TheCorporateCounsel.net

August 31, 2022

Cybersecurity: Assessing Cyberattack Materiality

Earlier this year, HanesBrands disclosed that it had been the victim of a ransomware attack. In its second quarter earnings release, the company disclosed that the attack had a “negative impact on second-quarter net sales, adjusted operating profit and EPS of approximately $100 million, $35 million and $0.08, respectively.” Over on Radical Compliance, Matt Kelly takes a look at the company’s disclosures and observes that they pretty much checked all of the boxes when it comes to the SEC’s disclosure expectations. He then segues into a discussion of the most challenging issue companies face when confronted with a cyberattack – assessing whether it’s material in the first place:

An attack that cuts net sales by 6.2 percent is material (any loss greater than 1 or 2 percent would be), but we’re looking at that number in hindsight. When a company first discovers that a ransomware attack is afoot, you most likely don’t know how severe the damage will be. You need to monitor the disruption as it unfolds, until it crosses some materiality threshold.

Well, think about what that means. You’d need to understand the value at risk from a cyber disruption. You’d need careful analysis of which systems are mission-critical, and the “hourly rate” of their importance, so to speak, so you can keep a running tally of the financial losses. For example, you’d need to be able to say something along the lines of, “For every minute our fulfillment system is off-line, we lose $3,300 in orders.” Do the math, and after three weeks a disruption like that would cost you $100 million in sales.

After only one week, however, that disruption would already have cost $33 million in lost sales. For a company with $1.6 billion in total sales, that would be a loss of roughly 2 percent — and plenty of people would say a 2 percent loss to net sales is material. So our hypothetical company would need to file a disclosure about the incident four days after it crossed that threshold, rather than eight or 10 weeks later in the next earnings release.

I only picked those numbers to give an example that roughly fits the losses HanesBrands suffered; everyone following along will need to use whatever numbers make sense for your own business. The underlying math, however, still holds. Under certain circumstances, a ransomware attack could cost you so much money that very quickly it’s material and needs to be disclosed to investors double-quick.

Matt says that given the speed with which a cyberattack can blossom into something very material to the business, compliance and risk management teams have to ask several questions in order to ensure that the company is prepared to make this assessment: “For example, has your company identified its mission-critical, revenue generating systems? Has it modeled out the estimated revenue per hour those processes generate? Have you consulted with finance and accounting teams so that everyone has a clear understanding of the financial threshold for a material loss?”
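The running tally Matt describes above, and the revenue-per-hour modeling his questions ask for, as an added Python example (this is not code from the original post or from HanesBrands). The $3,300 per minute, $1.6 billion in net sales and 2 percent threshold come from his hypothetical; the per-system outage windows, the "storefront" system and the piecewise-linear solver are constructed here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Outage:
    """One mission-critical system knocked offline by the incident."""
    system: str
    loss_per_minute: float         # estimated net sales lost per minute offline (constructed)
    start_min: int                 # minutes after the incident was detected
    end_min: Optional[int] = None  # None = still offline

def loss_at(outages, t):
    """Running tally: net sales lost across all outages up to minute t."""
    total = 0.0
    for o in outages:
        end = t if o.end_min is None else min(o.end_min, t)
        total += max(0, end - o.start_min) * o.loss_per_minute
    return total

def first_material_minute(outages, total_net_sales, threshold_pct):
    """First minute at which cumulative loss reaches threshold_pct of net sales,
    or None if it never will with the outages as given. Loss is piecewise linear,
    so only the segment boundaries (outage starts and ends) need checking."""
    threshold = total_net_sales * threshold_pct / 100
    bounds = sorted({o.start_min for o in outages}
                    | {o.end_min for o in outages if o.end_min is not None})
    t, loss = 0, 0.0
    for nxt in bounds + [None]:
        # Loss rate in force over the segment [t, nxt)
        rate = sum(o.loss_per_minute for o in outages
                   if o.start_min <= t and (o.end_min is None or o.end_min > t))
        span = float("inf") if nxt is None else nxt - t
        if rate > 0 and loss + rate * span >= threshold:
            return t + (threshold - loss) / rate   # solve within this segment
        if nxt is None:
            return None
        loss += rate * span
        t = nxt

# Constructed scenario mirroring the post: fulfillment down at $3,300/min, $1.6B net sales.
FULFILLMENT_ONLY = [Outage("fulfillment", 3300, 0)]
TOTAL_NET_SALES = 1_600_000_000

if __name__ == "__main__":
    m = first_material_minute(FULFILLMENT_ONLY, TOTAL_NET_SALES, 2.0)
    print(f"2% threshold crossed after {m / 1440:.1f} days; "
          f"one-week loss ${loss_at(FULFILLMENT_ONLY, 7 * 1440):,.0f}")
```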

John Jenkins