This guide shows how you can use X-Analytics to improve cyber risk management, strategy, and governance, and how you can use X-Analytics to support the materiality process for incident disclosure.
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. You can find the full release here.
Throughout this guide, we will dissect each element of the SEC release and show how X-Analytics can help. This guide does not replace your business's materiality assessment process conducted by the officers responsible for SEC reporting, does not assume authority or responsibility for compliance with SEC rules, and does not represent a legal opinion regarding SEC rules, incident disclosures, materiality assessments, and how much information should or should not be shared post cyber incident.
Within this guide, you will learn:
What is material to investors?
The second paragraph of the SEC release states, "Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors".
For many within the cybersecurity field, do we know the definition of materiality? Is it the role of the CISO to determine materiality?
The determination of materiality is not straightforward and nor should it be the role of the CISO to determine materiality. The law firm of Vinson & Elkins wrote an excellent article on this topic. In summary, they provide a list of the types of material cybersecurity incidents and risk that may warrant disclosure:
Incident violating a company's security policies or procedures...
Incident affecting a company's reputation...
Incidents affecting a company's financial position...
Incident disturbing a company's relationship with either its customers or suppliers...
Incident affecting a company's operations...
Individually immaterial incidents that are material in aggregate...
In other words, the definition of materiality is broad, complex, and unique to every business. As related to cyber, this could include:
incidents due to malice or error
incidents related to confidentiality, integrity, and availability
incidents resulting in data breach, business interruption, misappropriation (including theft of intellectual property, theft of funds, and manipulation of critical services), and ransomware.
To take pressure off the CISO, the CISO only needs to support the business's materiality assessment process by providing requested information from the corporate officers responsible for SEC reporting. This could include a description of the incident, estimated financial damage, prioritized remediation guidance, and other.
The SEC developed the SEC's material cybersecurity disclose rule to "benefit investors, companies, and the markets connecting them".
How can X-Analytics help with the business's materiality assessment process?
The third paragraph of the SEC release states, "The new rule will require registrants to disclose on the new Item 1.05 of Form 8-k any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing."
As previously suggested, the role of the CISO is to support the business's materiality assessment process by providing requested information. X-Analytics can help this CISO with this function.
Since the CISO is not directly responsible for assessing materiality, the CISO just needs to provide objective metrics when requested. Just like the CFO should not alter company expenses, the CISO should not alter estimated impacts, probability, worst-case outcomes, and prioritized guidance.
Request Example: Use X-Analytics to estimate financial impact.
Within X-Analytics, go to the Report Center and select Cyber Impact Estimator. Within the Impact Summary tab, locate the loss category that associates with your cyber incident, and select the loss detail (such as volume of breached records or duration of interruption incident).
In the above screenshot, data breach was the associated loss category, and 10 million records was the loss detail. X-Analytics illustrates the financial estimates across a range from low to high.
Low = in 90% of the cases, the impact will be at least this much.
Median = in 50% of the cases, the impact will be at least this much.
High = in 10% of the cases, the impact will be at least this much.
Worst-Case = in 3% of the cases, the impact will be least this much.
If needed, each loss lookup also includes the incident probability. The business may use probability to understand future possibility of a repeated incident and to better understand the current incident.
Additional loss lookup guidance is below:
Data Breach: For data breach, select the number of records compromised within the incident.
Interruption (DoS Attack): For interruption (DoS attack), select the duration of the incident. This selection is only related to denial-of-service related interruption incidents.
Interruption (Other): For interruption (Other), select the duration of the incident. This selection is related to malice- and error-based incident that are not related to denial-of-service attacks.
Misappropriation of IP: For misappropriation of intellectual property, select the value of intellectual property, in relation to revenue, which the thief stole.
Misappropriation of Funds: For misappropriation of funds, select the value of electronic funds, in relation to revenue, which the thief stole.
Misappropriation of Services: For misappropriation of services, select the value of critical services, in relation to revenue, which the attacker compromised.
Ransomware: For ransomware, select the duration of the incident.
Ransomware + Data Breach: For a ransomware incident that includes a data breach, select:
data breach and select the number of records compromised within the incident,
and ransomware and select the duration of the incident.
Special Note: You will need to combine both estimates for total estimated loss.
The X-Analytics loss lookup process is efficient and easy, which helps your business meet filing deadlines.
Request Example: Use X-Analytics to estimate prioritized mitigation.
Within X-Analytics, go to the Report Center and select Cyber Risk Details. Within the Summary tab, select the risk scenario that associates with your cyber incident. This selection will open a new window, which contains notes and recommendations.
As an example, the data breach incident was associated with a web application attack that intersected with a critical server. The new window contains threat guidance, asset guidance, and a prioritized list of the most effective controls for reducing the probability of a similar incident in the future.
The above guidance is a guideline. Each business will need to interpret and modify the guidance for their particular purpose.
How can X-Analytics help improve cyber risk management, strategy, and governance?
The fourth paragraph of the SEC release states, "The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K."
X-Analytics is a complete system, method, and apparatus for measuring, modeling, reducing, developing, addressing, and communicating a business's cyber risk resilience strategy. X-Analytics can help you improve your cyber risk management, strategy, and governance by:
aligning threat and your business's exposure profile to potentially material cyber impacts,
revealing how your current cyber maturity is already offsetting future cyber exposures,
prioritizing risk mitigation options to further reduce future cyber exposure,
illustrating risk transfer benefits and gaps,
and showing what has changed (for better or worse) since last quarter.
Use X-Analytics to understand your threat condition.
Within X-Analytics, go to the Report Center and select Cyber Risk Details. Within the Threat tab, you can understand your current threat condition, you can see if your threat condition is better or worse than industry benchmark, you can see which threats represent the most risk to your business, and you can see if your threat condition is improving or worsening.
If you are not satisfied with your threat condition, then you have options:
Unsatisfactory threat condition.
Mitigate: monitor and block threat.
Transfer: cyber insurance and third-party contracts.
Remove/Reduce: targeted assets, business functions, and vectors.
Satisfactory threat condition.
Accept: there is nothing you need to do.
Use X-Analytics to understand your risk condition.
Within X-Analytics, go to the Report Center and select Cyber Risk Details. Within the Risk tab, you can understand your current risk condition, you can see which risks require the most attention, you can correlate risk to threat, you can see how each risk associates to a potential financial loss, and you can see if your risk condition is improving or worsening.
If you are not satisfied with your risk condition, then you have options:
Unsatisfactory risk condition.
Mitigate: monitor and block threat, improve cyber maturity (countermeasures).
Transfer: cyber insurance and third-party contracts.
Remove/Reduce: targeted assets, business functions, vectors, exposure elements (such as data record types and volume).
Satisfactory risk condition.
Accept: there is nothing you need to do.
Use X-Analytics to understand risks that are within target.
Within X-Analytics, go to the Report Center and select Cyber Risk Details. Within the Scatter Plot tab, you can set target criteria (such as risk expectation and cyber maturity expectation). After setting, you can easily see which risk scenario require attention.
As an additional option, you can filter by loss category (such as data breach or ransomware), asset group (such as ICS or terminal), and threat category (such as misuse or error).
Use X-Analytics to understand your cyber exposure condition.
Within X-Analytics, go to the Report Center and select Cyber Risk Summary. Within the Cyber Risk Summary, you can understand your current cyber exposure condition, you can see which exposure categories are most problematic, you can see if cyber exposure condition is improving or worsening, and you can see a prioritized mitigation plan to best improve cyber exposure.
If you are not satisfied with your cyber exposure condition, then you have options:
Unsatisfactory exposure condition.
Mitigate: monitor and block threat, improve cyber maturity (countermeasures).
Transfer: cyber insurance and third-party contracts.
Remove/Reduce: targeted assets, business functions, vectors, exposure elements (such as data record types and volume).
Improve Revenue and Profit: by improving revenue and profit, the ratio between cyber exposure and revenue will improve, which further improves the delineation between material and immaterial thresholds.
Satisfactory exposure condition
Accept: there is nothing you need to do.
Use X-Analytics to understand your cyber maturity condition.
Within X-Analytics, go to the Report Center and select Control Framework. Within the NIST CSF tab, you can understand your current cyber maturity condition, you can see which NIST categories require the most attention, you can see which NIST functions offer the most exposure improvement, you can see if you are meeting NIST tier targets, and you can see how each NIST tier target improves cyber exposure.
If you are not satisfied with your cyber maturity condition, then focus on the NIST categories and functions that best improve exposure and focus on the NIST sub-categories that help you achieve your NIST tier targets.
Use X-Analytics to understand your cyber insurance condition.
Within X-Analytics, go to the Report Center and select Risk Transfer Analyzer. Within the Risk Transfer Summary tab, you can proactively understand insurance coverage per loss category, and you can understand how insurance reduces your cyber exposure condition.
If you are not satisfied with your cyber insurance condition, then work with our insurance broker and carrier to better align coverage, calibrate limit and retention to better meet expectations, and to correct any gaps that may currently exist in your coverage.
How can X-Analytics help foreign private issuers?
The fifth paragraph of the SEC release states, "The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance."
Since the expectations for foreign private issuers have already been covered in this guide, please go here and here for materiality and please go here for cyber risk management, strategy, and governance.
In Summary
This guide showed how you can use X-Analytics to improve cyber risk management, strategy, and governance, and how you can use X-Analytics to support the materiality process for incident disclosure. Below is a quick reference map between SEC cyber rules and X-Analytics.
Form 8-K Item 1.05 – Material Cybersecurity Incidents
Post incident, X-Analytics provides loss lookup tables for data breach, business interruption, misappropriation (including FTF and theft of IP), and ransomware to help organizations determine if an incident has an estimated material consequence.
If the incident is material (or when combined with previous incidents is material), an organization can used the estimated X-Analytics severity values to establish initial disclosure to shareholders.
X-Analytics provides easy and efficient support to ensure organizations meet filing deadlines as stated within this rule.
Regulation S-K Item 106(b) – Risk Management Strategy
X-Analytics is a means to identify, understand, and manage material risk from cybersecurity threats.
X-Analytics provides an ability to lookup specific incidents and determine if such incidents have an estimated material severity.
X-Analytics provides complete loss tables, including probability and severity of incidents, to understand if the delineation between probable and improbable incident patterns.
X-Analytics provide an estimated annual exposure (in monetary terms) due to cyber, which is an aggregation of all possible impacts multiplied the probability of those impacts. This annual exposure is an easy-to-understand summary of organization profile, threat profile, cyber maturity, and the current macroeconomic cyber risk condition.
Regulation S-K Item 106(c) – Governance
X-Analytics summarizes the board’s oversight of risk from cybersecurity threats, which includes trending and detailed analysis of common frameworks (such as NIST CSF v1.1)
X-Analytics provides prioritized guidance, with the ability to set achievable risk resilience targets.
Post incident, X-Analytics provides an understanding of risk transfer benefit (where applicable).
Form 20-F
X-Analytics provides board reporting (and other reporting and metrics) to assist with the board’s oversight of risk from cybersecurity threats.
X-Analytics proves how management is assessing and managing material risk from cybersecurity threats. This includes trending and detailed analysis.
Form 6-K
Post incident, X-Analytics provides loss lookup tables for data breach, business interruption, misappropriation (including FTF and theft of IP), and ransomware to help organizations determine if an incident has an estimated material consequence.
If the incident is material (or when combined with previous incidents is material), an organization can used the estimated X-Analytics severity values to establish initial disclosure to shareholders.
X-Analytics provides easy and efficient support to ensure organizations meet filing deadlines as stated within this rule.
Commentaires