A CISO's Guide to Materiality and Risk Determination

COMMENTARY

2024 is shaping up to be a landscape of unparalleled volatility in cybersecurity. With regulatory shifts, third-party service incidents, and looming economic uncertainties, the need for board engagement in risk management programs is critical.

It also has dollars attached to it. Data breaches are two to three times more expensive for organizations in which boards aren't actively involved in cyber discussions. There is also a growing demand for CISOs to find innovative ways to communicate their company's risk environment with stakeholders.

In addition, regulators are imposing new fiduciary requirements. For example, the US Securities and Exchange Commission's cyber regulations mandate the disclosure of "material" cyber incidents within four days of determining an event's materiality in an attempt to align boards with this growing cyber threat. The rulings also require annual disclosure of material risks and how the company manages them.

CISOs are using agreed-upon materiality definitions to communicate risk to senior executives and boards. This helps them clarify what materiality means for their particular organization and evaluate the likelihood of cyber incidents. But for many CISOs, materiality remains an ambiguous term, open for interpretation based on an organization's unique cybersecurity environment.

Determining Material Loss With Industry Benchmarks

The core of the confusion around materiality is determining what constitutes a "material loss." It's a challenging, but essential, discussion to initiate. The most explicit industry definition published so far — by Dr. Jack Freund, chief risk officer of Kovrr and Distinguished ISSA Fellow, and Natalie Jorion, who formulated the Freund-Jorion Cyber Materiality Heuristic — assesses materiality as 0.01% of the prior year's revenue, equating to approximately one basis point of revenue. (As we will see below, this equates to approximately an hour's worth of revenue for Fortune 1000 companies.)

By testing different thresholds against industry benchmarks, organizations can gain a clearer understanding of their vulnerability to material cyberattacks. Kovrr recently modeled the expected cyber incidents experienced by the US Fortune 1000 companies. Each organization was analyzed according to a tailored collection of events and responses from security controls, producing a cyber risk quantification (CRQ) assessment that revealed the likelihood and cost of each event according to industry.

The "Fortune 1000 Cyber Risk Report" estimates the probability for a company in the Fortune 1000 to experience cyber losses totaling more than a threshold. For instance, the model evaluates the probability of experiencing cyber losses totaling $50 million, which amounts to roughly 1.2 days of revenue. Although significant, this may be considered materially low. A $100 million incident equates to 2.4 days of revenue, and a $500 million incident represents nearly two weeks of operations — undoubtedly a material loss for the average Fortune 1000 company.

To put these figures into context, the average annual revenue of a company in the Fortune 1000 is approximately $15 billion, and daily revenue is approximately $41 million. This is a more practical interpretation of the model results, which can support financial planning.

Average expected probability of event severity. Source: The Fortune 1000 Cyber Risk Report (Peter Dyson, Kovrr, November 2023)

The chart above illustrates the probability of organizations within a specific industry experiencing a loss according to magnitude, which can result from a single significant event or a series of smaller incidents pointing to weaknesses in an organization's cybersecurity posture.

Notably, the finance and real estate, retail trade, utilities, and oil, gas extraction, and mining industries all have a higher than 10% chance (1 in 10) of cyber events costing their businesses more than $50 million (within 12 months) and a more than 5% chance (1 in 20) of costing more than $100 million.

While a 1 in 10 chance of experiencing an event that costs an organization one day of revenue sounds like a high probability, if the incident were reduced to one hour, the probability would be much higher.

Defining Materiality to Protect Against Material Events

CISOs can employ a number of strategies to determine materiality thresholds, enabling them to make the necessary investments in the business areas that are most prone to material risk. With sharp definitions, executives and cybersecurity leaders can collaborate and make data-driven decisions that accurately reflect an organization's threat landscape.

First, CISOs should identify which event drivers are most likely to spur a material loss within their given industry. Although there are overarching trends, including the high cost of data breaches, a more honed assessment is necessary. For example, the chart below, which shows the median (most likely) cost of events by type, reveals that extortion and services provider events have a higher risk for many organizations.

Event severity by type. Source: The Fortune 1000 Cyber Risk Report (Peter Dyson, Kovrr, November 2023)

Through financial insights provided by a CRQ solution, CISOs can effectively communicate the benefit of improving controls, postures, and security practices with the board, demonstrating the potential reduction in material event likelihood and overall cost.

Finally, it's crucial to monitor organizational risk on an ongoing basis. The external threat environment and cost of remediation are subject to regular changes.

Although 2024 is set to be one of the most challenging years for cybersecurity personnel, implementing a data-driven framework that clearly defines material loss can facilitate more straightforward discussions with the board and promote a culture of cyber resiliency.