What Does Materiality Really Mean in a Cyberattack?

BY Eldon Sprickerhoff

November 14, 2023 | 6 MINS READ

For the Mr. Cooper Group, materiality may have reached its “Taylor Swift” moment

On October 31, 2023, a mortgage and financial services company, Mr. Cooper Group (NASDAQ:COOP), experienced a cybersecurity incident severe enough to necessitate the lockdown of their systems. To comply with recently adopted SEC rules on cybersecurity, Mr. Cooper Group filed an 8-K form, stating that an unauthorized third party had gained access to Mr. Cooper Group’s technology systems.

The new SEC rules require publicly traded companies to disclose material cybersecurity incidents and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact within four business days of being deemed material. The new rule also requires affected companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects from cybersecurity threats and previous cybersecurity incidents.

In compliance with the rule, Mr. Cooper Group reported that they initiated response protocols following the detection of the incident. The mortgage company, however, did not indicate when the unauthorized third party originally gained access to its systems. Mr. Cooper Group also reported that the containment protocol was launched as a precautionary measure to protect the sensitive data of the organization and its clients. This protocol included a complete shutdown of the company’s systems.

Mr. Cooper Group then launched a formal investigation and notified law enforcement. While the investigation was ongoing, the mortgage company shared that, based on the available information, it did not believe this incident would adversely affect its business, operations, or financial results, deeming it non-material.

In the meantime, dozens of people have been posting on social media — including Reddit, TikTok and X (formerly Twitter) — that they’re unable to access the information in their mortgage account, their transactions haven’t been posted, and so on. Some people are hoping that this is a Mr. Robot/Elliot Alderson event and that their mortgages have been dissolved by “friendly” hackers.

All of this begs the question: given that people appear to have been adversely affected, how can the company claim that there is no materially adverse effect? How can this happen?

It looks and smells like ransomware

Let’s start from the beginning. Given the nature of the attack, the most likely explanation is ransomware. However, the ransomware used to gain access into Mr. Cooper Group’s environment most likely relied on sophisticated tactics that are only a distant relative of the methodology employed by opportunistic actors in the past.

Any ransomware attack typically requires a remote attacker to first gain access to an internal machine, usually through malicious code received via an email attachment or a website download. Ransomware deployed in 2017 would typically compromise a single machine. Using that machine as a toehold into the environment, the attacker immediately initiated the encryption process and demanded the equivalent of $500 in Bitcoin (BTC) in exchange for the key to unlock it.

Today’s ransomware uses tactics known best as APTs: Advanced Persistent Threats. Once a single machine has been compromised, the attacker gains a toehold into the environment, quickly spreading the same malicious content throughout every system they can reach. This could include multiple offices and geographies.

The attacker then waits for an especially critical time when IT staff are unlikely to rapidly detect the attack. Usually this is a weekend or, even better, a long holiday weekend.

But October 31, 2023, wasn’t a weekend, it was a Tuesday!

Since Mr. Cooper Group is a mortgage servicer and mortgage payments are typically made on the first day of the month, October 31 and November 1 are particularly critical dates.

The hypothesis of ransomware causing the incident is supported by the fact that many of Mr. Cooper Group’s essential systems were locked down (ostensibly by design) on an auspicious date. The breadth of this incident points to the criticality of 24/7 security monitoring, incident handling and incident response to identify and contain targeted attacks.

How can there be no materiality claimed by Mr. Cooper Group?

The definition of materiality is somewhat nebulous; no single variable adequately defines it. In the context of a cybersecurity incident, the term is used to assess the impact of the incident on many parties: the affected organization and its stakeholders, but also customers, shareholders, and regulatory bodies.

When an affected organization states that an attack does not attain materiality, it means that the organization believes the attack does not have a significant or substantial impact on the organization, its stakeholders, customers, or investors.

There are several reasons why a specific cybersecurity incident may not attain materiality. Note that this list is not exhaustive:

Data Exposure

If the cybersecurity incident did not result in the unauthorized access or exposure of sensitive or financial information, it is less likely to be deemed material. The extent of data lost has not yet been disclosed.

Limited Disruption

If the incident did not significantly disrupt the organization’s operations or services, it may not be considered material. Media report that some of Mr. Cooper Group’s services have been restored — a fact confirmed by various parties on Reddit — which suggests that the disruption is limited.

Timely Response

A prompt and effective response to the incident, such as containment measures which include a deliberate precautionary system shutdown (aka “going dark”), can significantly mitigate potential harm and contribute to the determination of non-materiality.

Minimal Financial Impact

If the incident did not result in significant financial losses, liabilities, or legal repercussions for the organization, it may not be deemed material. Often, a threshold of 0.5% of revenue is used to assess financial impact. Given that Mr. Cooper Group’s annual revenue exceeds $2 billion, it would take a financial impact of over $100 million to reach that threshold — an unlikely event at this point in time.

Regulatory Violations

If the cybersecurity incident did not violate any relevant data protection regulations or industry standards, it may not be considered material. In the coming days, analyses will be performed to confirm Mr. Cooper Group’s compliance with appropriate data protection laws and regulations, including state and federal statutes.

No Significant Customer Impact

If the incident did not lead to widespread harm or loss for customers (including financial losses, identity theft, or other events that could damage their credit score), the event may not reach the level of materiality. Though certain aspects of their website were — and continue to be — inaccessible, Mr. Cooper Group has insisted that there will be no financial impact.

To reassure customers, the mortgage company stated explicitly:
“Rest assured, you will not incur any fees, penalties or negative credit reporting related to late payments as we work to fix this issue.”

Continued Service

The ability to continue some level of service to customers (though perhaps degraded) can mitigate the impact and support the claim that this incident does not meet the criteria for materiality.

So, what does this have to do with Taylor Swift? Just as Ms. Swift suggested, “Players gonna play, and haters gonna hate,” but she is more inclined to “shake it off.”

Given the approach Mr. Cooper Group has taken to address customer concerns and minimize actual damage done, they are attempting to dodge materiality claims and “Shake It Off.”

Well, not quite. For most publicly traded companies, cyber risk still needs to be considered from the perspective of materiality. Failure to comply with material disclosure rules can bear significant implications that are very real, potentially affecting investor confidence and business operations.

As amusing as it might be to be this glib, anyone who has dealt with an ongoing incident understands its gravity. An effective cyber risk management program is critical not only to achieve compliance with the SEC Cybersecurity Rules, but, more importantly, to improve your ability to anticipate, withstand and recover from sophisticated cyberattacks.

Perhaps Mr. Cooper Group can indeed dismiss the critics by adhering to proper incident handling procedures and protocols.

As for their ability to “shake off” the attackers – that, indeed, would deserve a standing ovation.

Eldon Sprickerhoff, Founder and Advisor

Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.