Getting Ahead of Cybersecurity Materiality Mayhem
2024-02-27 21:00:11 Author: securityboulevard.com

One of the great concepts I locked onto when editing the book ‘Cybersecurity First Principles: A Reboot of Strategy and Tactics’ was to “reduce the probability of material impact due to a cyber event over the next three years.” This follows the rule that cybersecurity leaders can only afford to focus on threats that scale. Then, when the Securities and Exchange Commission (SEC) started to talk about materiality, I realized I had been thinking only within the cybersecurity silo rather than taking the broader corporate team perspective.

While the cybersecurity profession has definitions for terms like (cyber) risk, incident, threat and weakness (vulnerability), their meaning shifts once you apply the qualifier “material/materiality.” The definition of “material” for these terms can be vague and may vary depending upon the lens used; for example, SEC reporting versus business continuity planning. Ultimately, definitions must be developed in coordination with legal, financial and corporate disclosure teams, at a minimum.

Note: While much of what I’ll cover is directed at publicly traded companies, I think it is valuable for all organizations. If you end up in a class-action lawsuit after a major cybersecurity event, they might be the tools you need to support your due care/diligence efforts. That said, let me state that I am not a lawyer, so I am not giving legal advice here, and the opinions provided are my own and do not necessarily reflect those of Akamai.

First, standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and International Organization for Standardization (ISO) cybersecurity standards don’t really state when a risk, incident or threat is “material.” Factor Analysis of Information Risk (FAIR) has recently released the Materiality Assessment Model (MAM), designed to assist the cybersecurity professional in reliably quantifying the impact of cybersecurity incidents to support risk disclosure and management. While I think FAIR could be a useful tool, it is isolated in the cybersecurity silo, so it could do more harm than good if you ever have to report a material incident under a different definition developed by the corporate team.

So, how should a company determine materiality? Cases interpreting materiality as defined by the SEC indicate that information is material if there is a “substantial likelihood that a reasonable shareholder would consider it important in making an investment decision” or if it would have “significantly altered the ‘total mix’ of information made available.” Similarly, the generally accepted accounting principles (GAAP) state, “[t]he omission or misstatement of an item in a financial report is material if, in light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item.” Finally, the International Financial Reporting Standards (IFRS) states “information is material if omitting, misstating, or obscuring it could reasonably be expected to influence decisions that the primary users make on the basis of those financial statements.”

These “definitions” do not, unfortunately, provide a clear, quantifiable standard that allows the cyber team to independently determine materiality. Indeed, even risks that the cyber professional would record in their “risk register” as “high” or “critical” would not necessarily be deemed material for SEC disclosure purposes. The materiality determination takes into account financial, business, reputation and other factors in addition to the cyber risk rating. Therefore, we can see where the CISO, CFO, general counsel and other business teams need to partner to document a clear process for determining when cybersecurity incidents and risks would qualify as “material.” This is where we need to blend our processes and create “connective tissue” within the company to ensure cross-functional review and management.

Often, cybersecurity leadership has built risk portfolios based on heat maps or risk dashboards. We need to understand how the company thinks about risk and what it is reporting to the board, as well as what is included as non-cybersecurity material risk factors in the company’s SEC filings. I would encourage leaders to read some of their peers’ 10-K (20-F for foreign issuers) risk statements, as well. In addition, you should be familiar with Form 8-K (6-K for foreign issuers), which could be required within four business days after a company determines that it has a cybersecurity incident qualifying as material.

The bottom line: Cybersecurity leaders must figure out how to differentiate between strategic (material) and tactical threats in a cross-functional manner. This means we need to be able to talk about the company’s business plan, financial results, continuity considerations and legal concerns as well as security concepts like risk appetite, risk tolerance and risk threshold and build a clear definition for cybersecurity materiality.

Source: https://securityboulevard.com/2024/02/getting-ahead-of-cybersecurity-materiality-mayhem/