CyberWire Daily - What does materiality mean exactly?
Episode Date: August 12, 2024
Rick Howard, N2K CyberWire's Chief Analyst and Senior Fellow, discusses the meaning of cybersecurity materiality.
References:
Amy Howe, 2024. Supreme Court strikes down Chevron, curtailing power of... federal agencies [Blog].
Cydney Posner, 2023. SEC Adopts Final Rules on Cybersecurity Disclosure [Explainer]. The Harvard Law School Forum on Corporate Governance.
Cynthia Brumfield, 2022. 5 years after NotPetya: Lessons learned [Analysis]. CSO Online.
Eleanor Dallaway, 2023. Closed for Business: The Organisations That Suffered Fatal Cyber Attacks that Shut Their Doors For Good [News]. Assured.
Gary Cohen, 2021. Throwback Attack: Chinese hackers steal plans for the F-35 fighter in a supply chain heist [Explainer]. Industrial Cybersecurity Pulse.
James Pearson, 2022. Russia downed satellite internet in Ukraine [News]. Reuters.
Katz, D., 2021. Corporate Governance Update: "Materiality" in America and Abroad [Essay]. The Harvard Law School Forum on Corporate Governance.
Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [Cybersecurity Canon Hall of Fame Book]. Goodreads.
Lizárraga, C.J., 2023. Improving the Quality of Cybersecurity Risk Management Disclosures [Essay]. U.S. Securities and Exchange Commission.
Matthew Daly, 2024. Supreme Court Chevron decision: What it means for federal regulations [WWW Document]. AP News.
Rick Howard. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [Book Review]. Cybersecurity Canon Project.
Rick Howard, 2021. Using cyber sand tables to study the DNC hack of 2016 [Podcast]. The CyberWire.
Rick Howard, 2022. Cyber sand table series: OPM [Podcast and Essay]. The CyberWire.
Staff, 2020. Qasem Soleimani: US strike on Iran general was unlawful, UN expert says [Explainer]. BBC News.
Staff, 2023. Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure [Government Guidance]. U.S. Securities and Exchange Commission.
Staff, 2024. Number of Public Companies v. Private: U.S. [Website]. Advisorpedia.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout.
That's joindeleteme.com slash N2K, code N2K.
The idea of cybersecurity materiality is tough to get your hands around.
I'm part of a Carnegie Mellon University team, CMU, that contributes to a six-month-long Chief Information Security Officer Certificate Program.
It targets existing CISOs who want to sharpen their skills and other security professionals looking to get into the CISO game.
CMU brings in 18 cybersecurity luminaries, like Cybersecurity Canon Hall of Fame authors Jack Jones, co-author of Measuring and Managing Information Risk (he's the inventor of the FAIR model), Randy Trzeciak, co-author of The CERT Guide to Insider Threats, and Doug Hubbard, co-author of How to Measure Anything in Cybersecurity Risk.
Don't ask me how I got on the list.
Clearly, CMU was misinformed about what the word luminary means.
I was misinformed.
For my piece, twice a year, I facilitate a five-hour session that covers and updates the subjects in my book, Cybersecurity First Principles: A Reboot of Strategy and Tactics.
Each time we do it, there is a subset of students consisting of senior government people looking to make the transition to the commercial world or just trying to understand how we civilians think about the job of being a CISO.
Last December, my class had a handful of senior U.S. Navy people, and they were intensely interested in how the Navy could improve their cybersecurity risk forecasting.
But after listening to Jones, Hubbard, and me go on and on about what risk forecasting means, they specifically kept stumbling on how I defined it.
Now, you all know that for the past four years, I've made the case that in order to solve cybersecurity, the starting point, the absolute atomic first principle, is this: reduce the probability of material impact due to a cyber event in the next three to five years.
The thing that the Navy leadership kept stumbling over is the idea of materiality.
Their understanding was that materiality was simply a financial term used by public companies in their quarterly earnings reports.
And it had no meaning for companies that weren't public, and especially for government organizations, institutions that aren't in business at all.
In the first principles book, I estimate that there are some 6 million companies, nonprofits, and government institutions in the United States.
And according to Advisorpedia, as of 2024, there are only 2,790 public companies.
Navy leadership rightfully asked the question: if materiality only applies to less than 1% of the entire population, how can it be an integral part of any first principle?
That's a great question. Let's find out. So, hold on to your butts.
Hold on to your butts. Hold on to your butts.
This could get interesting.
My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A.
And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
According to the Harvard Law School Forum on Corporate Governance, Supreme Court Justice Thurgood Marshall crafted the landmark judicial definition of materiality in 1976.
He wrote in the TSC Industries v. Northway case that a fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote, or a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the total mix of information made available.
That's a mouthful.
So, restated, for a public company in the United States, materiality is any event that significantly impacts share value.
That seems straightforward enough until you view it through the lens of cybersecurity.
Except for some obvious, significant public cyber attacks, like the 2017 Russian NotPetya campaign, where the total estimated damage worldwide was north of $10 billion, public companies have never really addressed cybersecurity material risk in their earnings calls, at least not as a matter of course.
Business leaders and InfoSec professionals don't really have the language yet to bridge the gap between typical business materiality issues like mergers and acquisitions and the InfoSec profession's favorite tool to convey cybersecurity risk, the heat map.
That started to change in 2023.
The U.S. Securities and Exchange Commission, the SEC, approved a new rule for all public companies: leadership must report material cyber events within four business days.
All of a sudden, cybersecurity materiality became a real thing that security practitioners in public companies needed to worry about.
Every public company CISO worth their salt made a beeline to the CFO's office in order to come to some understanding about how they were going to define cybersecurity materiality going forward.
But hold the phone.
In another landmark decision this summer, 2024, the U.S. Supreme Court reversed its 1984 ruling in the case of Chevron v. Natural Resources Defense Council that allowed federal agencies like the SEC to enforce their own rules in lieu of specific laws passed by Congress.
Chief Justice John Roberts called the Chevron Doctrine fundamentally misguided.
This shift away from the Chevron Doctrine introduces a period of uncertainty for the enforcement of the SEC's cybersecurity reporting rule.
Companies and regulators alike will need to navigate this new legal landscape very carefully.
The rule doesn't go away, but now public companies have a legal path for noncompliance.
What a mess.
Regardless of what you think about the SEC reporting rule, the Supreme Court's reversal on the Chevron Doctrine just tossed a giant bucket of chaos and uncertainty on the entire question of cybersecurity material reporting for public companies.
As a side issue, the entire idea of government oversight by named institutions like the Food and Drug Administration and the Environmental Protection Agency, just to name two, has been called into question.
For now, InfoSec professionals in the U.S. will get no legal clarity anytime soon on what is material and how it should be reported.
Since what we did have before only applied to public companies anyway, this is probably not a big loss for the InfoSec profession.
But in terms of cybersecurity first principles, is materiality still an essential concept?
If you take any three random people walking down the hallway of your headquarters building and lock them in a room with a whiteboard for an hour, they could probably come up with hundreds of potential risks to the business or some government mission.
And that's our show.
Well, part of it.
There's actually a whole lot more, and if I do say so myself, it's all pretty great.
So here's the deal.
We need your help so we can keep producing the insights
that make you smarter and keep you a step ahead
in this rapidly changing world of cybersecurity.
If you want the full show,
head on over to thecyberwire.com slash pro
and sign up for an account.
That's thecyberwire.com.
For less than a dollar a day,
you can help us keep the lights and the mics on
and the insights flowing.
Plus, you get a whole bunch of other great stuff
like ad-free podcasts, my favorite,
exclusive content, newsletters,
and personal level-up resources like practice tests.
With N2K Pro, you get to help me and our team
put food on the table for our families,
and you also get to be smarter and more informed
than any of your friends.
I'd say that's a win-win.
So head on over to thecyberwire.com slash pro
and sign up today for less than a dollar a day.
Now, if that's more than you can muster,
that's totally fine.
Shoot an email to pro at n2k.com and we'll figure something out.
I'd love to see you over here at N2K Pro.
And one last thing.
Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and this show sound good.
I think it's only appropriate you know who they are.
I'm Liz Stokes, N2K CyberWire's Associate Producer.
I'm Trey Hester, Audio Editor and Sound Engineer.
I'm Elliot Peltzman, Executive Director of Sound and Vision.
I'm Jennifer Iben, Executive Producer.
I'm Brandon Karf, Executive Editor.
I'm Simone Petrella, the president of N2K.
I'm Peter Kilby, the CEO and publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody.
And thanks for listening.
Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.