SEC Cybersecurity Compliance - Cybersecurity Materiality

The Securities and Exchange Commission (SEC) recently published its Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, which will force publicly traded companies to adjust their practices for ongoing cybersecurity governance and incident response. The SEC, Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS) lack specificity in defining the criteria for materiality. Therefore, organizations generally have leeway to define it on their own. The lack of an authoritative definition for materiality is not unique, since the concepts of risk appetite, risk tolerance and risk threshold also suffer from nebulous definitions by statutory and regulatory authorities.

How Do You Determine Materiality?

For an item to be considered material, the control deficiency, risk, threat or incident (singular or in combination) generally must meet one or more of the following criteria, where the potential financial impact is:

This materiality determination can be visualized with the following infographic, which includes a callout for publicly traded companies that are required to publicly disclose material cybersecurity incidents:

[Infographic: Determining materiality with the SEC Final Rule on cybersecurity]

Material Weakness vs Material Risk vs Material Threat vs Material Incident

With evolving regulatory requirements for public disclosures, it is increasingly important to understand the nuances between material weakness vs material risk vs material threat vs material incident, since they have specific meanings:

Material Weakness

A material weakness is a deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data privacy controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance.

Material Risk

A risk is a situation where (1) someone or something valued is exposed to danger, harm or loss (noun); or (2) to expose someone or something valued to danger, harm or loss (verb).

Material Threat

A threat is (1) a person or thing likely to cause damage or danger (noun); or (2) to indicate impending damage or danger (verb).

Material Incident

An incident is an occurrence that actually or potentially (1) jeopardizes the Confidentiality, Integrity, Availability or Safety (CIAS) of a system, application, service or the data that it processes, stores and/or transmits; or (2) constitutes a violation or imminent threat of violation of an organization's policies, procedures or acceptable use practices.

Holistic Approach To Cybersecurity Risk Management

In collaboration with the Secure Controls Framework (SCF), ComplianceForge authored a white paper on this subject: Enterprise Risk Management (ERM): Practitioner's Guide To Align Risk Appetite, Risk Tolerance & Risk Thresholds With Strategic, Operational & Tactical Business Planning Activities. The document discusses the SEC Final Rule and explains how to address cybersecurity governance from strategic, operational and tactical perspectives.