Blog Post
June 24, 2024
TL;DR
Determining and disclosing impactful events has been a longstanding practice for organizations operating within the US market. As early as 1933, with the Securities Act, publicly traded businesses were required to disclose “material information” regarding their security environment, allowing shareholders to make more informed investment decisions.
As the Securities and Exchange Commission (SEC) was established and the marketplace’s risk landscape evolved, these reporting regulations have only become more prevalent and stringent. Nevertheless, the SEC has always remained consistent in its usage of the materiality threshold, a concept legally formalized in 1976 with the court case TSC Industries, Inc. v. Northway, Inc.
At that point, a material consequence became one in which there is “a substantial likelihood that a reasonable shareholder would consider it important” or “significantly alter the ‘total mix’” of otherwise readily available securities information. This definition is precisely the one referred to in the US SEC’s 2023 cybersecurity regulations, mandating that registrants report this type of cyber event in their Form 8-K and this level of cyber risk in their annual Form 10-K.
Across the globe, other governments have likewise mandated that companies report material cyber events. The Australian Prudential Regulation Authority (APRA), which regulates and oversees Australia’s financial sector, for example, requires that all regulated entities "notify APRA of material information security incidents."
Likewise, the EU’s NIS 2 instructs organizations to disclose any cyber attack that has caused a "significant" impact, which is defined as having caused severe operational disruption or financial loss or having caused considerable "material" or non-material damage to other persons.
On the one hand, such a deeply ambiguous threshold is appropriate, given that what may be considered material within one organizational context may not be for another. On the other hand, this ambiguity has already caused significant challenges for companies in terms of cyber event reporting.
Undoubtedly, due to the far-reaching consequences cyber incidents often have, stakeholders feel overwhelmed by the scope of information they’d have to assess to determine materiality. Indeed, a recent survey found that less than half of organizations have established the necessary processes to quickly determine such a level of impact.
With this challenge in mind, Kovrr is pleased to introduce the groundbreaking Materiality Analysis feature, designed specifically to help organizations structure their materiality determination frameworks, remain compliant, and, ultimately, attend to their most pressing cyber risks.
Materiality is both complex and nuanced, and even more so when applied within the cyber realm. However, with the aim of supporting companies, specifically after the SEC cybersecurity ruling, Kovrr’s risk management experts conducted a comprehensive analysis of the practices used by corporations worldwide across various industries and found that the best approach to materiality determination begins with a basis point of revenue loss.
Incorporating this baseline into our cyber risk quantification (CRQ) platform, Kovrr’s models then evaluate millions of real-world cyber data points, along with an organization’s unique cyber posture, to produce an objective materiality analysis. This new feature provides data-driven insights such as:
Each of these metrics helps risk managers, cybersecurity leaders, and executive stakeholders better understand their material cyber risk landscape, enabling them to create a robust, defensible materiality determination framework for efficient decision-making. Likewise, they aid in discussions of determining risk appetite levels and capital allocation, providing the data-driven insights necessary to develop optimized strategies and achieve a state of cyber resiliency.
The financial loss exceedance curve illustrates the likelihood of an organization experiencing a cyber event that causes financial damage to surpass various thresholds. The new Materiality Analysis feature provides the pre-generated loss thresholds of 0.01% (basis point of revenue), 0.1%, 1%, and 2% (aligning with GDPR fine calculations) of annual revenue.
For example, in Figure 2, Kovrr’s CRQ models forecasted that if eMerchify falls victim to a cyber incident, there is a 35.88% chance that the ensuing financial losses will exceed 0.01% of their annual revenue, which, in their case, is $2 million. Similarly, there is a 26.73% likelihood that, should an event take place, costs will go over the threshold of 0.1% of their annual revenue, or $20 million.
Within each exceedance curve (financial loss, number of data records compromised, and outage duration), the platform also highlights the average loss severity, offering additional information for strategic and fiduciary planning.
To forecast the likelihood of events exceeding various damage thresholds, Kovrr harnesses the Monte Carlo statistical analysis. Taking into account the various predetermined thresholds (i.e., 0.01%, 0.1%, etc.), an organization’s specific risk landscape (e.g., security controls, industry, geographic location), and millions of external global intelligence data points, the Monte Carlo approach simulates the upcoming year 10,000 times.
Each of these 10,000 ‘years’ is considered a potential scenario or a forecast of the loss the organization will face due to cyber activities. In some simulations, or ‘years,’ cyber events do not occur at all. When calculating the loss exceedance curves for the Materiality Analysis, Kovrr’s models do not take into account those non-incident-occurring years.
Therefore, unlike the typical exceedance curves found throughout other components of Kovrr’s CRQ platform, which reveal annual likelihoods, the likelihoods highlighted in the Materiality Analysis loss exceedance curves, whether for financial damage, the number of data records compromised, or outage time, reflect the probability of surpassing that threshold given that an event occurs, independent of any time frame.
To learn more about Kovrr’s methodology, contact one of our risk experts or explore our knowledge base, Trust.Kovrr.
However, if cybersecurity leaders and other key stakeholders want to gauge the likelihood of experiencing an event that results in the exceedance of a specific loss threshold, the novel Materiality Analysis feature determines this as well.
The Materiality Analysis feature allows Kovrr’s CRQ users to drill down to more specific details regarding a potentially material cyber event. For instance, by exploring the scenario in which eMerchify experiences a loss of 1% annual revenue, customers can discover how likely the organization is to experience losses that exceed that monetary amount ($200 million) within the upcoming year, along with other key event statistics.
Users can zoom in on these specific scenario insights for any of the preprogrammed thresholds within any of the loss categories, not only the financial one. As such, the scenario explorer capability within Materiality Analysis is likewise available for the benchmark thresholds on the loss exceedance curves for the number of data records compromised and for outage duration.
After drilling down into the specific scenario chosen, risk managers have access to a wide range of interesting metrics that can be used to help plan for a potentially material event and ensure mitigation resources are optimized. In Figure 4, eMerchify stakeholders have opted to explore their organization’s risk of experiencing an event that will cost them upwards of $200 million.
For example, the Annual Events Likelihood describes the probability of eMerchify experiencing an event within the upcoming year that will exceed a financial loss of $200 million, which, in this case, is 1.43%. The Event Statistics section offers even more data, summarizing the impact of the events generated in the Monte Carlo simulations that exceed the financial loss threshold.
For eMerchify, this means that in the instance that the organization does fall victim to an attack that results in more than a $200 million loss:
Within the scenario exploration, Kovrr’s Materiality Analysis feature also illuminates a breakdown of the event types that will exceed the loss threshold, as well as the initial attack vectors that may be used to gain a foothold in the network. For example, in Figure 5, out of all the events in the simulation that resulted in a financial loss of more than $200 million, 47.95% were ransomware attacks, 29.35% were data breaches, and 22.7% were business interruptions.
Similarly, of the events that eMerchify experienced that caused more than $200 million worth of damage, 34.4% were initiated via a phishing scam, 14.56% were initiated via a trusted relationship, and 14.43% were due to human error. The event types and initial vectors, or Risk Drivers, provide cybersecurity and risk professionals with the information necessary to create a priority-based cyber mitigation strategy to combat material risks.
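The two probabilities the post distinguishes, the conditional exceedance shown on the Materiality Analysis curves (which drops simulated years with no incident) and the Annual Events Likelihood (which keeps them), together with the Risk Drivers breakdown by event type, can be computed from a list of simulated years as follows. This is an added illustration, not Kovrr’s code or model; the event generator, the revenue figure and the lognormal loss distribution are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
import random

@dataclass
class Event:
    kind: str    # event type, e.g. "ransomware", "data breach", "business interruption"
    loss: float  # financial loss of this single event, in dollars

# Pre-generated thresholds named in the post: one basis point, 0.1%, 1% and 2% of annual revenue.
THRESHOLD_FRACTIONS = (0.0001, 0.001, 0.01, 0.02)

def revenue_thresholds(annual_revenue):
    """Dollar thresholds for the pre-generated fractions of annual revenue."""
    return [annual_revenue * f for f in THRESHOLD_FRACTIONS]

def conditional_exceedance(years, threshold):
    """P(year loss > threshold | at least one event): simulated years with no incident are dropped."""
    incident_years = [y for y in years if y]
    if not incident_years:
        return 0.0
    return sum(sum(e.loss for e in y) > threshold for y in incident_years) / len(incident_years)

def annual_likelihood(years, threshold):
    """P(year loss > threshold) over every simulated year: the Annual Events Likelihood."""
    return sum(sum(e.loss for e in y) > threshold for y in years) / len(years)

def risk_drivers(years, threshold):
    """Share of each event type among the individual events whose loss exceeded the threshold."""
    counts = Counter(e.kind for y in years for e in y if e.loss > threshold)
    total = sum(counts.values())
    return {kind: n / total for kind, n in counts.items()} if total else {}

def exceedance_curve(years, thresholds):
    """Map each threshold to (conditional exceedance probability, annual likelihood)."""
    return {t: (conditional_exceedance(years, t), annual_likelihood(years, t)) for t in thresholds}

def simulate_years(n_years, rng, annual_revenue):
    """Constructed toy generator (an assumption, not Kovrr's model): 0-3 events per year,
    each with a lognormal loss expressed as a fraction of annual revenue."""
    kinds = ["ransomware", "data breach", "business interruption"]
    return [[Event(rng.choice(kinds), annual_revenue * rng.lognormvariate(-9.0, 2.0))
             for _ in range(rng.choices([0, 1, 2, 3], weights=[0.5, 0.3, 0.15, 0.05])[0])]
            for _ in range(n_years)]

if __name__ == "__main__":
    revenue = 20_000_000_000  # constructed; matches the post's "$2 million is 0.01% of revenue"
    years = simulate_years(10_000, random.Random(1), revenue)  # the post's 10,000 simulated years
    for t, (cond, annual) in exceedance_curve(years, revenue_thresholds(revenue)).items():
        print(f"loss > ${t:,.0f}: {cond:.2%} given an incident, {annual:.2%} in the coming year")
```

With half of the toy years containing no event, the conditional figure for every threshold is roughly twice the annual one, which is the gap the post is warning readers about when it says the Materiality Analysis curves are not annual likelihoods.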
The Number of Data Records Compromised Exceedance Curve displays the likelihood of the number of data records compromised surpassing the Materiality Analysis feature’s given thresholds in the event of a data theft. These compromise thresholds of 1%, 2%, 5%, and 10% are based on both an evaluation of extensive insurance intelligence and common industry practices.
For eMerchify, should they experience a data theft incident, there is a 35.22% chance that more than 1%, or 2 thousand, of their data records will be compromised. In Figure 6, stakeholders can likewise see that if a data theft occurs, there is a 32.12% likelihood that more than 2% of records will be compromised, an 18.41% likelihood of more than 5% of records being compromised, and a small, 0.001% chance that more than 2 million records will be affected.
Just as with the financial loss thresholds, users can also explore more specific details and loss insights regarding the cases in which each of these data record compromise limits is exceeded. (For example, users can discover how likely their organizations are, on average, to experience a cyber event that results in more than 20 thousand data records being compromised within the upcoming year.)
The final exceedance curve highlighted within the new Materiality Analysis feature pertains to outage times, illuminating the likelihood of an outage duration lasting longer than each one of the listed thresholds. Kovrr chose these base values of 8, 12, 24, and 48 hours due to their alignment with common benchmarks in cybersecurity insurance waiting periods.
In Figure 7, the Outage Duration Exceedance Curve for eMerchify reveals that should there be a cyber incident in which systems go down, there is a 48.11% probability that it will last longer than 8 hours, a 41.20% probability that it will exceed 12 hours, a 38.69% probability of outlasting 24 hours, and, finally, a 32.15% probability that it will last longer than two full days.
As with the other two preliminary materiality exceedance curves, users can drill down into each of these specific outage time scenarios and explore more specific metrics, including but not limited to average event likelihood, median financial loss, and median number of data records compromised.
For each of the loss exceedance curves within Kovrr’s CRQ Materiality Analysis feature, stakeholders can create a custom loss threshold. For instance, in Figure 8, eMerchify stakeholders set a threshold of 0.25% of Annual Revenue, wanting to discover the likelihood of surpassing a financial loss of ¥50 million in the event of a cyber incident. In their case, there is a 20.05% probability that, should an event occur, this custom loss threshold will be exceeded.
Custom thresholds can similarly be set up for the number of data records compromised and outage time, allowing risk managers to explore additional scenarios that may result in a potentially materially impactful cyber incident.
For some organizations, creating a materiality determination framework that enables efficient and effective decision-making has become a legal imperative. For others, while not mandatory, this process can nevertheless lead to more optimized cyber risk management strategies that are better aligned with overall risk appetite levels. Regardless, this can be a challenging process.
Without a concrete definition of what constitutes a material impact, stakeholders can be left scrambling in the wake of cyber events, attempting to make this crucial decision while also dealing with the immense number of other consequences. It is, therefore, paramount to have quantified loss thresholds in place that can guide this materiality determination in the timely manner it necessitates.
Quantified thresholds for materiality based on financial loss, the number of data records compromised, and outage time offer robust parameters for key stakeholders and risk managers in need of a defensible materiality determination standard. Using these values, executives can ensure they are compliant with regulatory standards, transparent with stakeholders, and, most critically, addressing those risks that pose the most impactful consequences for the organization.
To learn more about the Materiality Analysis feature and how it can streamline materiality reporting, schedule a free demo today or contact one of Kovrr’s risk management experts.