
You need a robust cyber materiality program | CISO Insights E2


Companies need to get ahead in implementing the SEC’s new cybersecurity rules around cyber materiality. However, definitions of cyber materiality are vague, making it difficult for organizations to know where to start. Akamai Advisory CISO Steve Winterfeld joins us in another episode of CISO Insights to talk about cyber materiality and how organizations can build a cyber materiality program. On encouraging companies to be proactive in building out their programs, he says, “[If] you’re ended up in filing an 8K for a cyber incident, you don’t have any documentation or program. Now you’re at risk for negligence.”

Cyber materiality requirements and their definitions

  • Winterfeld discusses the SEC’s new rule around cyber materiality and how it focuses on reducing the probability of a material impact due to cyber events.
  • Winterfeld shares some of the varying definitions of materiality, remarking that they are vague. Nonetheless, he confirms you have 48 hours to report on incidents that become material, which is a tight deadline.
  • The CISO manages all of the company’s risk, which traditionally would have been categorized depending on how high or low the risk was. However, although critical problems are discussed, few CISOs have traditionally talked about material problems.
  • Winterfeld talks about the crossover between critical risk becoming material and why it is crucial to understand the relationship.

Considerations for building out a cybersecurity materiality program

  • Winterfeld discusses the process of building out your cyber materiality program, including defining your material risks and cyber material risks, what is considered a material incident and the associated threats, and your material vulnerabilities.
  • Leadership change and regulatory notification may be required for material cyber incidents.
  • Winterfeld discusses which teams within an organization are involved in the cyber materiality program and why it needs to be a joint effort.
  • Winterfeld talks about the association between cybersecurity and business, including brand impact and operational implications.

Cyber material risks and how companies can prioritize and prepare for them

  • Winterfeld explains the 10K, the US annual financial report, and the section in it that covers risk, as well as the 8K, which is used for announcing cyber incidents to the SEC.
  • Winterfeld shares his advice for companies to contain cyber material threats, encouraging companies to prioritize building a program, building a team to go through the terms and define them, writing up the plans, and testing them.

Guest: Steve Winterfeld (LinkedIn)
Company: Akamai (Twitter)
Show: Let’s Talk

This summary was written by Emily Nicholls.