Cybersecurity Materiality & Key Controls

Posted by ComplianceForge Support on Nov 04, 2024

There is a "materiality ecosystem" that exists within modern cybersecurity risk management discussions. The process begins with determining what constitutes materiality for an organization. This is organization-specific and is primarily based on a clearly-defined financial threshold. It is common practice for companies to identify "key controls" to help prioritize cybersecurity efforts, and a worthwhile exercise is to evaluate those key controls from a materiality perspective. That evaluation may confirm the accuracy of the concept of key controls or it may require changes. Either way, this activity should be part of due diligence and due care in GRC operations.

Defining materiality is an executive leadership determination, not a cybersecurity determination. Often, cybersecurity teams incorrectly hypothesize what “should be material” through the myopic perspective of the cybersecurity department. However, those cybersecurity-led definitions are often incorrect and are not material to the organization, much to the frustration of legal counsel, who sometimes have to reprimand cybersecurity practitioners for incorrectly labeling incidents as material. For example, while a $5 million incident may appear material (i.e., it is a significant sum), that financial amount may not come close to the actual materiality threshold for a prosperous organization.

This graphic can be downloaded from: https://complianceforge.com/content/pdf/guide-risk-vs-threat-vs-vulnerability-ecosystem.pdf

[Graphic: Cybersecurity risk vs vulnerability vs threat]

Once the materiality threshold is clearly defined, it then requires a look at an organization’s risk and threat management practices to identify those specific risks and threats that could lead to a material incident. Ideally, this means reviewing established risk and threat catalogs to identify known risks and threats that have material implications.

In the end, the due diligence activities performed to define material risk and material threats assist with broader incident response operations. This prior work assists the organization in defining material incidents, or at least pre-determined criteria associated with incidents, that would elevate incident response activities to the proper organizational leadership, due to the existence of a material incident (e.g., external reporting requirements, reputation damage control, etc.). Incident triage is not the correct time to develop incident threshold categories to determine materiality, given requirements such as the US Securities and Exchange Commission (SEC) requirement that public companies disclose material incidents within 72 hours.

You can learn more about cybersecurity risk management and materiality here: https://complianceforge.com/grc/cybersecurity-risk-management-materiality/