Cyber Risk, Financial Impact and Materiality
- Ralph Labarta
- Mar 1, 2024
Updated: Mar 5, 2024
When consulting with small to medium-sized businesses, one of the overarching topics is the cost of cyber security. Leaders understand the importance of cyber spend, but often find themselves in a changing sea of vendor products, ever-evolving threats and limited resources.
A cornerstone of our approach to helping organizations is to take large company cyber strategies and strip them down to their most impactful components. A key tool in this effort is to define cyber risks in financial terms. In our approach, this analysis extends beyond cyber to include other business interruption risks and their related potential financial impact.
Although the concept of business impact assessment is not new, it has evolved in the face of cyber threats and, to a large extent, come full circle. At one point the evolution was driving a more specific approach to cyber or to other threats such as infrastructure risks, but our approach now is to be less concerned with the root threat and to focus simply on understanding the potential financial impact of all threats. This approach allows for an enterprise-wide ranking of risk materiality and the application of mitigation and recovery strategies that deliver the greatest value per dollar of spend.
When analyzing the financial impact, the term materiality has taken on new focus. Recently the Securities and Exchange Commission issued rules governing disclosure of cyber incidents, using the term "material" as the threshold for reporting. However, the SEC chose not to draw a bright line defining materiality, nor did it identify a specific materiality definition for cyber. SEC rules are, of course, the concern of large public companies, but the recognition of the traditional standard for materiality ("all facts which a reasonable shareholder might consider important") serves as a useful goal post for private companies navigating risk disclosures.
In conclusion, a business risk assessment mapped to financial impact is a key step for enterprise leaders to identify and rank risks. As mitigation and recovery strategies are considered, the financial analysis will also change, providing a cost/benefit basis for decision making. This is a critical tool for business leaders struggling to apply limited resources to a myriad of risks. When performed correctly, risks are not siloed due to an overemphasis on cyber, for example; financial impact and materiality are preserved as the most important metrics.