Understanding Materiality in Cybersecurity and Compliance
In an era of increasing cyber threats and evolving regulations, organizations must have a clear and consistent approach to incident response and materiality determinations. The Privacy and Compliance Collective webinar series brings together industry leaders to discuss best practices in privacy, cybersecurity, compliance, and risk management.
In this session, Doug Kruger, VP at RadarFirst, sits down with Michelle Kraynak, VP, Chief Counsel, and Chief Privacy Officer at Voya Financial, to explore how organizations assess the material impact of cyber incidents–a critical factor in regulatory compliance, particularly with the SEC’s new disclosure requirements.
This blog provides the full transcript of their conversation, structured with key takeaways and themes to help privacy, security, and risk professionals navigate materiality assessments, streamline incident response, and ensure regulatory compliance.
Read on to gain expert insights into:
- The evolving role of privacy and cybersecurity leadership
- How organizations assess and document materiality in cyber incidents
- The importance of cross-department collaboration in incident response
- Future trends in cybersecurity regulation and compliance
Whether you’re a privacy officer, security leader, or compliance professional, this discussion provides valuable guidance on creating a defensible, repeatable approach to materiality assessments.
From Navigating Materiality Determinations after a Cyber Event
Well, hi, everyone, and welcome to today’s edition of the RadarFirst Privacy and Compliance Collective.
As you might know, this is a webinar series where we dive into key challenges and best practices in privacy, cybersecurity, compliance, and risk management. Today, we’re going to be exploring the materiality associated with cyber incidents.
We’ll be looking at who’s involved in the process, how decisions are made, and how automation can streamline the process. We’ll cover strategies like the importance of developing risk matrices, looking at escalation protocols, when and how possibly to integrate outside counsel, as well as tips for cross-department collaboration, all while ensuring consistency and defensible documentation.
So my name is Doug Kruger. I’m a vice president here at RadarFirst. I’ve had the privilege of hosting a number of these sessions over the past two years, all of which have a common theme, namely how to address these and other incident response challenges through automation so organizations can ensure compliance with both regulatory, contractual, and third-party notification obligations.
And I’m thrilled to have Michelle with me, Michelle Kraynak, chief counsel and chief privacy officer at Voya Financial, joining us live from Atlanta. Michelle, it’s always so good to see you. Thank you so much for joining us today.
Absolutely. Thank you for having me.
It’s a pleasure. I know you and I have spent a lot of time together over the years. I appreciate your support. And I thought we’d just start by the obvious. Can you please just introduce yourself maybe a bit more elaborately than I did, talk a little bit about your role, and even about Voya Financial since some people may not be overly familiar with the organization.
Sure. So, yes, my name is Michelle Kraynak, and, like Doug said, VP, chief counsel, and chief privacy officer at Voya. And I like to think of myself, you know, as Michelle before Voya and after Voya. So before I came in-house, ten years ago, I was a commercial litigator and was litigating a lot of what, you know, Voya Financial does, which is, you know, obviously providing retirement record-keeping services. We provide supplemental health insurance, supplemental insurances, we also have our investment management arm, and, you know, again, we also focus on employee benefits. So my role at Voya, since I am, you know, chief privacy officer, is sort of self-explanatory.
But in my universe at Voya, I support the cyber security function, so that entire area. And then, you know, now I also get the pleasure of working in AI. So AI also exists in my universe. So I get to be the legal subject matter expert in what I think are incredibly fascinating subjects and then the legal aspects of which are even more fascinating.
Understanding Materiality in Cybersecurity and Compliance
Well, I’m looking forward to another session around AI because I know it’s burgeoning and it’s new to all of us. But I know Voya is a rather large organization. As I recall, you sort of split out several years ago. But how big is Voya as an organization? And I know that you’re public as well.
Yes. We are a public company. So you know, employee-wise, we are about eight thousand.
You know, we do, you know, our assets under management. I don’t have any of those numbers in front of me, but we have a large number of assets under management, a large number of customers.
What sometimes triggers people, you know, you’ve got to think of, like, a landmark. What’s gonna get somebody’s brain going is our marketing campaign with the origami.
So we have, Val and Verne, who are orange animals, and they like to talk about retirement.
So, if you ever see us on TV.
You and me both.
I would like to talk about retirement myself.
Yes. Exactly.
The Evolving Role of Privacy and Cybersecurity Leadership
So I’m interested because your title is chief privacy officer and chief counsel for both privacy and cyber. And it’s interesting because I’ve not seen that role combined very often in the past. And I’m just curious if you have always had that broader responsibility beyond privacy, or is this something new and developed? And how does it sort of relate to how Voya itself looks at incident response, you know, more holistically or not?
Yeah. So, you know, Voya, over the years, this role has grown because the, you know, cybersecurity regulations since I’ve been practicing have been created, have evolved, and, really, that function, I mean, I work very closely with our CISO. So, you know, he and I have a very, you know, tight, good relationship because what’s going on in his world will undoubtedly, you know, either will look to legal for, advice or guidance or vice versa, and, you know, trying to figure out what happened so that I can provide, better guidance. So I think the role of chief privacy officer in my mind, and this is almost a, you know, a personal campaign, it’s a bit of a misnomer now because it’s, you know, it used to be here’s privacy and here’s security.
Right.
And we had this nice Venn diagram of them overlapping. And through the years, I’ve seen the Venn diagram, the area of privacy, and cyber overlapping more and more and more. And so that is where, you know, the cyber team needed at least a point of entry into the legal department. And so that is, you know, that’s where I serve. I might not have all the answers in terms of implications on a specific business unit, but I, you know, certainly I mean, in addition to all the cyber, you know, regulations, you know, a business partner will get them to the right place they need to be.
Well, it’s so interesting because as I look at things, you know, I’ve been at Radar First now for about nine years. And I remember very early on, the cyber and the infosec team were handling their incidents. The privacy team was handling the incident. If there was a cyber incident that also involved PI or PHI, then they just sort of threw it over the wall to the privacy team.
They lost visibility. They lost enterprise reporting. They lost full context, etcetera. But it sounds like Voya has found a way to sort of get everybody working in the same way from an incident response perspective, and that’s been, I assume, evolving.
But is that true? Are you all sort of using the same tools technology and processes to make sure that you have that enterprise visibility into all types of incidents?
So that’s a really good question. So technology is a challenge. You know, when we started using Radar, it was purely for privacy. Right? And you know, the cyber incidents were still being handled in another way, and we broke off and started using Radar so that we could have some more control over, you know, the end of our part of the incident or those incidents that were just ours. As things have evolved, you know, we’re starting to again see the, like, the interconnectedness of all of these incidents. So it’s not just cyber and privacy.
It’s also fraud. Right?
You’ve got account takeovers where people are going into accounts. Then you’ve got the risk assessment, the systemic risk for the company. Right?
And risk has, you know, their processes. Fraud has its own processes. Privacy has it, and then cyber has theirs. And we do consolidate, and work very closely because there are implications of so many, like you said, you know, cyber incidents that would kick over to privacy if personal information was involved.
You know what? Personal information is involved a lot. Right? Unless it’s pure business resiliency like the, you know, the generator goes down somewhere.
Otherwise, you know, companies have a lot of data. So, you know, we get involved as the privacy office very often in all of these different areas. We very closely collaborate and lean on each other for support and guidance when they are all interconnected.
Well, thank you. That’s really helpful. I think that’s a good segue into what we’re talking about today. And, you know, as we start looking at concepts of, like, materiality. Right? It’s a bit of a newer term. I’d certainly got a lot more exposure with the SEC obligations that have you know, that were announced and they’re now enforced.
What do you see the difference between assessing privacy incidents, what I might call risk of harm to an individual versus cyber incidents, and this concept of materiality? How do they differ?
So, you know, there’s a lot of overlap, and it kind of goes to what does the person want to know outside of Voya? Right? So for the consumer, what does the consumer want to know in terms of how their data is now sitting out on the dark web? Right?
What risks do they need to know about? Is someone going to be able, with the data they’ve gotten, to access their Voya account, their bank account, their, you know, their HSA, you know, whatever it might be? So that’s what, you know, when I think about, you know, what’s gonna be material to the consumer. Right?
And then for the SEC, right, the position or the, you know, the perspective is from the investor. And so, you know, that’s just a different level of, you know, look. That’s what makes up the business of a public company. We have to have our investors’ trust, and they’re ultimately who we respond to.
So it might not be on a personal level.
You know, my data is at issue, my household, my, you know, finances. It is that broader, you know I mean, I’m an investor in the company, and I need the company to succeed.
I need to be able to make an educated decision as to whether I think this company is viable and will give me the returns that I want. So they’re all about money. Right? It’s just who’s gonna care in what circumstance.
Yeah. I’ve noticed one of the core differences that I’ve heard some of our clients mention is that privacy law tends to be somewhat mature and somewhat prescriptive. Right? Risk of harm, what it means, when to notify, when not to notify, etcetera.
But the new cyber laws and this concept of materiality seem a bit more open-ended. In other words, the SEC might say, hey. You need to notify us in the event of a material event within ninety-six hours. But they don’t tell you what a material event is.
Right? That’s different for each organization. Right? Maybe it’s how many records were accessed, how long your systems were down or did they have access to this system or that.
So how do you think about materiality from that perspective and, again, you know, I don’t want you to share anything that you’re uncomfortable sharing. But what would be sort of the main things you would look at to determine whether something is material from a, from, you know, something you might have to disclose?
So I’m first gonna talk about the privacy laws because I do think there was an element of subjectivity built into a lot of the breach notification laws, and that’s why you mentioned the likelihood of harm. And that’s exactly it. Right? How likely is it that there’s going to be that this individual could be harmed?
You’ve got your objective factors. Right? Well, they can log into this account. They can see whatever.
But, you know, there are complaints also. Look. This stressed me out.
And, you know, so what is the definition of harm?
You know, they’ve got the concept of, you know, compromising security, confidentiality.
So, you know, so in my mind, there’s always been a little element of subjectivity in the privacy regulations.
So then, though, you know, the concept of materiality is not new with the SEC. Right? That has been around for decades, which did help companies, helped us when we were putting together ultimately what we deem to be kind of our materiality matrix, and that’s what the SEC has referred to it as for, you know, for a long time.
But then what to think about when you’re dealing with cyber? Companies always had these obligations to file an eight k if there was a material incident that might be important to an investor. But this new cyber regulation has given us a time frame and given us more direction. This is what you need to really think about.
So, you know, so, again, we put together we tried to pull together what really would have an impact on the business, the operations of the business were something to happen, you know, were we to have some sort of cybersecurity incident. So we’ve put together qualitative and quantitative factors. Right? Same thing. Things that, you know, are very easy to measure, things that might happen, and then things that are completely we need to just sit down as a group and talk through it. And do we think that it’s going to be, something that, should at least be a consideration?
That’s interesting. So, you know, you mentioned sort of sitting together as a group and having some sort of a process here. I’m amazed at how many organizations I speak with, very large global banks and public financial services companies, that don’t have that. That, you know, you’ll ask them, well, how do you make this materiality determination?
Who’s in the room? Oh, you know, we all get in the room, and sometimes it’s this person, that person. And then the first question is, well, what did we do last time? Well, I don’t know.
We didn’t document. I don’t know what we did last time. So it sounds like you’ve thought through that. You mentioned, you know, this creation of a materiality matrix.
And I’m curious. Let’s assume there’s a cyber event. You know? And, you know, the SOC’s been notified, and, you know, you realize that something has happened.
What happens next? Like, what do you do, from a process perspective right now?
So, you know the first part is getting you know, once the SOC is notified, getting all the right people in the room, that’s gonna be much broader than just this materiality determination group.
And can I just ask you one question there? Who is in the room? In other words, what role is the
Right? So yeah.
At that initial moment, something has happened, it’s going to be across the company. So it’s going to be, you know, at that point until we realize this we need to evaluate it for materiality.
You know, we need to make that determination.
Incident Response and the Materiality Determination Process
It’s going to be, you know, generally who you think of for an incident response. I mean, you’re gonna have, you know, legal, compliance, obviously, cybersecurity. You’re gonna have general IT. You’re gonna have business resiliency. You’re going to have, you know, it grows and grows as you figure out what’s happening with this event.
Do you now have corporate communications in there?
So corporate communications gets involved. If you know, we’ve got a nice funnel. Right? If, it looks like I mean, let’s just say from a privacy incident, it looks like, you know, someone mismailed something. We’re not gonna get corporate communications involved there. They’re just not. So we have our nice you know, we’ve got a nice road map of, you know, this is when the different areas get pulled in.
So let’s just jump then and say, you know what? This is concerning. So I think that’s really sort of where you’re going. This is concerning.
So those of us, you know, in leadership roles, so it’s going to be me, our CISO.
You know, at this point, we’ll have, you know, our head of operational risk. We will have compliance involved. We may have an audit involved.
You know, and then we’re sitting around and we’re saying this is getting more serious. This you know, we need to actually evaluate it from an eight k perspective. And at that point, we bring in our more corporate attorneys, right, who are part of the disclosure. We’ve got finance involved at that point. Regular cybersecurity incidents, you’re not always gonna be reaching out to the finance team.
But once we bring this eight k team again together, that’s where we start going through our matrix.
Documentation is incredibly important, particularly because the SEC wants the four days from the reasonable, you know, thought that it’s gonna be material. Right? So well, if we meet right now, we say, you know what? It doesn’t meet all of these, you know, elements, factors, whatever you will.
We’re not checking all these boxes. So right now, it’s not material. We’re gonna put it down. We’re gonna put a date on it.
And, you know, at that point, when we are gonna we’re gonna look at it again and make sure that we’ve got the same responses or they might be different. Because at this point, we might determine that it’s material. And at that point, our clock starts to tick. Right?
So because it can change while you’re evaluating a specific incident, it’s really important to document it and date it. Make sure you know who’s been in the room for those decisions.
You mentioned it’s very interesting. We heard that it was IAPP Global last year. I think it was the head of the compliance group of this within the SEC, and she mentioned that and I’ve always heard this from regulators. I don’t think I was surprised it was actually said publicly, but I don’t know if you’d see it in writing.
But it’s almost like it reminds me of fourth-grade math where your teacher’s like Michelle, I’m glad you got the long division question right, but I don’t care if you get it wrong. I just wanna see your work. I wanna know how you got there. That’s almost more important.
And so you mentioned documentation and auditability.
Documenting Incident Management for Regulators
How important is that, in terms of dealing with regulators?
So in my opinion, it is incredibly important because, you know, like, when cyber rules and privacy rules were new years ago, you would just get on the phone with an investigator from a regulator. You’d talk through stuff. Yeah. This is what we did.
This is what we thought. This is the path we went down and this you know, and we went through and looked at the regulation and did this. So that’s in my opinion, not I don’t want that pressure on myself anymore, frankly. You know?
I don’t wanna have to recreate what I sat down in a room and worked through with a lot of different people. And I think, you know, what I’ve learned just dealing with privacy laws and cyber regs, I always think of it as a pretty package. I always wanna be able to give the regulator a pretty package. Here’s our compliance program for this.
Here is what we do in this situation.
And that just makes it a lot, in my opinion, a lot easier instead of trying to recreate in your brain.
And why the decision on this date was different than on this date.
Because I think what they’re looking for is consistency. Right? A consistent, repeatable, defensible process.
And certainly documentation becomes really critical for that.
Yes.
So you’re in a room and you have, you know, this materiality matrix or risk matrix or, you know, whatever, you know, people call it different things.
Anything you can share with me about what goes into that? Like, what would determine a material event within Voya?
You know, does it involve, you know, unauthorized network access to certain systems or how long systems are down or how many records were accessed or financial impact and things like that. Or maybe that’s all. Maybe I’ve covered everything. I don’t know. But what goes into a good materiality matrix?
Well, so you pretty much just covered a lot of it. Right? You’ve gotta have all of those things in consideration.
If it’s a large amount of, you know, of personal information, right, of data, is that gonna kick it into a materiality?
You know, do we need to go and tell the SEC if it’s just we’ve got, you know, a hundred people whose data was leaked? Right?
You know, was accessed unauthorized access or, you know, misemailed might reach the threshold of, you know, having to notify a regulator under a privacy regulation.
But are we going? Did it have a material impact on our operations?
You know, unlikely. But we’re still gonna be going through and weighing like you just said. Is there a financial impact? Well, you know, if we gotta notify a hundred people, the financial impact is, you know, whatever it might be.
Let’s just say it’s, you know, five hundred severity levels to each one.
Exactly. And so it’s all going through, and this is where, you know, it’s subjective. That’s why it’s, you know, material. I mean, that’s, like, the age-old any you know, when you’re litigating any contract, you know, material breaches.
Well, what does material mean? Right? And so that’s where you’ve gotta consider all of these because, on day one, I might see that it’s just a hundred people. Well, if I see, you know, a few days later, it’s actually ten billion people.
And with that data, you know, we’ve seen an uptick in account takeovers.
And now resources are going, and it’s gonna disrupt business, and it’s gonna do whatever. That’s gonna you know, we’re constantly looking at those, you know, at those elements, those factors.
And is it fair to say that yeah? Okay. You have an obligation, say, to notify the SEC within a certain period, but you might have other obligations, third parties, clients, internal escalations, and things like that. So do you track all that in your materiality matrix as well and maybe, you know, assign severity levels for certain things and say if it hits this threshold, we’re gonna go in this direction? Like, how would you manage, and who are those other types of entities that you might have to notify?
So, you know, it is like a tree root that intersects at different places underground, you know, because if we are going to make an eight k determination you know, we’ve got we have all these regulators. Right? I mean, for anyone, I’m assuming, on this call who is familiar with privacy incidents, we now have breach laws in all states, and territories.
You know, this is out there. Then we’ve got multiple ones also to insurance commissioners, you know, that we also have to answer to. So we have all of those that we are keeping track of.
If we, you know, think that this needs to have a specific evaluation for an eight k, you know, determination, and materiality from that SEC perspective, it kicks off, and there will be others, you know, and we’ll bring this group together. And if we’re bringing this group together, that incident has been escalated to members of our executive team. And then, obviously, you know, we have our communication matrices as well. You know, when does it go to the board? Again, being a public company and the responsibilities that boards have for cybersecurity oversight.
So we have pretty we call it our floor. Right? Because we have to notify certain circumstances internally, and then we’ve got our contracts as the floor for our customers and our third parties.
But, you know, that’s if we get to that point. If you know, a lot of this doesn’t pass my smell test not to let, you know, this particular client know about this or this. Right? So that’s why we call it our floor, that, you know, absolutely in this circumstance we’re notifying, chances are you’re getting notified before that.
Because we’ve also got contracts to consider. Right? Like, what have we contractually agreed to do? So there are all these different factors, which I think ultimately is why cyber needs its own lawyer because it might not be, you know, it might not just be involving personal information.
Did you have to change any processes as a result of the new SEC reporting obligation?
Or did you feel like you already had everything pretty well-oiled and it was an easy thing to do at that point? Or was it a catalyst to really looking at things from soup to nuts and reconfiguring, you know, your processes and things like that?
So I think our processes were very well established, but that doesn’t mean that we didn’t have to now make sure we were accounting for the SEC rule.
So it didn’t take the creation of a new process. It took some evolving and massaging of the current process.
You know, when I look at who would have been brought prior to the SEC rule, brought into discussions about cyber, we’re bringing those people in sooner, simply because their input matters as we’re evaluating from a, you know, from a notification perspective to determination to the SEC.
So, you know, but I don’t think you know, it’s not like we had to come up with a whole new incident response process. What also was interesting, though, is that we had a lot more people in the company interested in cyber reporting and evaluations and the like. So I started getting even just legal colleagues who, you know, would be very tangentially involved, but were involved in the corporate, you know, SEC part of our business.
All of a sudden, we’re pinging all the time. I saw this eight k. What do you think about this?
This looks pretty, you know, run of the mill.
So more interest in it, which meant you know? So you’re having more discussions, but I don’t think there were necessarily process changes, or creating new processes.
Okay. Well, thank you. And as we sort of wrap this up, I’m gonna ask you to put on your prognosticator hat and let me know, you know, we have a new administration.
Things might be looked at differently from a regulatory perspective than in the past.
What do you see happening in the next few years, that maybe you thought were gonna happen that aren’t? Or just what would your sort of guidance and advice be of what we’re gonna see over the next few years and other best practices as companies seek to automate and address these types of challenges?
So that is a great question. I am not the best.
You know, my crystal ball is probably just broken. I don’t know what the analogy would be for that.
But I think, in what I’ve seen so far in the different spaces, I think there will be continued scrutiny and regulatory enforcement over cybersecurity.
What I don’t think is that regulations that have been in effect for, you know, a hundred years will be expanded to try to cover new areas that they probably would not have already addressed. You know, when I just think about, you know, Supreme Court justices and the interpretation of laws and evolving and what do you pull out and apply in other areas or what do you, you know, just strictly construe.
I will tell you one surprise for me so far has been the introduction and discussion about a privacy law, at the federal level. I was not expecting that which is why I say my crystal ball is broken. Because when that happened, you know, my thought was we’re not gonna hear anything about this for at least four years, and then it popped up. So I think the best advice, and I’m following it myself, is just to keep your eyes and ears open, because it really is changing.
And I think what people were expecting in our particular area, it’s not necessarily happening that way. Just even in but we’re not, we’re six weeks in, seven weeks in.
So
Okay.
Well, Michelle, thank you so much. It was such a pleasure. I really appreciate your time, and thanks to everybody for joining us. For those of you who found the content informative and might wanna share it with others, we will be sending you a link where you can find it posted on our site. If you’d like to learn more about RadarFirst, just go to radarfirst.com where you can see previous recordings of dozens of other of these privacy collective interviews and conversations.
You’ll find research and other relevant industry content. You can download informative resources like our risk reporting maturity guide, which you can see right here and access from the QR code. And, of course, if you’d like to learn more about RadarFirst at any point in terms of how we can actually help you automate the materiality determination of cyber incidents, just go to radarfirst.com and request a demo.
You can also reach out to both Michelle and myself through these fancy QR codes as well. So thanks to everybody. Michelle, thank you so much. Amazing.
I really appreciate it. Look. I look forward to seeing you at the various conferences that we see each other all the time, and I hope you have a great day. And thank you so much.