What CISOs Need to Know About Materiality

Materiality is a key accounting principle that has become relevant to cybersecurity thanks to a new rule from the U.S. Securities and Exchange Commission (SEC).[1] The regulation aims to accelerate and standardize the way public companies report cyber incidents and their processes for avoiding them. It takes effect for most public companies in December 2023, so it’s important that security teams quickly incorporate the concept of materiality into their daily thinking. Furthermore, as with many such public-company regulations, key stakeholders are likely to begin holding smaller private companies to the same or similar standards. 

The SEC’s New Rules for Cybersecurity Risk Management and Incident Disclosure

The SEC’s new rules can be thought of in two parts, both of which incorporate the concept of materiality. The first part requires companies to disclose material cyber incidents within four days of identification, using SEC Form 8-K (which is used, only when needed, to report material events). The second part adds several requirements to a company’s annual 10-K reports, including cybersecurity risk management, strategy, and governance. A key piece of these requirements is a description of the processes the company has put in place to identify and assess material cyber incidents.

What Is Materiality?

So, what exactly is materiality? Materiality is an assessment of whether certain information — an amount, a transaction, or an error/discrepancy — is important enough to influence decisions someone (such as an investor or lender) might make on the basis of reading the company’s financial statements. It is a fundamental accounting principle that is discussed in many standards by various accounting bodies. Yet, because there are no hard-and-fast rules, determining which transactions or company information are material requires judgement and is situationally dependent. 

A piece of information is considered material if its error or omission would impact a “reasonable user’s” decision-making process. Conversely, items that are too small or unimportant to make a difference are considered immaterial. The litmus test for materiality is whether something is relevant to the readers of financial information, rather than a specific value or definition. The U.S. Supreme Court has affirmed this in several SEC-related decisions.[2] 

Materiality should be evaluated both quantitatively and qualitatively. Quantitative materiality refers to the value of an item or transaction. The size of a transaction relative to the size of a business may be enough to deem it material. For example, if a company with $500,000 in annual revenue took out a new, million-dollar loan, it would be material. If that same company bought a $200 display screen, it is likely immaterial. Qualitative materiality relates to the nature of an item, regardless of its value. In this case, the mere existence, misstatement, or omission of the transaction might affect a reasonable user’s decisions. Examples include fraud and illegal transactions of any amount, and errors or omissions that affect regulatory compliance, loan covenants, or management compensation.

Materiality can apply to information that is disclosed improperly or omitted (if the excluded information would affect a reasonable user’s decisions). If that same $500,000 company recorded the loan at $990,000 instead of $1 million, the error is likely immaterial. However, the company’s failure to record the loan would be a material omission.

The examples above are meant to be obvious, to help illustrate the concept. In reality, determining a company’s unique materiality thresholds requires prudence and careful consideration. Company size, industry, and the nature of the transaction are all key variables. What’s material in one company may be immaterial in another. Even within the same company, materiality filters may change over time as the company grows and changes products or ownership structure.

How CISOs Can Apply Materiality to Stay Compliant

For public companies, the typical “reasonable user” is someone deciding whether to buy, hold, or divest their stock or public debt. Material information, like a cybersecurity breach, can impact an investor’s thinking about a company’s current and future financial outlook. So, assessing materiality for security breaches can require financial acumen from CISOs — and be much more complicated than the previous examples. 

For example, some incidents may raise an immediate financial materiality concern, such as the price demanded in a ransomware attack. Others could have an indirect material impact on the business, such as the loss of credibility from a breach involving customers’ personally identifiable information. 

One goal of the new SEC rule is to alert reasonable users to the material business impact of cyber breaches more quickly so they can consider it in their decision-making processes. This requires the entire security team to apply a materiality filter to all incidents in coordination and collaboration with other areas of the company, most notably the finance department. Can that possibly be done within four days of discovering an incident, given the time and resources required to fully investigate the impact of a breach? Luckily, the SEC recently clarified that the four-day clock starts ticking when the breach has been determined to be material, not when it is first discovered. Regardless, however, a company must establish the parameters for what it considers material —  and the links between systems and data that are tied to material business processes — before it reports new incidents in order to comply with the rules and triage the incidents.

In addition, the rule suggests that materiality must also be applied to serial incidents. This means that a related group of incidents that are material in the aggregate must be reported, even if each individual item is immaterial. In order to do this, a company must be able to link related incidents, either by attacker or by vulnerability.

All of this requires that the concept of materiality must be ingrained into day-to-day security operations and policies.

Another SEC goal is to increase transparency by standardizing the way public companies describe their policies for assessing and managing material cybersecurity risks. The standardization is multilayered: All SEC filers must report the same categories of information and each company must build its own repeatable processes for assessing and reporting on an incident’s materiality. The regulation’s risk management disclosures require security teams to explain how they identify and assess potential cybersecurity risks, as well as any past breaches that might materially impact the company’s financial condition in the future. This requires advance planning, predefining what the company considers material as well as the rules it would follow to assess the materiality of an incident. The CISO will be required to document these processes.

The regulation’s governance disclosure requirements highlight the responsibilities and involvement of company management and its board of directors. This aims to give investors insight into the level of senior managers’ oversight of and accountability for the company’s information systems. Because these disclosures must be certified within the company’s annual 10-K, the entire C-Suite will need to collaborate and rely on the CISO to ensure that the company is compliant. CISOs will be responsible for understanding the concept of materiality and training their staff.

The Bottom Line

The concept of materiality has long been siloed within companies’ accounting and finance teams. New SEC rules regarding disclosure of material cybersecurity incidents have created the need for all areas of the company, especially CISOs, to understand the concept of materiality with regard to cybersecurity and embed it into the design of all their processes. Read more about Mimecast’s governance, risk, and compliance services.

[1] “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission

[2] “Assessing Materiality: Focusing on the Reasonable Investor When Evaluating Errors,” U.S. Securities and Exchange Commission