January 4, 2024
In response to the growing number of malicious actors that have managed to exploit cybersecurity vulnerabilities and cause irreparable damage to organizations, governments worldwide have decided to intervene, recognizing a need for a systematic approach to safeguarding national assets. Helping to lead the way in this institutionalized effort is the Australian Prudential Regulation Authority (APRA).
APRA is responsible for regulating and overseeing Australia’s financial sector, including banks, insurance providers, credit unions, and retirement funds. While functioning as an independent body, they are answerable to the Australian Parliament. Over the past decade, APRA has released multiple standards to ensure that all included entities prioritize the management and governance of these prevailing cyber risks, intending to forge a more secure cyber landscape.
Among these standards, CPS 234, adopted in 2019, and CPS 230, set to be officially enacted in 2025, stand out as particularly significant. The former specifically addresses information security, while the latter more broadly focuses on operational risk management. Both, however, mandate that APRA-registered companies be sufficiently prepared for cyber risks and establish robust cybersecurity programs that ensure business resiliency in the case of an event.
While these regulations offer prescriptive guidance for what organizations must do to protect their critical data, there is much left unwritten about how to do so, particularly when it comes to discovering and disclosing “material” cyber events and risks. Indeed, without a strong definition of materiality, many organizations have found it challenging to know what is expected of them in terms of reporting and have consequently sought market solutions for support.
In their exploration, risk managers have stumbled upon financial cyber risk quantification (CRQ), an assessment methodology that calculates event likelihood and forecasts the financial impact. With this information, they have found it then becomes much easier to establish data-driven thresholds that provide a defensible basis for materiality determination.
In an age when the digital landscape is replete with ever-evolving, increasingly sophisticated cyber threats, defining material cyber risks becomes paramount for organizations to fortify their defenses. Similarly, adhering to government rulings, such as those put forth by APRA, not only ensures a unified approach to combating cyber attacks but also cultivates a resilient cyber environment for all.
In addition to being able to meet the related CPS 234 and 230 requirements more efficiently, defining materiality helps organizations develop cost-effective cyber mitigation strategies that prioritize the most significant risks. Nowadays, it’s nearly impossible to address all of a company’s cyber vulnerabilities. Having an idea of which risks may materially affect operations, however, is key for knowing which initiative to invest in first.
Sharper definitions also provide risk managers and CISOs (Chief Information Security Officers) with a roadmap, indicating when higher-level involvement may be prudent. Quantifying risk and materiality thresholds ensures that incidents are reported to the board in a timely manner. Plus, the quantification gives CISOs a basis for conclusion, allowing them to clearly explain in broader business terms why they believe the risk or incident to be material.
CPS 234 stipulates that all regulated entities must "notify APRA of material information security incidents." This notification should be submitted as quickly as possible, but the organization has a maximum of 72 hours to do so. This tight timeframe aims to facilitate swift communication and maintain essential transparency.
Beyond disclosing incidents with an evident material impact, organizations are obligated to report events that had "the potential to materially affect" the entity or key stakeholders' interests. Essentially, reporting is required even if the damage is not ultimately deemed material, as long as there is a significant chance it may have resulted in significant loss under different circumstances.
The information security regulation also requires that relevant companies notify APRA after they become aware of any material "control weakness" that they anticipate being unable to address promptly. The organization should communicate this weakness as soon as possible, with a deadline of no more than ten days.
Prudential Standard CPS 230 is much broader in scope, incorporating cyber risk into a wider operational framework and addressing material risks and incidents much more frequently than CPS 234. Still, like Standard 234, 230 also requires notification of a material event within 72 hours and makes a point of stressing that materiality can be determined both on financial and non-financial standards.
Additionally, the operational risk management regulation outlines the need for entities to remediate “material” system vulnerabilities. However, 230 offers a bit more insight into what constitutes materiality, closely aligning it with the disruption of critical operations beyond risk tolerance levels. These levels are defined as:
Another key aspect of CPS 230 in terms of materiality is the inclusion of the assessment of third-party service providers and their relevant risks. By July 2025, all regulated entities must document their approach to assessing and subsequently addressing the material risk that comes along with the engagement of these third parties.
Although clearer guidance on what constitutes a materially impactful risk or incident undoubtedly would help to streamline the disclosure process, allowing CISOs and risk personnel to focus their resources on mitigation rather than reporting, the importance of the term's inherent subjectivity cannot be ignored. Every organization is unique, and what qualifies as "material" should, therefore, be defined within that specific context.
To facilitate the determination process, it's crucial that CISOs translate risk into broader business terms. Armed with these insights, higher-level stakeholders can then evaluate the consequences of a cyber attack according to respective factors such as risk tolerance and appetite levels, industry, annual revenue, type of data compromised, and more. Based on these components, among others, these executives can then define what material means to their individual companies.
Unfortunately, APRA's lack of definition for "material" leaves too much room for interpretation, leaving many organizations struggling with where to start when it comes to their disclosures. Their confusion underscores the need to begin the materiality determination journey with quantified benchmarks, offering stakeholders a baseline understanding of the type of events APRA considers "material enough" to report.
Predetermined quantified thresholds offer CISOs and executives an all-too-needed starting point for defining material impact. These objective starting points provide a measurable standard for evaluating the significance of cybersecurity incidents, fostering a more consistent approach to risk assessment and incident response planning.
Moreover, these benchmarks simplify the communication process with stakeholders, setting clear guidelines for when CISOs will need to escalate the situation or handle it internally and ensuring resources are optimally allocated.
After researching organizational practices worldwide throughout multiple industries, risk experts from Kovrr, a leading provider of CRQ solutions, concluded that the most common approach for determining materiality began with a basis point of revenue. Indeed, when the CISO translates a cyber risk's or incident's impact into financial repercussions, it's much easier for risk owners to comprehend.
Leveraging a benchmark of 0.01% loss of revenue, stakeholders can make a preliminary decision to explore the risk or impact further in the context of reporting it to APRA. While a risk that would result in less than 0.01% of revenue should not be ignored, it most likely would not need to be included in any disclosure. Having a clear delineation between material and not makes the disclosure process much more straightforward.
When APRA-registered corporations and entities harness CRQ platforms, executives can clearly visualize the types of risks they face and how much financial damage these risks have the potential to cause. Using this information along with the basis point of revenue, they can decide whether the risk is worth mitigating, or if an event occurs, they can quickly determine whether it needs to be disclosed.
Particularly valuable is the Cyber Materiality Report, a unique dashboard offered by Kovrr that quantifies the loss potential of expected cyber events according to an organization's specific risk profile, measures the probability of that loss occurring, and recommends clearly defined, data-driven preliminary materiality thresholds.
In addition to revenue loss, Kovrr's one-of-a-kind report also provides quantified benchmarks for materiality according to the number of records lost and total outage time. For example, as shown in the dashboard above, even if an organization does not suffer a loss of $2 million, a loss that resulted in 26 hours of downtime may still qualify as material.
Ultimately, materiality should be determined on a case-by-case basis. However, having data-driven benchmarks based on an organization's unique cybersecurity risk posture helps stakeholders navigate the APRA's regulatory and reporting landscape. Moreover, these benchmarks ensure that entities have the information necessary to mitigate high-priority risks and minimize loss when the inevitable cyber incident occurs.
Discover how the Cyber Materiality Report can help your organization mitigate material risk and adhere to regulatory standards by contacting Kovrr's CRQ experts or signing up for a free demo today.
February 15, 2024
Combining traditional cyber risk methods with CRQ turns ambiguity into actionable data for CISOs, driving informed decision-making.
February 12, 2024
Risk Progression feature empowers CISOs and CRQ users to inspect and understand the changes in their cyber risk over time.