Blog Post

Materiality Analysis Offers Risk Managers Data-Driven Loss Thresholds

June 24, 2024

Table of Contents

TL;DR

  • Kovrr's new Materiality Analysis feature, found within our on-demand cyber risk quantification (CRQ) platform, helps organizations determine material cyber risks and events by evaluating data-driven thresholds for financial losses, data record compression amounts, and outage durations. 
  • First, the new feature offer highlights the Financial Loss Exceedance curve, which showcases the likelihood of financial damages surpassing specific thresholds (0.01%, 0.1%, 1%, and 2% of annual revenue) should an event occur. These insights aid in understanding potential financial impacts and support strategic planning for disclosures. 
  • Next, the Number of Data Records Compromised Exceedance curve shows the probability of exceeding data record compromise thresholds (1%, 2%, 5%, and 10%) in the case of data theft. 
  • The third exceedance curve illustrates the likelihood of various outage times being surpassed should the organization experience an event that causes systems to go down. The given thresholds are 8, 12, 24, and 48 hours, which are based on commonly used cybersecurity insurance waiting periods. 
  • Within the Cyber Materiality Analysis feature, users can also explore specific scenarios for each exceedance curve. (I.e., a user may explore additional insights regarding events that will exceed a 12-hour outage time). The scenario explorer capability provides metrics such as average annual likelihood, median financial losses, likely event type, and initial attack vectors. 
  • Kovrr's Materiality Analysis also allows stakeholders to set custom thresholds for each of the loss exceedance curves (financial loss, amount of data record compromised, and outage duration), allowing them to explore additional potentially material scenarios and optimize determination frameworks. 
  • While determining materiality is complex and nuanced, using quantified, data-driven loss thresholds to guide this process can streamline disclosures that are both compliant and defensible, as well as ensure risk management strategies are optimized to tackle material cyber risks.

The Need for More Concrete Materiality Guidelines

Determining and disclosing impactful events has been a longstanding practice for organizations operating within the US market. As early as 1933, with the Securities Act, publicly traded businesses were required to disclose “material information” regarding their security environment, allowing shareholders to make more informed investment decisions.

As the Securities and Exchange Commission (SEC) was established and the marketplace’s risk landscape evolved, these reporting regulations have only become more prevalent and stringent. Nevertheless, the SEC has always remained consistent in its usage of the materiality threshold, a concept legally formalized in 1976 with the court case TSC Industries, Inc. v. Northway, Inc.

At that point, a material consequence became one in which there is “a substantial likelihood that a reasonable shareholder would consider it important” or “significantly alter the ‘total mix’” of otherwise readily available securities information. This definition is precisely the one referred to in the US SEC’s 2023 cybersecurity regulations, mandating that registrants report this type of cyber event in their Form 8-K and this level of cyber risk in their annual Form 10-K.

Across the globe, other governments have instituted that companies report material cyber events, as well. The Australian Prudential Regulation Authority (APRA), responsible for regulating and overseeing Australia’s financial sector, for example, requires that all regulated entities must "notify APRA of material information security incidents."

Likewise, the EU’s NIS 2 instructs organizations to disclose any cyber attack that has caused a "significant" impact, which is defined as having caused severe operational disruption or financial loss or having caused considerable "material" or non-material damage to other persons.

On the one hand, such a deeply ambiguous threshold is appropriate, given that what may be considered material within one organizational context may not be for another. On the other hand, this ambiguity has already caused significant challenges for companies in terms of cyber event reporting.

Undoubtedly, due to the far-reaching consequences cyber incidents often have, stakeholders feel overwhelmed by the scope of information they’d have to assess to determine materiality. Indeed, a recent survey found that less than half of organizations have established the necessary processes to quickly determine such a level of impact.

With this challenge in mind, Kovrr is pleased to introduce the groundbreaking Materiality Analysis feature, designed specifically to help organizations structure their materiality determination frameworks, remain compliant, and, ultimately, attend to their most pressing cyber risks. 

Cyber Materiality Analysis: Exploring the Likelihood of Various Losses

Figure 1: Kovrr’s Materiality Analysis, eMerchify

Materiality is both complex and nuanced, which is even more so when applied within the cyber realm. However, with the aim of supporting companies, specifically post-SEC cybersecurity ruling, Kovrr’s risk management experts conducted a comprehensive analysis of the practices leveraged by corporations worldwide across various industries and found that the best approach for materiality determination begins with a basis point of revenue loss.

Incorporating this baseline into our cyber risk quantification (CRQ) platform, Kovrr’s models then evaluate millions of real-world cyber data points, along with an organization’s unique cyber posture, to produce an objective materiality analysis. This new feature provides data-driven insights such as:

  • The likelihood of financial damages exceeding specific loss thresholds in the event of a cyber incident
  • The likelihood of the number of data records compromised exceeding specific amount thresholds in the event of a cyber incident
  • The likelihood of an outage duration exceeding specific time thresholds in the event of a cyber incident
  • A drill-down of each of the potential materiality scenarios, highlighting the average annual likelihood of experiencing such an event and the specific event statistics. 
  • A drill-down of each of the potential materiality scenarios, illuminating both the specific event types and initial attack vectors that may be used to gain a foothold in the network that may cause such losses to occur. 
  • The likelihood of various custom thresholds being exceeded in the event of a cyber incident. 

Each of these metrics helps risk managers, cybersecurity leaders, and executive stakeholders better understand their material cyber risk landscape, enabling them to create a robust, defensible materiality determination framework for efficient decision-making. Likewise, they aid in discussions of determining risk appetite levels and capital allocation, providing the data-driven insights necessary to develop optimized strategies and achieve a state of cyber resiliency.

Financial Loss Exceedance Curve

Figure 2: Financial Loss Exceedance Curve, Materiality Analysis, eMerchify

The financial loss exceedance curve illustrates the likelihood of an organization experiencing a cyber event that causes financial damage to surpass various thresholds. The new Materiality Analysis feature provides the pre-generated loss thresholds of 0.01% (basis point of revenue), 0.1%, 1%, and 2% (aligning with GDPR fine calculations) of annual revenue.

For example, in Figure 2, Kovrr’s CRQ models forecasted that if eMerchify falls victim to a cyber incident, there is a 35.88% chance that the ensuing financial losses will exceed 0.01% of their annual revenue, which, in their case, is $2 million. Similarly, there is a 26.73% likelihood that, should an event take place, costs will go over the threshold of 0.1% of their annual revenue, or $20 million.

Within each exceedance curve (financial loss, number of data records compromised, and outage duration), the platform also highlights the average loss severity, offering additional information for strategic and fiduciary planning. 

The Process of Generating Materiality Loss Exceedance Curves

To forecast the likelihood of events exceeding various damage thresholds, Kovrr harnesses the Monte Carlo statistical analysis. Taking into account the various predetermined thresholds (i.e., 0.01%, 0.1%, etc.), an organization’s specific risk landscape (e.g., security controls, industry, geographic location), and millions of external global intelligence data points, the Monte Carlo approach simulates the upcoming year 10,000 times.

Each of these 10,000 ‘years’ is considered a potential scenario or a forecast of the loss the organization will face due to cyber activities. In some simulations, or ‘years,’ cyber events do not occur at all. When calculating the loss exceedance curves for the Materiality Analysis, Kovrr’s models do not take into account those non-incident-occurring years.

Therefore, unlike the typical exceedance curves found throughout other components of Kovrr’s CRQ platform, which reveal annual likelihoods, the likelihoods highlighted in the Materiality Analysis loss exceedance curves, whether for financial damage, the number of data records compromised, or outage time, reflect the probability of surpassing that threshold without the parameters of a time frame.

To learn more about Kovrr’s methodology, contact one of our risk experts or explore our knowledge base, Trust.Kovrr.

However, if cybersecurity leaders and other key stakeholders want to gauge the likelihood of experiencing an event that results in the exceedance of a specific loss threshold, the novel Materiality Analysis feature determines this as well. 

Scenario Drill Down: An Event Exceeding a Specific Loss Benchmark

Figure 3: Exploring a Specific Loss Scenario, Financial Loss Exceedance Curve, Materiality Analysis, eMerchify

The Materiality Analysis feature allows Kovrr’s CRQ users to drill down to more specific details regarding a potentially material cyber event. For instance, by exploring the scenario in which eMerchify experiences a loss of 1% annual revenue, customers can discover how likely the organization is to experience losses that exceed that monetary amount ($200 million) within the upcoming year, along with other key event statistics.

Users can zoom in on these specific scenario insights for any of the preprogrammed thresholds within any of the loss categories, not only the financial. As such, the scenario explorer capability within Materiality Analysis is likewise available for the benchmarks provided loss exceedance curves for data record amount compromise and outage time duration.

Average Annual Events Likelihood and Event Statistics

Figure 4: Explore Scenario, Event Statistics, Financial Loss Exceeding $200 million, Materiality Analysis, eMerchify

After drilling down into the specific scenario chosen, risk managers have access to a wide range of interesting metrics that can be used to help plan for a potentially material event and ensure mitigation resources are optimized. In Figure 4, eMerchify stakeholders have opted to explore their organization’s risk of experiencing an event that will cost them upwards of $200 million. 

For example, the Annual Events Likelihood describes the probability of eMerchify experiencing an event within the upcoming years that will exceed a financial loss of  $200 million, which, in this case, is 1.43%. The Event Statistics section offers even more data, summarizing the impact of events generated in the Monte Carlo simulations that exceed the financial loss threshold. 

For eMerchify, this means that in the instance that the organization does fall victim to an attack that results in more than a $200 million loss:

  • The median cost of said event is $212.3 million.
  • The media outage duration time is 9 hours.
  • The data record compromise amount is 1 million.

Event Types and Initial Attack Vectors 

Figure 5: Explore Scenario, Risk Drivers, Financial Loss Exceeding $200 million, Materiality Analysis, eMerchify

Within the scenario exploration, Kovrr’s Materiality Analysis feature also illuminates a breakdown of the event types that will exceed the loss threshold, as well as the initial attack vectors that may be used to gain a foothold in the network. For example, in Figure 5, out of all the events in the simulation that resulted in a financial loss of more than $200 million, 47.95% were ransomware attacks, 29.35% were data breaches, and 22.7% were business interruptions.

Similarly, of the events that eMerchify experienced that caused more than $200 million worth of damage, 34.4% were initiated via a phishing scam, %14.56 were initiated via a trusted relationship, and 14.43% were due to human error. The event types and initial vectors, or Risk Drivers, provide cybersecurity and risk professionals with the information necessary to create a priority-based cyber mitigation strategy to combat material risks. 

Number of Data Records Compromised Exceedance Curve

Figure 6: Number of Records Compromised Exceedance Curve, Materiality Analysis, eMerchify

The Number of Data Records Compromised Exceedance Curve displays the likelihood of the number of data records compromised surpassing the Materiality Analysis feature’s given thresholds in the event of a data theft. These compromisation thresholds of 1%, 2%, 5%, and 10% are based on both an evaluation of extensive insurance intelligence and common industry practices.

For eMerchify, should they experience a data theft incident, there is a 35.22% chance that more than 1%, or 2 thousand, of data records will be compromised. In Figure 6, stakeholders can likewise see that if a data theft occurs, there is a 32.12% likelihood that more than 2% of records will be compromised, an 18.41% likelihood of upwards of 5% data record compromisation, and a small, 0.001% chance that more than 2 million records will be affected. 

Just as with the financial loss thresholds, users can also explore more specific details and loss insights regarding the cases in which each of these data record compromisation limits are exceeded. (For example, users can discover how likely their organizations are, on average, to experience a cyber event that results in more than 20 thousand data records being compromised within the upcoming year.) 

Outage Duration Exceedance Curve

Figure 7: Outage Duration Exceedance Curve, Materiality Analysis, eMerchify

The final exceedance curve highlighted within the new Materiality Analysis feature pertains to outage times, illuminating the likelihood of an outage duration lasting longer than each one of the listed thresholds. Kovrr chose these base values of 8, 12, 24, and 48 hours due to their alignment with common benchmarks in cybersecurity insurance waiting periods.

If Figure 7, the Outage Duration Exceedance Curve for eMerchify reveals that should there be a cyber incident in which systems go down, there is a 48.11% probability that it will last longer than 8 hours, a 41.20% probability that it will exceed 12 hours, a 38.69% probability of outlasting 24 hours, and, finally, a 32.15% probability that it will last longer than two full days. 

As with the other two preliminary materiality exceedance curves, users can drill down into each of these specific outage time scenarios and explore more specific metrics, including but not limited to average event likelihood, media financial loss, and median number of data records compromised.

Custom Scenario Loss Thresholds

Figure 8: Custom Threshold Creation, Materiality Analysis, eMerchify

For each of the loss exceedance curves within Kovrr’s CRQ Materiality Analysis feature, stakeholders can create a custom loss threshold. For instance, in Figure 8, eMerchify stakeholders set a threshold of 0.25% of Annual Revenue, wanting to discover the likelihood of surpassing a financial loss of ¥50 million in the event of a cyber incident. In their case, there is a 20.05% probability that, in the case of an event, this custom loss threshold will be eclipsed.

Custom thresholds can similarly be set up for the number of data records compromised and outage time, allowing risk managers to explore additional seniors that may result in a potentially materially impactful cyber incident.

Leveraging Data-Driven Loss Thresholds for Materiality Determination

For some organizations, creating a materiality determination framework that enables efficient and effective decision-making has become a legal imperative. For others, while not mandatory, this process can nevertheless lead to more optimized cyber risk management strategies that are better aligned with overall risk appetite levels. Regardless, this can be a challenging process. 

Without a concrete definition of what constitutes a material impact, stakeholders can be left scrambling around in the wake of cyber events, attempting to make this crucial decision while also dealing with the immense number of other consequences. It is, therefore, paramount to have a quantified loss in thresholds in place that can guide this materiality determination in the timely manner it necessitates. 

Quantified thresholds for materiality based on financial loss, the number of data records compromised, and outage time offer robust parameters for key stakeholders and risk managers in need of a defensible material determination standard. Using these values, executives can ensure they are compliant with regulatory standards, transparent with stakeholders, and, most critically, addressing those risks that pose the most impactful consequences on the organization. 

To learn more about the Materiality Analysis feature and how it can streamline materiality reporting, schedule a free demo today or contact one of Kovrr’s risk management experts.

Amir Shur

VP R&D

More Blog Posts
Explore All Blog Posts
Industry Recognition