A Review: Determining Cyber Materiality in a Post-SEC Cyber Rule World

ISSA Journal Sept 2023The September 2023 ISSA Journal article, Determining Cyber Materiality in a Post-SEC Cyber Rule World, by Jack Freund, Charlotte Metroc, and Natalie Jorion, outlines the history of material events and their applicability to the cyber world. The paper presents a complex approach to end with a qualitative decision per risk basis. Organizations should determine their materiality threshold, independently quantitatively assess their risks using a consistent methodology, and then compare those results to the threshold determined before an event.

The authors used the Advisen Cyber Loss data to analyze 39 unique events from 1999 to 2022. Given that the Advisen dataset has over 90,000 events, as stated by the authors, with associated losses, it is unclear why the authors limited their analysis to a small number of events over a broad period. Cyber events have changed drastically in the last ten years; going back twenty years creates a dichotomy in the analysis that was not addressed.

Furthermore, the authors did not fully explain their chosen data transformations and categorizations, which appear different from standard approaches. In the materiality by size and industry section, their revenue buckets appeared on a log-10 scale: 1.3 million, 13 million, and 130 million. In financial and economic analysis, the log-normal value is standard due to the direct interpretability of proportional differences. Moreover, they classified revenue greater than 130 million as very. The Small Business Association classifies businesses with a mid-size annual revenue between $10 million and $1 billion.

Plan your response to the new disclosure rules - watch our Member webinar on demand: 

Webinar: What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession

Data issues aside, their materiality analysis relied on three case studies using benchmark values from their literature review: 4% of revenue and above, +/- 100% of net income, and 5% of equity. Under Case Study 1, they state that 36% of events would be material, highlighting the 2012 Gawker Media incident. Upon closer review, the case here involved the Bollea v. Gawker Media, LLC lawsuit that resulted in a $140 million court judgment brought by former professional wrestler Hulk Hogan over a sex tape. That tape's release was unrelated to the breach of the same year, though the data appears to indicate otherwise. Furthermore, the lawsuit was backed by Peter Thiel, creating an outlier event not due to the event scope but by the outsized legal financing to bankrupt the company.

Under Case 2, 26% of events would have been material highlighting the 2020 Robinhood Financial data breach. Under Case 3, 26% of events would have been material under the analysis threshold. The authors highlight Boeing's 2010 data breach. We attribute the event's materiality to the incident's findings that poor cyber practices at an aircraft manufacturer can lead to significant public safety risks. We might suggest that aircraft manufacturing and financial industries are riskier than retail as they are more heavily regulated; thus, they have a lower threshold in reporting and lead to higher costs. 

The crux of their paper lies in the Freund-Jorion Cyber Materiality Heuristic proposal, which provides quantitative measures to determine materiality. Still, the flow diagram ultimately leads to using qualitative factors to make the final determination. However, in Step 1, the authors use a greater than 0.01% multiplied by revenue as a benchmark for preliminarily material. Financial analysts on Wall Street would not have considered 0.01% of any metric material.

Read our thoughts on the new rules:

Blog: What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession

The value of a company is the perception of what an investor believes to be the sum of all future discounted earnings, net cash flow, and similar financial metrics where any event would reduce that future value by an appreciable amount to be considered material to the investor. More simply, do we report to our spouse a preliminarily material event that impacted 0.01% of our net income - on a $100,000, that would be $10?

As the authors conclude, it may also be valuable for organizations to request review by their external auditors and legal counsel. We agree. However, firms should be proactive and conduct this analysis before the event so they understand the materiality threshold and can begin working to reduce their risk exposure, thus reducing the likelihood of having a materiality event.

Want to follow along on this subject some more? Join us at FAIRCON23 for specific sessions on the new SEC rules, including a panel with David Hirsch, Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC.

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37