
Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE
Published: 2 November 2023

The cyberincident disclosure rules¹ introduced by the US Securities and Exchange Commission (SEC) in July 2023 have sparked a wave of concern among cybersecurity professionals and boards of directors (BoDs). These rules include several new or expanded requirements, but what has appeared to cause the most concern is the mandate that material cybersecurity incidents must be publicly disclosed to the SEC. This must be done within four days of determining that an incident is material. However, these rules and their enforcement are predicated on being able to determine what a material cyberincident is. Therefore, it is helpful to understand how to jumpstart the process for determining materiality in an organization.

Recently published research on this topic helps to clarify the question.² The researchers investigated what auditors have historically considered to be material risk. There is a long history of using a two-factor test to determine materiality. To perform this test, an auditor begins with a quantitative assessment of financial transactions to determine whether they would have a sizable impact on an enterprise's balance sheet, revenue, net income or asset valuation. These different financial metrics are referred to as benchmarks. The value established using a benchmark is called its threshold. Auditors often establish certain thresholds and benchmarks to assess the financial health and risk of an organization. These may include 5% of pretax income, 0.5% of total assets, 1% of equity or 0.5% of total revenue. If a financial change exceeds these thresholds, it may indicate a significant shift that must be addressed.

In earlier research, one of the researchers sought to determine whether some of the highest cybersecurity fines ever imposed would be considered material given traditional materiality threshold values.³ In short, the answer was no. In fact, such a fine would have to be as high as US$2 billion. Due to the relatively low reported loss amounts compared to the enterprises' financial performance and the fluctuating nature of those financials, the study found that revenue is the most effective benchmark for judging cyberimpact.

This finding laid the foundation for a new research direction. The researchers hoped to recreate that study but with a different focus: What would a materiality threshold value look like for cyberrisk? They analyzed the most significant cyberincidents and tested a variety of threshold values. The study found that a reasonable value is 0.01% of the enterprise's revenue as stated in its most recent financial report. Auditors support this adjustment of the threshold in practice, because it is not possible for an organization to have nothing that is considered material. Therefore, even in large organizations, auditors must select a threshold value that generates some preliminarily material values.

The first part of the two-factor test is important. The process of comparing an incident's costs to a threshold and benchmark value will yield a preliminary materiality assessment. If an incident is found to be quantitatively material using this method, the organization will find it difficult to argue that the incident is not material. However, the reverse does not hold. For incidents whose cost falls below this threshold, the second factor to be evaluated is qualitative. The organization must determine whether a reasonable investor would find a cyberimpact meaningful to their investment decisions. Even a transaction that falls below the threshold benchmark could be considered material when evaluated using this second test. An example of this scenario is the cybersecurity fine test mentioned above. If a fine exceeds the threshold, then it is likely material (subject to a final determination by the enterprise and its attorneys). However, even if the enterprise receives only a minor fine, it would still be meaningful for an investor to know that it was fined for cybersecurity violations.

SEC guidance also requires disclosure of material risk, which involves different thresholds. First, organizations must distinguish between risk factors and incidents. Risk factors are useful for predicting future events, whereas incidents revolve around current events that are unfolding. The researchers propose additional metrics for determining quantitatively material cyberrisk in two ways: rate of change materiality (RoCM) and forecast accuracy materiality (FAM). RoCM focuses on the need for organizations to assess risk scenarios quantitatively and track changes in that loss exposure over time. Reporting those changes can surpass materiality thresholds such as the existing ones outlined by auditors (the researchers recommend using 5% of revenue to test this).

Additionally, FAM focuses on a post-incident review of an incident's financial impact and a comparison to the forecasted risk amount. This provides valuable insight to the investment community as to how well attuned the cyberrisk management function is and how reliable its risk forecasts are. Similarly, a variance in key values (such as the mode or maximum value) in excess of 5% can be considered preliminarily material.

The researchers summarized their findings in a materiality heuristic that helps provide clarity for organizations dealing with uncertainty as they seek to integrate the SEC's new compliance requirement into their governance operations. The heuristic mirrors the two-factor test that has historically been used for financial auditing purposes. The overall process consists of three steps:

  1. Assess the risk or incident using quantitative thresholds. Use 0.01% of revenue for incidents and 5% of revenue for the risk-based metrics (RoCM and FAM). If the value meets or exceeds these thresholds, then the risk or incident can be preliminarily considered material. Incidents and risks, whether or not they are preliminarily considered material, proceed to the second stage for further evaluation.
  2. The risk or incident undergoes a qualitative review to determine whether a reasonable investor would find it material to their decision making. These qualitative factors can include the type of data involved, regulatory impact, business model or market share. If the enterprise's executive management believes that an investor would, the risk or incident should be preliminarily considered material.
  3. The final materiality determination is made by the organization's executive management, BoD and legal representatives before disclosure to the SEC.
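The three steps above, worked through in code as an added example (this is not the researchers' model or an ISACA tool). The article gives the thresholds but not the exact ratio behind each metric, so two formulas are assumed and labelled as such: RoCM is taken as the absolute change in quantified loss exposure between two assessments divided by revenue, and FAM as the variance between the forecast key value (mode or maximum) and the realized loss, relative to the forecast. All monetary figures are constructed sample values.

```python
"""Worked example of the three-step materiality heuristic (added illustration).

Assumed formulas (not stated in the article):
  RoCM ratio = |current exposure - previous exposure| / revenue
  FAM  ratio = |actual loss - forecast value| / forecast value
Incident ratio = incident cost / most recently reported revenue
"""
from dataclasses import dataclass, field
from typing import List, Optional

INCIDENT_THRESHOLD = 0.0001  # 0.01% of revenue for incidents
RISK_THRESHOLD = 0.05        # 5% for the risk-based metrics (RoCM and FAM)


def _ratio(numerator: float, denominator: float) -> float:
    """Divide, refusing a zero or negative benchmark: a missing revenue figure
    must raise rather than silently yield a 'not material' result."""
    if denominator <= 0:
        raise ValueError("benchmark value must be positive")
    return abs(numerator) / denominator


@dataclass
class Assessment:
    subject: str                                   # "incident", "RoCM" or "FAM"
    ratio: float                                   # value compared to the threshold
    threshold: float
    quantitatively_material: bool                  # step 1 outcome
    qualitatively_material: Optional[bool] = None  # step 2 outcome
    factors: List[str] = field(default_factory=list)
    final_determination: Optional[bool] = None     # step 3, recorded by management

    @property
    def preliminarily_material(self) -> bool:
        # Either factor of the two-factor test suffices for a preliminary finding;
        # a sub-threshold item can still be material on the qualitative factor.
        return self.quantitatively_material or bool(self.qualitatively_material)


def incident_materiality(cost: float, revenue: float) -> Assessment:
    """Step 1 for an incident: cost versus 0.01% of most recently reported revenue."""
    r = _ratio(cost, revenue)
    return Assessment("incident", r, INCIDENT_THRESHOLD, r >= INCIDENT_THRESHOLD)


def rocm_materiality(previous_exposure: float, current_exposure: float,
                     revenue: float) -> Assessment:
    """Step 1 for RoCM: change in quantified loss exposure versus 5% of revenue
    (assumed formula)."""
    r = _ratio(current_exposure - previous_exposure, revenue)
    return Assessment("RoCM", r, RISK_THRESHOLD, r >= RISK_THRESHOLD)


def fam_materiality(forecast_value: float, actual_loss: float) -> Assessment:
    """Step 1 for FAM: variance of the realized loss from a forecast key value
    (mode or max), relative to the forecast (assumed formula)."""
    r = _ratio(actual_loss - forecast_value, forecast_value)
    return Assessment("FAM", r, RISK_THRESHOLD, r >= RISK_THRESHOLD)


def qualitative_review(a: Assessment, investor_would_care: bool,
                       factors: List[str]) -> Assessment:
    """Step 2: every item reaches this stage, whether or not step 1 flagged it."""
    a.qualitatively_material = investor_would_care
    a.factors = list(factors)
    return a


def final_determination(a: Assessment, management_decision: bool) -> Assessment:
    """Step 3: the decision by executive management, the BoD and counsel."""
    a.final_determination = management_decision
    return a


if __name__ == "__main__":
    # Constructed figures: US$5B reported revenue, a US$200K regulatory fine.
    fine = incident_materiality(cost=200_000, revenue=5_000_000_000)
    qualitative_review(fine, investor_would_care=True,
                       factors=["regulatory impact: fined for cybersecurity violations"])
    # Below the 0.01% line, yet preliminarily material on the qualitative factor.
    print(fine.quantitatively_material, fine.preliminarily_material)  # False True
```

The fine example reproduces the article's point that a sub-threshold item still proceeds to the qualitative review and can come out preliminarily material there; the final determination is deliberately left as a recorded human decision rather than computed.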

It is expected that the new SEC rules will be difficult to implement for many enterprises. Many speculate that enterprises will overdisclose information to avoid incurring the SEC's wrath.⁴ One of the silver linings to reasonable compliance will be the establishment of a defensible framework for determination, reporting and disclosure. The guidance presented here will be critical to organizations building their own frameworks to establish cybersecurity reporting and disclosure.


