August 15, 2024 at 08:14AM
Cybersecurity leaders need to navigate the SEC’s cybersecurity disclosure regulations carefully. The SEC’s guidance on financial condition and results of operations offers a starting point for CISOs to determine materiality; the article suggests a loss of 0.01% of annual revenue as a preliminary threshold for material cyber events. This quantitative framework, combined with qualitative impacts, can aid in making informed disclosure decisions, ensuring compliance and transparency.
From the meeting notes, the key takeaways for cybersecurity leaders navigating the US SEC’s cybersecurity disclosure regulations regarding material cyber events and risks are as follows:
1. The SEC’s guidance on materiality refers to an issuer’s financial condition and results of operations, which can be used as a basis for assessing material cyber risks and incidents.
2. Organizations can consider using a 0.01% loss of annual revenue as a preliminary starting point for determining material cyber events.
3. CISOs should engage with key stakeholders to explore different financial loss scenarios and align the monetary threshold with the organization’s risk appetite and tolerance levels.
4. Apart from the percentage of revenue loss, organizations can also use operational loss metrics, such as the number of compromised data records or the duration of an outage, to define material cyber events.
5. Once internal materiality benchmarks are established, CISOs can quantify the likelihood that these loss values will be exceeded (for example, as an annual exceedance probability), which is valuable for complying with SEC disclosure regulations.
6. Quantitative thresholds can guide the assessment of a cyber event’s impact and assist in efficiently reporting financial and operational losses within the required timeframe (under the SEC rule, a Form 8-K Item 1.05 disclosure is due within four business days of determining that an incident is material).
7. It’s essential for organizations to consider qualitative impacts as well, such as the impact on key customers or regulatory fines, in addition to the quantified impact of cyber events.
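The following Python sketch is an added illustration of the methodology in points 2 through 7 and is not code from the article or from the SEC. It assumes hypothetical operational thresholds (1,000,000 compromised records, 24 hours of outage) alongside the 0.01% revenue threshold, and assumes a simple Poisson-frequency, lognormal-severity loss model to estimate the probability that a year’s cyber losses exceed a given threshold; the model parameters are constructed for the example and are not derived from any real organization.

```python
import math
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MaterialityThresholds:
    """Internal materiality benchmarks agreed with stakeholders (point 3)."""
    annual_revenue: float
    revenue_fraction: float = 0.0001      # 0.01% of annual revenue, the article's starting point
    max_records: int = 1_000_000          # hypothetical operational threshold (assumption)
    max_outage_hours: float = 24.0        # hypothetical operational threshold (assumption)

    @property
    def loss_threshold(self) -> float:
        return self.annual_revenue * self.revenue_fraction


@dataclass(frozen=True)
class CyberIncident:
    name: str
    estimated_loss: float
    records_compromised: int
    outage_hours: float
    # Qualitative factors (point 7), e.g. "key_customer_impact", "regulatory_fine"
    qualitative_flags: tuple = field(default_factory=tuple)


def assess_materiality(incident: CyberIncident, t: MaterialityThresholds):
    """Return (material, reasons, needs_qualitative_review).

    An incident is flagged material when any quantitative threshold is met.
    Qualitative flags do not decide materiality on their own; they send the
    incident to stakeholder review even when it is below every threshold.
    """
    reasons = []
    if incident.estimated_loss >= t.loss_threshold:
        reasons.append(f"loss {incident.estimated_loss:,.0f} >= {t.loss_threshold:,.0f}")
    if incident.records_compromised >= t.max_records:
        reasons.append(f"records {incident.records_compromised:,} >= {t.max_records:,}")
    if incident.outage_hours >= t.max_outage_hours:
        reasons.append(f"outage {incident.outage_hours}h >= {t.max_outage_hours}h")
    needs_review = bool(incident.qualitative_flags) and not reasons
    return bool(reasons), reasons, needs_review


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of incidents in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(n_years: int, events_per_year: float,
                           median_loss: float, sigma: float, seed: int = 1):
    """Monte Carlo: total cyber loss per simulated year (assumed model)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    totals = []
    for _ in range(n_years):
        k = _poisson(rng, events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(k)))
    return totals


def exceedance_probability(annual_losses, threshold: float) -> float:
    """Fraction of simulated years whose total loss meets the threshold (point 5)."""
    return sum(1 for x in annual_losses if x >= threshold) / len(annual_losses)


if __name__ == "__main__":
    thresholds = MaterialityThresholds(annual_revenue=2_000_000_000.0)
    # Constructed sample incidents, not real events
    ransomware = CyberIncident("ransomware", 450_000.0, 20_000, 36.0, ("key_customer_impact",))
    phishing = CyberIncident("phishing", 12_000.0, 150, 0.5, ("regulatory_fine",))
    for inc in (ransomware, phishing):
        print(inc.name, assess_materiality(inc, thresholds))
    losses = simulate_annual_losses(5000, events_per_year=3.0, median_loss=50_000.0, sigma=1.2, seed=7)
    print("P(annual loss >= threshold):", exceedance_probability(losses, thresholds.loss_threshold))
```

The exceedance probability is what a CISO would bring to the materiality discussion: it tells stakeholders how often the chosen threshold is expected to be crossed under the assumed loss model, which is a direct check on whether the threshold matches the organization’s stated risk tolerance.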
In summary, adopting a standardized methodology based on quantified thresholds for materiality assessments is a practical approach to providing transparent and consistent information to shareholders in alignment with SEC regulations.