Missing the Mark on Materiality

A little more than a year ago, the US SEC's cybersecurity incident disclosure rules went into effect.

Unfortunately, while these event disclosures may have started to help make the marketplace more transparent vis-a-vis cyber risk, they have failed to reflect the resounding impact that cyber events can have on broader economic stability.

After a thorough examination of the past year's incident reports on Form 8-K (under both Items 1.05 and 8.01), it's plain that the SEC's requirement that registrants consider an event's materiality only from the internal perspective leaves a significant portion of the story untold.

Their much-too-narrow reporting framework deprives investors of crucial insights regarding the wider implications of cyber incidents, including their cascading effects on connected industries, supply chains, and overall market and consumer dynamics.

The CrowdStrike business outage is a glaring example of this shortcoming. The faulty Falcon software update caused more than 8.5 million Microsoft Windows-powered devices to crash, paralyzing airlines, banks, and healthcare institutions worldwide.

Delta Airlines alone reported losses in the hundreds of millions, while the wider market suffered billions in damages as critical services were disrupted for days, even weeks.

Nevertheless, despite these catastrophic consequences, the incident's materiality remains officially "undetermined."

The SEC's framework needs reform.

Without a more comprehensive approach that demands corporations account for both organizational and market-wide impacts, stakeholders will remain in the dark, unable to fully assess the risks and consequences of cyber events.

Yes, the media can be counted on to shed light on some crucial information, but not all of it, and not always.

Transparency must evolve to match the realities of an interconnected world.


#materiality #cybersecurity #cybermateriality #cyberriskmanagement #eventreporting #SEC #materialevent #CrowdStrike #CRQ


If you're interested in learning how on-demand CRQ and Kovrr's one-of-a-kind Materiality Analysis feature help to streamline materiality reporting and ensure compliance, send me a message! I'm always happy to chat.
