I ran a cybersecurity materiality determination workshop at my company last month. I know, I know - this isn't a CISO task. But wow, the business knowledge you gain from creating scenarios, working with CEOs, CFOs, CTOs, and operational heads, moderating the discussion, and documenting takeaways -- PRICELESS. Here are the deets.

SEC disclosure requirements now require cyber incidents judged to be material to be disclosed publicly with an 8-K (6-K for foreign entities) filing. Financial materiality is relatively simple - if X% of revenue/profit is impacted, it's material. But how does one judge materiality in the throes of a cybersecurity incident? It's difficult - that's why you practice with internal workshops to talk through scenarios, work out conflicts, and create (new) processes, so that you don't spend time doing that during an incident when tick tock tick tock.

Here's how I run mine:
- Create 2-3 realistic scenarios.
- Send them a month before the workshop to the SMEs (CEO, CFO, CLO, CTO, Ops heads).
- Give the SMEs parameters to think through as they develop submissions (e.g., churn rate; regulatory impact; cost of litigation; reputation cost).
- Provide the SMEs with an example submission so they understand expectations (the submission should be ~1 page of analysis and estimates).
- Work with them for the next 3 weeks to answer questions, poke holes in arguments, and finalize submissions.
- On workshop day, select a crisp 30-minute block for each scenario, where each SME goes in turn, notes their assumptions, and summarizes impact.
- The materiality committee (such as it is) takes all the submissions into account and decides material vs. not.
- In the wrap-up, we discuss what went right, what didn't, what enhancements to make, etc.

Are you a CISO trying to break into the business world? Run one of these in your company. Having an external company run it for you will cost you $50K or more. Doing it yourself is all sorts of priceless for your company and your own credibility.
Questions? Comments? Want me to walk you through in a bit more detail how I ran the workshop - ask away (PS: I've also submitted a talk track for FS-ISAC's Fall Summit, so maybe I'll present it there!) -- Interested in more content like this and don't want to miss a post? Connect with me for 3x/week posts on cybersecurity, leadership, photography, life lessons & personal finance (View my profile, click 🔔). #lessonsfromaCISO #cybersecurity #security #infosec #commonsense #leadership #leadershipadvice #cyber #CISO 🔐
How to Evaluate the Materiality of Cyber Incidents
-
Does a global cyber outage qualify as a "material cybersecurity incident"? This is the question hundreds of companies are grappling with this week.

Under the SEC cyber rule, public companies are required to promptly disclose material cybersecurity incidents under Item 1.05 of Form 8-K. If the company is unsure whether the incident is material, the SEC released guidance that those incidents should be reported under Item 8.01. But what is a "material cybersecurity incident"?

"Material" - Limits the information required to be furnished to those matters about which an average prudent investor ought reasonably to be informed before purchasing a security.

"Cybersecurity Incident" - An unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.

Late last week, CrowdStrike released a faulty driver update for its flagship Endpoint Detection and Response tool, Falcon. Drivers operate at the kernel level of a computer, a critical and highly controlled part of the system. Typically, software avoids running in the kernel to prevent system crashes that can lead to data corruption. This corruption impacted any Windows 10 machine running Falcon - roughly 9 million devices. However, since these were mainly enterprise machines, the crashes occurred at airports, banks, healthcare facilities, government agencies, and other locations, resulting in an extensively publicized outage. Over the past 5 days, CrowdStrike's stock value plunged more than 25% as a direct result of this event.

On Monday, CrowdStrike filed a Form 8-K under Item 8.01 and not Item 1.05 - indicating they had not determined this to be a "material cybersecurity incident." How could that be? The answer is in the definition. This is certainly a "material" event, as evidenced by the more than 25% drop in stock value.

But is it a "cybersecurity incident"? The SEC's definition turns on an "unauthorized occurrence." While a threat actor need not be involved, the occurrence itself must be unauthorized - a fire at a datacenter, for instance, could qualify. CrowdStrike's update, though faulty, was authorized. As such, it may not fall within the ambit of the SEC rule. Erring on the side of transparency, CrowdStrike reported this incident through the most legally sufficient vehicle available - Item 8.01.

What does this mean for CrowdStrike's public customers impacted by this event? Other companies should consider a range of factors when assessing whether this incident materially impacted them, such as:
- Reputational harm
- Remediation costs
- Legal risks
- Lost revenues
- Insurance

Importantly, these should also be placed in the context of a global cyber outage - e.g., what is the reputational damage to a single company amongst thousands impacted? This will be unique to each company.
-
The materiality determination of a cybersecurity incident might be the most important part of the SEC's new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules. The new rules state information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have altered the total mix of information made available."

Public companies will have four business days from the day they determine the incident is material to report an incident. The trigger for reporting an incident is not the day of discovery. It is the day the materiality determination is made. There could be several days between the discovery date and the materiality determination date. However, the new rules state that companies must make their materiality determinations "without unreasonable delay."

With this in mind, it's important to note the following:
- The definitions of materiality and "without unreasonable delay" are very vague. Because of this, it is imperative that companies update their incident response policies and procedures to include the policies and procedures for making materiality decisions without unreasonable delay.
- Incident response policies and procedures should be updated to include the key factors (quantitative and qualitative) that need to be considered when making the decisions, the people responsible for making the decisions, how decisions will be documented and communicated, how disagreements will be handled, and timelines for making decisions. Policies and procedures should also include how to amend materiality decisions when new information becomes available.
- Communicate the new materiality process to the appropriate personnel.
- Include materiality decisions as part of your incident response tests.
- When an incident occurs, document everything around making this decision. If the decision ever comes into question from regulators, you will need evidence to support the details of the decision.
- Retain details around the decision for a sufficient period of time to support an investigation by regulators.

Don't take the process for making this decision lightly. There is too much ambiguity in the definitions to figure this out on the fly in the middle of an incident when emotions are running high.
-
A few months back the SEC released reporting rules for public companies that experience material cybersecurity incidents. We've seen a few companies start to file reports under this rule. But from a lot of conversations I've had, the toughest part about this new rule is determining what is "material". Materiality can mean different things to different people. But when you as a CISO have to make a determination on whether to report based on materiality, it's good to have some industry guidance to guide you. In order to help companies determine materiality, some of us at Lacework worked with the community to create an SEC materiality framework. Using this framework, a CISO can answer questions to know if an incident could be declared 'material' and require reporting to the SEC. Have a look at the framework and if you have any questions, let me know! https://lnkd.in/eAgbGA73
-
The new #SEC rules on #CyberSecurity reporting have sparked a debate on the concept of '#materiality'. A Materiality Threshold is relevant to your organization, even if it's not publicly traded. The SEC mandates publicly traded companies to report cyberattacks within four days of determining a hack will have a 'material impact'. But defining what constitutes 'material' is specific to each firm. What is considered a "moderate" risk appetite for a Fortune 500 is much different for smaller organizations.

Here are three steps to navigate this:
1️⃣ Define your organization's materiality threshold: This will depend on factors like size, complexity, and financial tolerance if a risk event manifests. How damaging is the impact of a $1M event vs. a $50M one?
2️⃣ Document your risk management process: The SEC requires companies to disclose the criteria by which they determine materiality in their annual reports. What factors are considered - strategic, operational, reputational, compliance, etc.?
3️⃣ Regularly review and update your tolerance: As your organization evolves, so too should your approach to #RiskManagement.

Remember, transparency and accountability in the face of cyber threats are key to building trust with stakeholders and maintaining a robust security posture. What approach does your organization take in defining its materiality threshold? #CyberRisk #RiskManagement #Transparency #Accountability
-
Cybersecurity Materiality Overview

As the former U.S. Securities and Exchange Commission Senior Cybersecurity Advisor to the Chair, I now advise senior executives, the legal community, CISOs, investors and boards of directors on matters of cybersecurity materiality. Below is an enumeration of the types of business, operational, legal, regulatory and financial factors that should be contemplated when determining incident materiality.

The types of costs and adverse consequences that companies may incur or experience as a result of a cybersecurity incident include the following:
• Costs due to business interruption, decreases in production and delays in product launches.
• Payments to meet ransom and other extortion demands.
• Remediation costs, such as liability for stolen assets or information, repairs of system damage and incentives to customers or business partners in an effort to maintain relationships after an attack.
• Increased cybersecurity protection costs, which may include increased insurance premiums and the costs of making organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants.
• Lost revenues resulting from intellectual property theft and the unauthorized use of proprietary information or the failure to retain or attract customers following an attack.
• Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.
• Harm to employees and customers, violation of privacy laws and reputational damage that adversely affects customer or investor confidence.
• Damage to the company's competitiveness, stock price and long-term shareholder value.

Cyber risk management is a team sport that requires the entirety of the enterprise to ensure business resilience. What is required is a more inclusive message and collaboration that includes all enterprise risk management leaders.
https://lnkd.in/eQM9teDv