused by the regulations' ambiguity, many larger companies have disclosed incidents that, at the date of filing, had not yet been determined to have had a material impact on operations. The high frequency of this disclosure misapplication even prompted Erik Gerding, SEC Division of Corporation Finance Director, to issue a clarifying statement, reminding organizations that if events have not yet been deemed material, they should not be freely reported in Item 1.05.
The extra half a year, coupled with the SEC's slew of feedback on material event reporting, has thus provided smaller organizations with the information necessary to adhere to reporting requirements. Ultimately, one crucial piece of insight has become clear: these entities need a structured framework to help stakeholders quickly determine materiality and justify reporting decisions.
Determining materiality is a complex process that requires a significant time investment. In the wake of a cyber event, stakeholders must assess several potential consequences, such as financial loss, data record compromise, outage times, operational implications, vendor relationships, reputational damage, and more. The sheer number of factors constituting materiality is undoubtedly one of the reasons why smaller entities received an extension to prepare for disclosures.
However, given the multitude of other tasks that need to be handled following a cyber attack, on top of the surmounting stress and four-day reporting deadline, executives would do well to develop clearly defined frameworks to guide materiality decisions. In fact, by leveraging quantified loss thresholds within these frameworks, disclosures become more efficient and defensible, benefits that will prove themselves to be paramount for ensuring SEC compliance and maintaining investor trust.
The SEC's cybersecurity regulation specifically requires registrants to consider the quantitative and qualitative impacts when evaluating the materiality of a cyber event, both of which are crucial to investors. Still, because the qualitative inherently demands more interpretation, frameworks that harness quantitative values as baseline determination parameters are much more commonly used.
One of the few explicit instructions the regulating entity provides vis-a-vis materiality is for organizations to assess the "financial conditions and result of operations" after a cyber attack ensues. These two consequences are plainly quantitative outputs, offering reasonable investors high-priority information. After all, these shareholders are primarily concerned with achieving positive returns, and any monetary changes to the organization will have the most direct effect on that outcome.
While preliminary loss thresholds depend on a registrant's specific risk appetite and tolerance levels, extensive research has found that most companies — also subject to materiality reporting in contexts outside of cyber — begin their materiality determination process at one basis point of revenue. Consequently, stakeholders use this benchmark to decide quickly whether an 8-K material disclosure is advisable. If losses exceed 0.01% of annual revenue, it's a solid indication that the event may be legally considered material.
Utilizing the one basis point of revenue loss as a starting point for materiality thresholds, Kovrr’s on-demand cyber risk quantification (CRQ) platform provides risk managers with objective insights regarding material events, including related event statistics and the likelihood of experiencing such an incident within the upcoming year.
.png)
For example, with Kovrr’s CRQ Materiality Analysis, one organization not only discovered $200 million to be their preliminary threshold for determining materiality but also found a 1.43% likelihood that they will experience such a significant event within the upcoming year. Moreover, this event, which exceeds the initial loss benchmarks, will typically result in a loss of $212.3 million, last roughly 9 hours, and compromise 1 million data records.
The Material Analysis platform likewise offers an exceedance curve for financial losses, highlighting predefined and custom thresholds and the likelihood of experiencing an event that results in those levels of specified damage. Similarly, the solution provides exceedance curves for outage times and the number of data records compromised.
All of these insights can be harnessed for Form 8-K material incident reports, as well as annual Form 10-K disclosures, which require smaller SEC registrants to disclose material cyber risks, their process for identifying them, and subsequent management strategies.
Learn more here about the Materiality Analysis feature and how it supports organizations in developing data-driven risk appetites, defining material cyber events and risks, and maintaining regulatory compliance.
Generating quantitative loss benchmarks streamlines the materiality deliberation process, but it is not an all-encompassing calculation. If an incident occurs and losses exceed the threshold, it is a solid indicator that the attack can be considered material under SEC regulations. From that point, however, key stakeholders should concentrate on assessing the other, more qualitative consequences that require more in-depth exploration.
These thresholds are similarly valuable even when they are not surpassed, as they offer the SEC and investors alike a defensible reason why the event—after qualitative implications were analyzed—was determined not to be material. For instance, if an organization experiences a ransomware attack but systems are only down for two hours (a length which is less than what has been calculated to be preliminary material), executives can more easily explain to their shareholders why they did not report it on Line Item 1.05.
To reiterate: These loss thresholds do not negate the necessity of considering the more qualitative damage that occurs in the wake of a cyber event. Rather, they provide a more concrete starting point for the materiality determination process than the current definition. With the parameters, executives have a clearer understanding of when they should disclose the event and a defensible framework to leverage should that decision be questioned.
If you'd like to learn more about the power preliminary benchmarks have in regulatory compliance, contact one of our cyber risk management experts today.
When any new regulatory disclosure law is passed, there is a natural grace period, giving organizations time to figure out precisely which details to include in reports. Nevertheless, with half a year gone by since the cybersecurity rules were enacted and Form 8-Ks being consistently noncompliant, the SEC’s patience is wearing thin.
Smaller entities would benefit from adopting a standardized materiality determination framework to avoid making the same mistakes as their larger counterparts. Leveraging quantitative thresholds, these organizations can not only streamline the materiality determination process but also ensure their decisions are objectively defensible.
In today’s digital marketplace, maintaining transparency and providing investors with relevant cybersecurity information is key to long-term success. When data-driven parameters are used as the basis for this communication, businesses can be sure they are executing their cyber risk management fiduciary responsibilities.
Recognizing the challenges that SEC registrants, of any size, across all industries face when determining a cyber event’s materiality, Kovrr developed the Cyber Materiality Analysis feature directly within our on-demand CRQ platform. No matter their revenue band, organizations can harness this capability to streamline SEC disclosures and ensure compliance with Form 8-K, Line 1.05.
To learn more about this innovative CRQ feature, schedule a free platform demo today.
.webp)
Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.
