Can’t someone just tell me how to calculate materiality?
The SEC’s rules on cybersecurity disclosures have gone into effect, but we still see plenty of questions being raised. One of the top concerns involves bringing qualitative factors of a security event into materiality calculations. The concept of materiality has been around for almost 90 years now but its determination often remains subjective and can vary depending on the business context. The SEC is vague in its definition of materiality because there is no way to objectively inform investors through a magic dollar threshold. The definition has evolved, yet at its core, it emphasizes the need for information that is relevant to informed investment decisions (1).
When determining whether the impact of a cybersecurity incident is material, we have to assess whether a reasonable investor could use this information in their decision-making process. A fact does not have to change an investor’s decision to be material; rather, it has to be viewed as altering the mix of information made available to them. To help in navigating this challenge, the SEC’s director of corporate finance gave some guidance. He wrote up a piece with his thoughts on the rules and, specifically, gave examples where materiality was debated in court. He provided multiple examples of Supreme Court cases, but for this blog we’re going to look into Matrixx Initiatives, Inc. v. Siracusano.
Supreme court cases as a learning tool for the notion of cyber incident materiality
In Matrixx Initiatives, Inc. v. Siracusano, the claim was that Matrixx omitted material facts because it was aware of the negative financial impact disclosure would have. Siracusano and other investors alleged that Matrixx failed to disclose the material fact that one of its products, Zicam, was linked to anosmia (total or partial loss of smell) in some of its customers. This information, while it might technically be qualitative, is still considered relevant in the decision-making process for investors. Matrixx argued that the findings were “statistically insignificant” and therefore immaterial. In response to this, Justice Sotomayor wrote: “Given that medical professionals and regulators act on the basis of evidence of causation that is not statistically significant, it stands to reason that in certain cases reasonable investors would as well.” In the end, the Court ruled unanimously in favor of the investors, stating that the company did in fact omit a material fact.
I’d like to highlight two things in response to the results of this case that can be applied to cybersecurity disclosures under the new rules:
- Qualitative factors can carry just as much weight in materiality determinations as quantitative factors.
- Statistical significance can play a part in determining materiality, but a lack of it does not automatically deem something immaterial.
Cyber risk quantification provides you with a personalized approach to calculating materiality beyond qualitative determinations
Calculating materiality requires a personalized approach. No two public companies are the same, and there are often multiple differentiating factors (qualitative and quantitative), including:
- Industries they serve
- Operational processes
- Products and services they provide
- Size of their business demographic
- Economic environment they must operate in
- Their insurance portfolio and other mechanisms of transferring risk
An assessment of materiality requires a way to determine if and how these important factors will affect the impact of cybersecurity incidents. This is where cyber risk quantification fills the knowledge gap and expands on qualitative determinations. By aligning cyber scenarios to a holistic view of your business, you can more meaningfully determine the financial consequences of an event.
Axio’s methodology of cyber risk quantification is unique. We were recently recognized as a leader in The Forrester Wave™: Cyber Risk Quantification, Q3 2023. Industry analysts spent over a year diving into how we think about cyber risk. It’s a worthwhile read to understand what it takes to reduce cyber risk using a comprehensive control-based approach that is easy to understand and implement.
We are preparing to help public companies address and solve the materiality question for the SEC’s new cybersecurity rules—from both a qualitative and quantitative view. CISOs and security teams must protect themselves and their companies in these challenging times.
We are officially launching Axio360 for Cyber Compliance on January 17th | 12 EST
Reserve your seat today to learn more about this new solution! You can ask me any questions you have, as I will be participating in the product launch event!
(1) As early as 1947, the SEC adopted rules incorporating and defining materiality. Rule 405 under the Securities Act defined the term “material” as follows: “[W]hen used to qualify a requirement for the furnishing of information as to any subject, [materiality] limits the information required to those matters to which an average prudent investor ought reasonably to be informed before purchasing the security registered.” In 1982, in keeping with U.S. Supreme Court decisions, the SEC amended the definition of “material” in Rule 405 as follows: “[W]hen used to qualify a requirement for the furnishing of information as to any subject, [materiality] limits the information required to those matters to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered.”