Cybersecurity Materiality
Cybersecurity materiality is meant to act as a "guard rail" for risk management decisions. 
Why Is Materiality A Term GRC Professionals Should Be Familiar With?
The concept of materiality is important for understanding the health of a cybersecurity and data protection program. A material weakness is one that crosses an organization's risk threshold: it makes an actual difference by exposing systems, applications, services, personnel, the organization or third-parties to unacceptable risk. Materiality designations help determine what constitutes reasonable assurance that an organization adheres to its stated risk tolerance.
For GRC practitioners, the concept of materiality was traditionally confined to Sarbanes-Oxley Act (SOX) compliance. However, materiality is much broader than SOX and can be applied as part of risk reporting in any type of conformity assessment. A financial benchmark is commonly used to determine materiality. As an example, from a financial impact perspective, for an item to be considered material, the control deficiency, risk, threat or incident (singular or in combination) should meet one, or more, of the following criteria, where the potential financial impact is measured as:
- ≥ 5% of pre-tax income
- ≥ 0.5% of total assets
- ≥ 1% of total equity (shareholder value); and/or
- ≥ 0.5% of total revenue.
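The four benchmarks above are a decision rule, so they can be applied mechanically to a quantified risk register. The following Python is an added example, not part of the original page: it computes each benchmark amount from a set of constructed financials, reports which benchmarks an estimated impact crosses, and, because the text says materiality can arise from items "singular or in combination", searches for the smallest combinations of individually sub-threshold items whose summed impact becomes material. The financial figures, the risk item names and their loss estimates are all constructed for illustration, and adding impacts together is a simplifying assumption (real loss scenarios may overlap or compound).

```python
"""Materiality threshold check against the four financial benchmarks."""
from dataclasses import dataclass
from itertools import combinations

# Benchmark fractions from the text, expressed in basis points so that
# threshold amounts are computed with exact integer arithmetic.
BENCHMARKS_BP = {
    "pre_tax_income": 500,   # >= 5%
    "total_assets": 50,      # >= 0.5%
    "total_equity": 100,     # >= 1%
    "total_revenue": 50,     # >= 0.5%
}


@dataclass(frozen=True)
class Financials:
    """Whole-currency-unit figures taken from the financial statements."""
    pre_tax_income: int
    total_assets: int
    total_equity: int
    total_revenue: int


def benchmark_amounts(fin: Financials) -> dict[str, int]:
    """Currency amount at which each benchmark is met."""
    return {name: getattr(fin, name) * bp // 10_000 for name, bp in BENCHMARKS_BP.items()}


def materiality_threshold(fin: Financials) -> int:
    """Lowest benchmark amount: any impact at or above it meets at least one criterion."""
    return min(benchmark_amounts(fin).values())


def breached_benchmarks(fin: Financials, impact: int) -> list[str]:
    """Names of the benchmarks that an estimated impact meets or exceeds."""
    return [name for name, amount in benchmark_amounts(fin).items() if impact >= amount]


def is_material(fin: Financials, impact: int) -> bool:
    return bool(breached_benchmarks(fin, impact))


def minimal_material_combinations(fin: Financials, items: dict[str, int],
                                  max_size: int = 3) -> list[tuple[str, ...]]:
    """Smallest sets of items whose summed impact is material.

    A combination is skipped if a smaller subset of it is already material,
    so the result lists only the minimal groupings worth escalating.
    """
    threshold = materiality_threshold(fin)
    found: list[tuple[str, ...]] = []
    for size in range(1, max_size + 1):
        for combo in combinations(sorted(items), size):
            if any(set(prev) <= set(combo) for prev in found):
                continue
            if sum(items[name] for name in combo) >= threshold:
                found.append(combo)
    return found


# Constructed sample organization (hypothetical figures).
SAMPLE_FIN = Financials(
    pre_tax_income=40_000_000,
    total_assets=500_000_000,
    total_equity=200_000_000,
    total_revenue=300_000_000,
)

# Constructed loss estimates for hypothetical risk register entries.
SAMPLE_ITEMS = {
    "unpatched_vpn": 900_000,
    "no_mfa_admins": 800_000,
    "vendor_dpa_gap": 200_000,
    "ransomware": 4_000_000,
}

if __name__ == "__main__":
    print("benchmark amounts:", benchmark_amounts(SAMPLE_FIN))
    print("threshold:", materiality_threshold(SAMPLE_FIN))
    for name, impact in SAMPLE_ITEMS.items():
        print(f"{name}: material={is_material(SAMPLE_FIN, impact)}",
              breached_benchmarks(SAMPLE_FIN, impact))
    print("minimal material combinations:",
          minimal_material_combinations(SAMPLE_FIN, SAMPLE_ITEMS))
```

With the sample figures the threshold is the revenue benchmark (1,500,000). Neither the VPN nor the MFA deficiency is material on its own, but together they are, which is exactly the "combination" case the criteria allow for and the reason a risk register should be reviewed in aggregate rather than entry by entry.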
Cybersecurity Materiality Considerations
There is more to materiality than simply defining a financial value, since there are material implications for controls, risks, threats and incidents:
- Material Control. When the deficiency, or absence, of a specific control poses a material impact, that control is designated as a material control. A material control is such a fundamental cybersecurity and/or data protection control that:
- It cannot be offset by compensating controls; and
- Its absence, or failure, exposes the organization to such a degree that it could have a material impact.
- Material Risk. When an identified risk poses a material impact, that is a material risk.
- A material risk is a quantitative or qualitative scenario where the exposure to danger, harm or loss has a material impact (e.g., significant financial impact, potential class action lawsuit, death related to product usage, etc.); and
- A material risk should be identified and documented in an organization's "risk catalog" that chronicles the organization's relevant and plausible risks.
- Material Threat. When an identified threat poses a material impact, that is a material threat.
- A material threat is a vector that causes damage or danger that has a material impact (e.g., poorly governed Artificial Intelligence (AI) initiatives, nation state hacking operations, dysfunctional internal management practices, etc.); and
- A material threat should be identified and documented in an organization's "threat catalog" that chronicles the organization's relevant and plausible threats.
- Material Incident. When an incident poses a material impact, that is a material incident.
- A material incident is an occurrence that does or has the potential to:
- Jeopardize the Confidentiality, Integrity, Availability and/or Safety (CIAS) of a system, application, service or the data that it processes, stores and/or transmits with a material impact on the organization; and/or
- Constitute a violation, or imminent threat of violation, of an organization's policies, standards, procedures or acceptable use practices that has a material impact (e.g., malware on sensitive and/or regulated systems, emergent AI actions, illegal conduct, business interruption, etc.).
- Reasonably foreseeable material incidents should be documented in an organization's Incident Response Plan (IRP) that chronicles the organization's relevant and plausible incidents, so there are appropriate practices to identify, respond to and recover from such incidents.
- Material Weakness. A material weakness is a deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data protection controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance.
- When there is an existing deficiency (e.g., control deficiency) that poses a material impact, that is a material weakness (e.g., inability to maintain access control, lack of situational awareness to enable the timely identification and response to incidents, etc.).
- A material weakness will be identified as part of a gap assessment, audit or other form of assessment as a finding due to one (1), or more, control deficiencies. A material weakness should be documented in an organization's Plan of Action & Milestones (POA&M), risk register, or similar tracking mechanism for remediation purposes.
Use Cases For Leveraging The Concept of Cybersecurity Materiality
Use cases for how "cybersecurity materiality" can benefit cybersecurity and data privacy practitioners include, but are not limited to:
- Control Assessments. Using risk tolerance and risk thresholds provides context about how to report the significance of the findings, where material weaknesses in the controls assigned to systems, applications, services, projects, etc. can take on an enhanced sense of urgency.
- Project/Initiative Planning. Identifying "must have" cybersecurity and data privacy controls early in the development lifecycle surfaces, before go-live, the material weaknesses that would otherwise have to halt a project/initiative from entering a production environment. This enables a risk-based justification for funding the people, processes and technologies necessary to ensure the organization's risk tolerance is met.
- Third-Party Risk Management (TPRM). Depending on the nature of a third-party's products/services, that entity's deficiencies can directly or indirectly affect the overall security of your organization. To prevent "hand waving" practices that let third-party services through without scrutiny, applying cybersecurity materiality considerations is a viable way to evaluate whether that third-party allows your organization to adhere to its stated risk tolerance.
- Catalyst for Change & Budget Justification. As the responsible party (e.g., CISO, CPO, etc.) for your organization's cybersecurity and data privacy program, being able to identify and designate material weaknesses is an immensely beneficial tool for change. A material weakness identified by the CISO (or equivalent role) requires executive-level support to remediate. This may equate to forcing technology changes (e.g., good IT hygiene practices, legacy technology refreshes, terminating unsuitable vendor contracts, etc.), process changes (e.g., good hiring practices, terminating unsuitable employees, procurement practice changes, embedding cybersecurity and data privacy in project management, etc.) or an adequate budget to remediate deficiencies in the cybersecurity and data privacy program.