A Memo on Cyber Materiality
So there I was the other day, pondering that new Securities and Exchange Commission rule for expanded disclosure of cybersecurity issues, when my phone rang. It was my friend the cybersecurity auditor. “Hey,” he said, “I have an idea for how companies can prepare for that new rule about disclosing cybersecurity stuff.”
I was intrigued. The rule goes into effect in three weeks, including the nettlesome provision that companies will need to disclose “material cybersecurity incidents” on Form 8-K within four business days of the company determining that an incident was indeed material. Note that the clock starts at the materiality determination, not at discovery of the incident, which is exactly why a repeatable way to reach that determination matters.
This means companies will need to assess the materiality of cybersecurity attacks in both quantitative and qualitative dimensions. That’s going to be hard to do. So what idea did my friend the cybersecurity auditor have in mind?
“Well,” he said, “what if our company drafts a memo that defines our quantitative and qualitative cybersecurity risks?”
Hmmm, I replied. That sounds like a great idea, but you’d need to draft the memo thoughtfully and then handle it with care once the document exists. Could your company do both of those things?
“I think so,” my friend the cybersecurity auditor said. “Let me describe the idea here.”
Actually, let me first describe why my friend and I were talking about this subject at all. He had seen the recent news about hackers attacking a technology company in California. When the victim company ignored the hackers’ ransom demands, the hackers filed a complaint with the SEC about their own attack, accusing the victim company of violating SEC disclosure rules.
Here’s the thing, though: companies are only required to disclose material cybersecurity attacks. If a company determines that an attack isn’t material, then the company has no obligation to disclose anything — and those hackers threatening to tattle to the SEC can go pound sand.
So if telling hackers to go pound sand is something you’d want to do, you’ll need a solid, reliable process to assess the materiality of cybersecurity incidents. Which brings us back to my friend the cybersecurity auditor.
The Process Behind the Memo
My friend’s concept of a cyber materiality memo wasn’t that complicated, really. Somebody in charge of cybersecurity compliance — CISO, privacy officer, director of external reporting, or some other role — just needs to prod other senior executives to define what materiality means to them. Then memorialize those thoughts in a memo, so that when attacks happen in the future, you already have guidelines that will force you to assess materiality in an objective, disciplined way.
Who would be involved in those conversations? The CISO and general counsel, obviously; the privacy officer and head of internal audit too, and possibly the heads of other business units as well. One good practice would be that if your company already has an in-house compliance committee that talks about cybersecurity, every member of that committee should have an opportunity to participate.
For example, you could go to the CFO and ask him or her to set a threshold for quantitative materiality. Would you just use the same materiality threshold already set for Sarbanes-Oxley compliance? That has the benefit of simplicity, but it also assumes that materiality in cybersecurity and in internal control over financial reporting are the same thing. Are we sure that’s the case?
Indeed, my friend recommended not using the SOX materiality threshold for cyber incidents. Cyber attacks happen at large companies every day, he argued, so if you set your quantitative materiality threshold at the low bar of SOX materiality, you could end up disclosing a constant stream of attacks that cause low-dollar damage. Is all that disclosure really useful to investors? Or does it devolve into white noise?
Instead, my friend said, the compliance officer should (politely) push the CFO: “Give me an estimate for a quantitative materiality number, but you’re not allowed to say it’s the SOX number.” Then see what he or she says.
Maybe the answer will be a 5 percent increase in the company’s cost basis, or a 5 percent loss of revenue. Maybe it will be some blend of the two, or some other threshold. My friend’s point was simply that this is an important conversation to have.
That’s even more true for qualitatively material incidents — incidents that don’t lead to significant financial harm, but do suggest deep weaknesses in the company’s cybersecurity regime. For example, the incident might be a failure of IT general controls, leaving people to wonder what other IT risks you’re not managing; or it might be a persistent tendency to fall for phishing attacks, which suggests that your employee training stinks.
Defining qualitative materiality is inherently tricky. It involves lots of subjective judgment, and subjective judgment is the sort of thing plaintiff lawyers love to second-guess in shareholder lawsuits. It also tends to be dissected by regulators, another unpleasant experience.
So the more that you can define thresholds for qualitative materiality in advance, complete with examples, and rationales for each one, the better. Otherwise you end up defining those thresholds during the pressure of a specific attack, and that pressure inevitably tempts people to fit their assessment standards to the facts at hand. It’s supposed to be the other way around.
Materiality Memo as a Tool
Once the memo comes into form, auditors and compliance officers should bring it to senior management and the board for approval. After all, the point here isn’t simply to generate a document that can be used as a checklist to evaluate whether a cybersecurity incident is material; the point is also to compel senior leadership to engage with cybersecurity risk in a serious way.
Then, my friend said, review the memo annually to see whether any changes are necessary. Why? For several reasons.
First, external auditors might be performing their own assessment of your material cybersecurity risks. An updated memo would show that you’re trying to keep pace with evolving risk, which might satisfy the auditors so they’ll go away.
Second, you might suffer an attack that becomes public knowledge by some other means, and the share price drops. Regulators or plaintiff lawyers might seize on that to say your materiality assessment was flawed. Again, an updated memo will show that you’re at least trying to grapple with the issues, which is far better than dusting off a memo years out of date.
Of course a memo such as this could bring litigation risks, and would need to exist under attorney-client privilege. Privilege does not attach just because the document is sensitive: the memo should be prepared at the direction of counsel for the purpose of obtaining legal advice, and circulating it widely outside that context can waive the protection. (If any securities litigators out there can see other risks, I’d love to hear them; email me at [email protected].)
The larger issue, however, is that hackers will try to weaponize the SEC’s cybersecurity disclosure rules against companies. That’s one more headache compliance officers and CISOs don’t need. If a memo along the lines of what my friend the cybersecurity auditor envisions can serve as a prophylactic to neutralize this ridiculous new threat, why not use it?