How to Communicate Cyber Risk Materiality to your Board

Cyber risks have always been a topic of conversation, but in 2023, the Security and Exchange Commission (SEC) released a new set of cyber risk disclosure rules that are impacting small and large organizations alike.

The purpose of these new rules is to help standardize cyber risk disclosures and how organizations manage material cyber incidents.

If you haven’t had a chance to check out the webinar I hosted with Onspring on this topic and other factors of cyber economic risk, you can find the recording linked here.

Communicating cyber risk to your board

There are actually quite a few parallels between baseball and cyber risk.

Imagine you and your team are sitting in a room with the Chicago Cubs owners, the Ricketts family, and Joe Rickett, Chairman of the Board, asks, “How is the team doing?”

One of your team members quickly jumps in with stats from yesterday’s game, but that isn’t really what Joe wants to know. He’s interested in the big picture:

• What’s our record?
• What’s our standing in the division?
• Will we make the playoffs?
• What should we focus on next season to improve as an organization?

Yes, the one-game numbers and individual stats are important, but the front office wants to know how the club as a whole is doing and how that performance will affect the team’s longevity.

The same goes for the front office at any company. The following cyber risk implications and scenarios will provide context for how to approach your board on this topic.

The SEC’s impact on cyber risk

Cyber risk is a topic we’ve been discussing with our clients, specifically when communicating cyber risk to business stakeholders and boards of directors. It’s also become a hot topic because of the SEC rules surrounding cyber risk that took effect in July 2023.

On July 26, 2023, the SEC issued a press release explaining the new requirements surrounding cybersecurity incidents, specifying that companies must disclose incidents they deem to be “material.”

However, the SEC has not given specific benchmarks or numbers defining materiality; they leave it open for GRC teams to determine the reasonable materiality level for their organization.

So, how will organizations determine which cyber events are considered “material?”

The best place to start is by understanding the numbers. For example, say a company does $10 billion in annual revenue. If there’s a total of $175 million in risk, that equates to about 1.8% of exposure based on revenue, 8.8% of free cash flow, and 23% of earnings. These numbers are where people start to pay attention—especially the board.

In order to fully grasp the materiality of cyber risk, it’s important to build a cybersecurity risk management program. To start, we recommend sitting down with leadership to run through different scenarios—from ransomware attacks to data breaches—to better understand the impact to the organization and its bottom line. We often work with our clients to help them build out impact matrices, which are even easier to execute when you have a GRC platform such as Onspring.

Using Onspring to determine materiality

At Crowe, we work with our clients to build a strategy around monitoring and mitigating risk. We recommend two tools to execute the strategy: Onspring, a business process automation platform for GRC, and SSIC X-Analytics, a control mitigation and risk transfer simulator. One way in which we use these tools is to build out what-if scenarios for our clients. In doing so, the data is all housed in Onspring, and X-Analytics calculates the probability of certain risks and their impact on dollars. This approach helps organizations better understand the materiality of their risks and what they’ll need to report to the SEC.

Consider this example of how these two platforms can help organizations identify risks and measure their impact.

Application risk assessment

Using a customer management system inside Onspring that has over 500,000 PII records, this customer relations business unit was looking to conduct a risk assessment to determine if encryption was enabled for the system.

Onspring housed the risk assessment, identified which parties needed to complete it, automatically sent the survey out, and generated the results as they came in. Using Onspring’s automation capabilities, we brought in the risk profile information from the assessment and mapped each risk to specific controls for mitigation.

While at the same time, the X-Analytics platform built out threat scenarios for data breaches inside the customer management system if encryption was not enabled. In this particular example, it was determined that there was an 11% probability of a data breach, causing a $2.3 million impact on the business.

As a result, we were able to provide this organization with a control and risk framework for enabling encryption for systems with sensitive data and what the potential exposure cost would be if not properly implemented.

Onspring does more than house assessments and monitor risks.

The Onspring software allows organizations to trend and report on various risk-related scenarios, such as open exposure month-to-month, changes in probability levels, expected financial loss, etc. Rolling up that financial information—from the business side to the risk and control framework—gets leaders’ attention. It helps them understand their organization’s top 10 risks from a financial exposure standpoint rather than the day-to-day risk level (going back to our Chicago Cubs example).

The most impactful message you can send to your board is financial implication.

Your leadership wants to know if the organization will stay afloat or if they’ll need to patch some holes. Discussing cyber risk from this perspective will turn heads in your direction and help you stay compliant, especially in light of the new regulations.