Materiality is the word of the year for chief information security officers (CISOs) across the United States. New rules from the U.S. Securities and Exchange Commission (SEC), which came into effect on December 15, 2023, will require companies to disclose “material cybersecurity incidents” within four days of detecting one; even before the rules were passed, the SEC showed how seriously it takes the concept of materiality. In October 2023 the SEC announced it was charging software company SolarWinds and its CISO with “fraud and internal control failures” related to the December 2020 breach of SolarWinds’ networks by the Russian hacking group Nobelium. Nobelium leveraged its access to SolarWinds’ networks to embed malicious code in an update for SolarWinds’ Orion software, giving the hackers access to the networks of the U.S. Departments of Homeland Security, Commerce, and Treasury, along with countless other companies and government agencies. The SEC complaint alleges that SolarWinds denied investors “accurate material information” for two years by making public statements about its cybersecurity practices and risks that did not align with SolarWinds’ internal assessments of its vulnerabilities and its ability to protect key internal systems. Materiality is now a critical concept for CISOs, and the U.S. government’s emphasis on it is going to force a shift in the way public corporations approach cybersecurity as a business risk.
The long-term consequences of the SolarWinds prosecution and the recent SEC four-day breach notification rule are going to shake the foundations of cybersecurity.
This new rule requires that CISOs get a good grasp of what a “material” cyberattack would be, and begin to apply that standard to how they label incidents. The information security industry has been known for using fear, uncertainty, and doubt (FUD) rather than numbers to advocate for budgets or to sell products, but this ruling is going to force better risk measurement and communication in order to determine what constitutes “material” risk to the information security posture of public companies. Many believe that this rule is going to do for public companies what Sarbanes-Oxley did for financial reporting. Some CISOs are cheering the rule because it’s going to bring their requests and pleas for budget and resources into sharp relief; others are terrified that they’ll be measured on a metric they don’t comprehend.
Cyber has graduated to an enterprise risk, but can it be measured in a meaningful way? In cybersecurity, there are extraordinary quantities of data about an organization’s inventory of cyber assets, but security practitioners struggle to put that data into a cognitive framing that supports risk decisions. Unlike with Sarbanes-Oxley reporting two decades ago, the problem isn’t that the C-suite lacks information; it’s that they have far too much of it and are having a hard time interpreting and translating it for their bosses and boards.
When a Chief Financial Officer (CFO) describes risk to a board, they have numbers they use to report it. CISOs have traditionally not been expected to provide a number that describes risk; instead, they often communicate in generalities that are accurate but imprecise, like “red” or “sev1.” At least in part, this is because CEOs tend to come from the financial side of organizations, and it would be inconceivable to have a CEO who did not know how to read an income statement, balance sheet, or cash flow report. Yet it is very common for CEOs to be unaware of some of the most basic building blocks of the information security industry, such as a vulnerability report, a Common Vulnerabilities and Exposures (CVE) entry, or the executive summary of a penetration test. Each of those building blocks is part of the foundation for describing cyber risk. Ultimately, the goal of measuring and communicating risk well is to build trust, and that trust is two-sided: the people being reported to must not only trust that their CISOs are reporting accurately, but must themselves be trusted to act with appropriate vigor or discretion.
Given that the executives CISOs report to often choose not to dedicate the time to understand the field, CISOs before this rule were more concerned with being accurate than with being precise. If you were reporting up to someone who wanted the correct answer rather than a precise one, it was better to describe risk in generalities such as red, yellow, or green.
On the other side, this is the first time many cyber people have been exposed to the idea of “material” statements, and we foresee a thriving new compliance ecosystem (or at least the marketing around it) to address this lack of knowledge amongst cyber folk. We in the information security industry will have to rapidly end our standard operating procedure of using FUD to get budget, as the kind of Chicken Little statements we have made in the past could now be considered material statements internally. CISOs and other cybersecurity professionals need to get smart quickly on financial reporting requirements, such as the use of Form 8-K for disclosing material events or corporate changes. This shift in regulatory expectations represents a significant change for the cybersecurity industry, requiring a more rigorous and transparent approach to risk communication and decision-making, especially at the C-suite level.
While this new amendment extends corporate governance to cover cyber risk, the concept of materiality is not new for the SEC. It already requires that companies disclose material information that could impact the financial performance, business operations, or reputation of the company, and it requires that companies have a process in place to identify, assess, and disclose material risks, including environmental, social, and governance (ESG) risks.
For policymakers: Congress can address the issue of cyber risk management in organizations by avoiding the creation of incentives that may lead to the dismissal of CISOs who are unable to effectively communicate cyber risks to C-suite executives. Instead, Congress should create incentives that penalize C-suites who willfully maintain their cyber ignorance. As with so many things around the SolarWinds investigation, such as why the Cyber Safety Review Board (CSRB) refused to investigate it, we remain bewildered as to why the SolarWinds CISO is facing legal action when the CISO reported to a Chief Experience Officer (CXO), and the CXO reported to the CEO. One finds it improbable that the middleman there had no knowledge of any problematic actions, but without coordinated investigations and consequences, we won’t ever know.
Tarah Wheeler is Senior Fellow for Global Cyber Policy at the Council on Foreign Relations and the CEO of cybersecurity compliance company Red Queen Dynamics.
Munish Walther-Puri is a Life Member of the Council on Foreign Relations, Vice President of Cyber Risk at supply chain risk management platform Exiger, and adjunct professor at NYU’s Center for Global Affairs.