How to Communicate Cyber Risk Materiality to your Board

Understanding the impact of SEC disclosure reporting
By Josh Reid

Cyber risks have always been a topic of conversation, but in 2023 the Securities and Exchange Commission (SEC) released a new set of cyber risk disclosure rules that are impacting small and large organizations alike.

The purpose of these new rules is to help standardize cyber risk disclosures and how organizations manage material cyber incidents.

If you haven’t had a chance to check out the webinar I hosted with Onspring on this topic and other factors of cyber economic risk, you can find the recording linked here.


Communicating cyber risk to your board

There are actually quite a few parallels between baseball and cyber risk.

Imagine you and your team are sitting in a room with the Chicago Cubs owners, the Ricketts family, and Joe Ricketts, Chairman of the Board, asks, “How is the team doing?”

One of your team members quickly jumps in with stats from yesterday’s game, but that isn’t really what Joe wants to know. He’s interested in the big picture:

  • What’s our record?
  • What’s our standing in the division?
  • Will we make the playoffs?
  • What should we focus on next season to improve as an organization?

Yes, the one-game numbers and individual stats are important, but the front office wants to know how the club as a whole is doing and how that performance will affect the team’s longevity.

The same goes for the front office at any company. The following cyber risk implications and scenarios will provide context for how to approach your board on this topic.

The SEC’s impact on cyber risk

Cyber risk is a topic we’ve been discussing with our clients, specifically when communicating cyber risk to business stakeholders and boards of directors. It’s also become a hot topic because of the SEC rules surrounding cyber risk that took effect in July 2023.

On July 26, 2023, the SEC issued a press release explaining the new requirements surrounding cybersecurity incidents, specifying that companies must disclose incidents they deem to be “material.”

However, the SEC has not given specific benchmarks or numbers defining materiality; it leaves it open for GRC teams to determine the reasonable materiality level for their organization.

So, how will organizations determine which cyber events are considered “material”?

The best place to start is by understanding the numbers. For example, say a company does $10 billion in annual revenue. If there’s a total of $175 million in risk, that equates to about 1.8% of exposure based on revenue, 8.8% of free cash flow, and 23% of earnings. These numbers are where people start to pay attention—especially the board.

Cyber Risk Scorecard Details

In order to fully grasp the materiality of cyber risk, it’s important to build a cybersecurity risk management program. To start, we recommend sitting down with leadership to run through different scenarios—from ransomware attacks to data breaches—to better understand the impact on the organization and its bottom line. We often work with our clients to help them build out impact matrices, which are even easier to execute when you have a GRC platform such as Onspring.

Using Onspring to determine materiality

At Crowe, we work with our clients to build a strategy around monitoring and mitigating risk. We recommend two tools to execute the strategy: Onspring, a business process automation platform for GRC, and SSIC X-Analytics, a control mitigation and risk transfer simulator. One way in which we use these tools is to build out what-if scenarios for our clients. In doing so, the data is all housed in Onspring, and X-Analytics calculates the probability of certain risks and their dollar impact. This approach helps organizations better understand the materiality of their risks and what they’ll need to report to the SEC.

Consider this example of how these two platforms can help organizations identify risks and measure their impact.

Application risk assessment

A customer relations business unit running a customer management system, tracked in Onspring, that holds over 500,000 PII records wanted to conduct a risk assessment to determine whether encryption was enabled for the system.

Onspring housed the risk assessment, identified which parties needed to complete it, automatically sent the survey out, and generated the results as they came in. Using Onspring’s automation capabilities, we brought in the risk profile information from the assessment and mapped each risk to specific controls for mitigation.

At the same time, the X-Analytics platform built out threat scenarios for data breaches inside the customer management system if encryption was not enabled. In this particular example, it was determined that there was an 11% probability of a data breach, with a $2.3 million impact on the business.

As a result, we were able to provide this organization with a control and risk framework for enabling encryption on systems with sensitive data, along with an estimate of the potential exposure cost if encryption was not properly implemented.

Cyber Risk Conversations with Business Leaders


“This issue is creating $2.3M additional loss exposure for our company”


“Your business application has 5 open findings, resulting in $6.8M loss exposure for our company.”


“Your three suppliers have 15 open findings, resulting in $8.9M loss exposure for our company.”

Onspring does more than house assessments and monitor risks.

The Onspring software allows organizations to trend and report on various risk-related scenarios, such as open exposure month-to-month, changes in probability levels, expected financial loss, etc. Rolling up that financial information—from the business side to the risk and control framework—gets leaders’ attention. It helps them understand their organization’s top 10 risks from a financial exposure standpoint rather than the day-to-day risk level (going back to our Chicago Cubs example).

The most impactful message you can send to your board is the financial implication.

Your leadership wants to know if the organization will stay afloat or if they’ll need to patch some holes. Discussing cyber risk from this perspective will turn heads in your direction and help you stay compliant, especially in light of the new regulations.


About the author

Josh Reid

Josh Reid is the Principal, GRC Technologies Leader at Crowe, a public accounting, consulting, and technology firm. He is passionate about helping life sciences companies use technologies that strengthen information security and IT risk management programs. At Crowe, he helps life sciences companies evaluate GRC platforms for improved alignment. He has worked with the world’s largest pharmaceutical, medical device, and clinical diagnostic testing companies, which rely on his expertise to help protect their intellectual property and patient information through the use of integrated risk management technologies, automation, and data analytics.
