The discussion around materiality can be overwhelming
Materiality calculations have been a concept at public companies for 90 years. The SEC formulated the Securities Act of 1933 and the Securities Exchange Act of 1934, significantly shaping the understanding of materiality. Since then, we’ve seen companies calculate and present this concept in a few different ways. While we have previously discussed materiality on this blog regarding the SEC cyber rules, we looked at it from the viewpoint of an investor. What we’d like to do here is now look at it from an internal stakeholder perspective. Some questions we will cover include:
- In terms of security events, what needs to be done to start the process of assessing materiality?
- If we think an event is material, what information should we provide for the 8-K filing?
- Who should we reach out to when disclosing a material incident?
Let’s take a quick look at what your company can do to prepare yourself for an event-based materiality assessment.
Finding a materiality starting point
Assuming the cyber incident materiality question is being asked proactively, a great first step is to have conversations with your security team to understand how they fit into the process. Some icebreakers include:
- Are we currently doing anything to calculate materiality?
- What do we view as material in terms of financial or qualitative terms?
- Who owns the process of materiality calculation?
These questions allow you to get an idea of your materiality maturity. Often you may discover the process is actually in the hands of accounting or finance, so the conversation may expand to more stakeholders and become a collaborative effort. Bringing these teams together will allow you to put all the pieces of the puzzle together. You can consider this conversation a success if you’ve left it understanding more than you did prior. You can expect to have a better understanding of what each department brings to the table, where gaps might lie, and most importantly how the security team will aid in the process of quantifying these large events. This new set of rules poses a challenge not around understanding materiality, but around applying it to security events that involve more qualitative variables. The security team can educate themselves on how their company views materiality in financial terms, and then provide their expertise on security events to understand what operational and financial outcomes will follow a security event. This includes understanding the long-term impacts of stolen IP, stolen customer data, endpoints or computers impacted by a ransomware event, and so on.
What information should you be looking for to aid in the process of producing an 8-K?
Look at your peers
You can learn a lot about materiality disclosure by looking at the companies that have already filed for security events. Clorox went into detail on how their recent cyber events impacted financial results. They talked about delays in manufacturing as well as anticipated hits to their sales and EPS. This is not easy for the security team to do on their own, but what they can do is provide information to help calculate this.
Are there any known or highly anticipated costs associated with the cyber event?
Using Cyber Risk Quantification (CRQ), a company can anticipate the costs of a future cyber event and plan for a potential negative financial impact. Another thing to consider when creating an 8-K is insurance payouts. MGM mentioned in their 8-K that the event would likely have a material impact, but that anticipated payouts from their insurance policies would cover a large portion of the costs. In your conversations with the teams involved in the 8-K, consider creating a list of information to gather in the case of an event. It will allow you to manage the process with a level head.
What can you do today to understand cyber incident materiality?
Axio has developed an offering to help companies not only understand where they stand, but also provides a roadmap with services to get them where they need to be. We broke the SEC’s cybersecurity disclosure regulations down to their core and built the offering around them. Just a few things our offering will help you accomplish:
- Identifying key threats that pose a material risk to your organization.
- Integrating our cyber risk quantification tool into your incident response plan to achieve a level-headed process for materiality determinations.
- Providing a system of record showing how you came to your materiality determination.
Check out our latest webinar highlighting our solution launch: Axio360 for SEC Compliance