Material Weakness vs Material Risk vs Material Threat vs Material Incident
Concepts of cybersecurity materiality

Controls are the nexus of a cybersecurity and data privacy program, so it is vitally important to understand how cybersecurity and data privacy controls should be viewed from a high-level risk management perspective. This brings up the concept of "cybersecurity materiality" as it pertains to the governance of an organization's cybersecurity and data privacy controls.

With the recent statement on public company cybersecurity disclosures by the US Securities and Exchange Commission (SEC), the concept of cybersecurity materiality has taken on an enhanced sense of importance. The new SEC requirements affect publicly traded companies in two (2) ways:

  1. Periodic disclosures of the company's cybersecurity-related risk management, strategy and governance practices; and
  2. Disclosure of material cybersecurity incidents (disclosure will be via a Form 8-K filing).

It is important to understand that the concept of materiality expands beyond the realm of publicly traded companies. The concept of materiality is important to understanding the health of a cybersecurity and data privacy program: a material weakness crosses an organization's risk threshold by making an actual difference to the organization, where systems, applications, services, personnel, the organization or third parties are, or may be, exposed to an unacceptable level of risk.

The SEC's usage of materiality is intended for external, third-party consumption (e.g., investors) to ensure informed decisions are made. The definitions in this article pertaining to cybersecurity materiality are intended for internal cybersecurity and data privacy governance practices. This intended usage is meant to mature risk management practices by providing context, as compared to generally-hollow risk management statements that act more as guidelines than requirements. Cybersecurity materiality determinations are meant to act as a guard rail for risk management decisions.

Defining Cybersecurity Materiality

Specific to cybersecurity and data privacy, the Secure Controls Framework (SCF) defines a material weakness as:

A deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data protection controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance.

Defining The Criteria To Be Material

In cybersecurity compliance, words have meaning. Therefore, it is important to understand the nuances of the terminology, since material weakness, material risk and material threat are not synonymous. However, since the SEC, Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS) lack specificity in defining the criteria for materiality, organizations have leeway to define it on their own. The lack of an authoritative definition for materiality is not unique, since the concepts of risk appetite, risk tolerance and risk threshold also suffer from nebulous definitions at many organizations.

For an item to be considered material, the control deficiency, risk, threat or incident (singular or a combination) generally must meet one or more of the following criteria where the potential financial impact is:

  • ≥ 5% of pre-tax profit;
  • ≥ 5% of revenue;
  • ≥ 1% of total equity; and/or
  • ≥ 0.5% of total assets.

For a real-world example, in most cases a fine associated with a serious infringement of the EU GDPR would not be considered material, since it would likely not meet the revenue criterion listed above; it could only be material if the fine met the pre-tax profit, total equity or total assets criteria:

  • The less severe infringements could result in a fine of up to €10 million, or 2% of the firm's worldwide annual revenue from the preceding financial year, whichever amount is higher.
  • The more serious infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
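To make the comparison above concrete, here is an added example (not code from the article or from the SCF) that applies the four financial-impact criteria to a candidate loss, using the two GDPR fine tiers as the sample loss. The company figures in it are constructed, not real data; the threshold percentages and fine tiers are the ones stated above.

```python
# Added example, not part of the original article: a materiality screen that applies the
# four financial-impact criteria (>=5% pre-tax profit, >=5% revenue, >=1% total equity,
# >=0.5% total assets) to a candidate loss. The GDPR fine tiers are used as the sample loss.
# All company figures are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Financials:
    """Constructed annual figures for a hypothetical company, in euros."""
    pre_tax_profit: float
    revenue: float
    total_equity: float
    total_assets: float


# Materiality criteria as listed in the article: meeting any one of them is enough.
MATERIALITY_CRITERIA = {
    "pre_tax_profit": 0.05,
    "revenue": 0.05,
    "total_equity": 0.01,
    "total_assets": 0.005,
}

# GDPR maximum administrative fines: fixed cap or percentage of worldwide annual
# revenue, whichever is higher (the article's two tiers).
GDPR_FINE_TIERS = {
    "less_severe": (10_000_000, 0.02),
    "more_serious": (20_000_000, 0.04),
}


def gdpr_max_fine(tier: str, worldwide_revenue: float) -> float:
    """Upper bound of a GDPR fine for the given tier and revenue."""
    cap, pct = GDPR_FINE_TIERS[tier]
    return max(cap, pct * worldwide_revenue)


def materiality_screen(impact: float, fin: Financials) -> dict:
    """For each criterion, whether the impact meets or exceeds the threshold."""
    return {
        name: impact >= pct * getattr(fin, name)
        for name, pct in MATERIALITY_CRITERIA.items()
    }


def is_material(impact: float, fin: Financials) -> bool:
    """An impact is material if any single criterion is met."""
    return any(materiality_screen(impact, fin).values())


def gdpr_fine_materiality(tier: str, fin: Financials) -> tuple:
    """Screen the maximum fine for a tier against the company's own figures."""
    fine = gdpr_max_fine(tier, fin.revenue)
    return fine, materiality_screen(fine, fin)


if __name__ == "__main__":
    # Constructed mid-size company: 10% pre-tax margin.
    mid = Financials(pre_tax_profit=100e6, revenue=1e9,
                     total_equity=400e6, total_assets=1.5e9)
    fine, screen = gdpr_fine_materiality("more_serious", mid)
    print(f"max fine EUR {fine:,.0f} -> {screen} -> material={any(screen.values())}")

    # Constructed large company hit with an actual (not maximum) EUR 50M fine.
    big = Financials(pre_tax_profit=10e9, revenue=50e9,
                     total_equity=100e9, total_assets=300e9)
    print(f"EUR 50M fine -> {materiality_screen(50e6, big)} "
          f"-> material={is_material(50e6, big)}")
```

Two things fall out of running this. Because both GDPR tiers cap at 4% of revenue, the ≥ 5% revenue criterion on its own can never flag a percentage-based GDPR fine, which is the article's point; for the constructed mid-size company the maximum fine is nonetheless material through the pre-tax profit, equity and asset criteria. Fines are "up to" amounts, and the second case shows an actual €50M fine against a large company clearing none of the four thresholds.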

Material Weakness vs Material Risk vs Material Threat vs Material Incident

Material Weakness: A material weakness is a deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data privacy controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance.

  • When there is an existing deficiency (e.g., control deficiency) that poses a material impact, that is a material weakness (e.g., inability to maintain access control, lack of situational awareness to enable the timely identification and response to incidents, lacking pre-production control validation testing, etc.).
  • A material weakness will be identified as part of a gap assessment, audit or assessment as a finding due to one or more control deficiencies.
  • A material weakness should be documented in an organization's Plan of Action & Milestones (POA&M), risk register, or similar tracking mechanism used for remediation purposes.

Material Risk: A risk is a situation where (1) someone or something valued is exposed to danger, harm or loss (noun); or (2) to expose someone or something valued to danger, harm or loss (verb).

  • When there is an identified risk that poses a material impact, that is a material risk.
  • A material risk is a quantitative or qualitative scenario where the exposure to danger, harm or loss has a material impact (e.g., potential class action lawsuit, death related to product usage, etc.)
  • A material risk should be identified and documented in an organization's "risk catalog" that chronicles the organization's relevant and plausible risks.

Material Threat: A threat is (1) a person or thing likely to cause damage or danger (noun); or (2) to indicate impending damage or danger (verb).

  • When there is an identified threat that poses a material impact, that is a material threat.
  • A material threat is a vector that causes damage or danger that has a material impact (e.g., poorly governed Artificial Intelligence (AI) initiatives, nation state hacking operations, dysfunctional internal management practices, etc.).
  • A material threat should be identified and documented in an organization's "threat catalog" that chronicles the organization's relevant and plausible threats.

Material Incident: An incident is an occurrence that actually or potentially (1) jeopardizes the Confidentiality, Integrity, Availability or Safety (CIAS) of a system, application, service or the data that it processes, stores and/or transmits; or (2) constitutes a violation or imminent threat of violation of an organization's policies, procedures or acceptable use practices.

  • When there is an incident that poses a material impact, that is a material incident.
  • A material incident is an occurrence that does or has the potential to (1) affect the CIAS of systems, applications, services or data; or (2) a violation of organizational practices that has a material impact (e.g., malware on sensitive/regulated systems, emergent AI actions, illegal conduct, business interruption, etc.).
  • A material incident should be identified and documented in an organization's Incident Response Plan (IRP) that chronicles the organization's relevant and plausible incidents, so there are appropriate steps in place to identify, respond to and recover from such incidents.

Aligning Risk Appetite, Risk Tolerance & Risk Thresholds With Cybersecurity Materiality

In the context of that definition of cybersecurity materiality, it is important to baseline the understanding of risk management terminology. According to the PMBOK® Guide:

  • Risk Tolerance is the "specified range of acceptable results."
  • Risk Threshold is the "level of risk exposure above which risks are addressed and below which risks may be accepted."
  • Risk Appetite is the "degree of uncertainty an organization or individual is willing to accept in anticipation of a reward."

Figure: risk appetite vs risk tolerance vs risk threshold

From a hierarchical perspective:

  • An organization's risk appetite exists at the corporate level to influence actions and decisions, specifically the organization's strategy. The strategy provides prioritization and resourcing constraints to the organization's various lines of business (LOB).
  • The risk appetite helps define the organization's risk tolerance to influence actions and decisions at the LOB level. Risk tolerance influences objectives, maturity targets and resource prioritization.
  • Risk thresholds affect actions and decisions at the department and team levels. Risk thresholds influence processes, technologies, staffing levels and the supply chain (e.g., vendors, suppliers, consultants, contractors, etc.). Defined risk thresholds provide criteria to assess operational risks that exist in the course of conducting business.

What is important to keep at the forefront of risk management considerations is the material nature of risk, as it pertains to the organization. Risks that have a material impact include, but are not limited to:

  • Confidentiality, Integrity, Availability or Safety (CIAS) of the organization's sensitive/regulated data;
  • Supply chain security;
  • Macroeconomic forces;
  • Socio-political changes;
  • Statutory / regulatory changes;
  • Competitive landscape;
  • Diplomatic sanctions (e.g., taxes, customs, embargoes, etc.); and
  • Natural / manmade disasters (e.g., pandemics, war, etc.).

Use Cases For Cybersecurity Materiality

Use cases for how cybersecurity materiality can benefit cybersecurity and privacy practitioners include, but are not limited to:

  • Control Assessments - using risk tolerance and risk thresholds provides context about how to report the significance of the findings, where material weaknesses in the controls assigned to systems, applications, services, projects, etc. can take on an enhanced sense of urgency.
  • Project/Initiative Planning - identifying "must have" cybersecurity and privacy controls early in the development lifecycle can prevent roadblocks that should halt a project/initiative from going live in a production environment due to material weaknesses. This enables a risk-based justification for funding requirements for the people, processes and technologies necessary to ensure the organization's risk tolerance is met.
  • Third-Party Risk Assessments - depending on the nature of a third party's products/services, that entity's deficiencies can directly or indirectly affect the overall security of your organization. To prevent "hand waving" practices that allow third-party services through without scrutiny, utilizing cybersecurity materiality considerations is a viable way to evaluate whether that third party enables your organization to adhere to its stated risk tolerance.
  • Catalyst for Change & Budget Justification - as a responsible party (e.g., CISO, CPO, etc.) for your organization's cybersecurity and privacy program, being able to identify and designate material weaknesses can be an immensely beneficial tool for change. If material weaknesses are identified by a CISO (or equivalent role), that requires executive-level support. This may equate to forcing technology changes (e.g., good IT hygiene practices, legacy technology refreshes, terminating unsuitable vendor contracts, etc.), process changes (e.g., good hiring practices, terminating unsuitable employees, procurement practice changes, embedding cybersecurity and privacy in project management, etc.) or adequate budget to remediate deficiencies in the cybersecurity and privacy program.

Assessing Controls To Determine Material Weaknesses

Assurance is defined as the grounds for confidence that the set of intended security and privacy controls in a system, application or service are effective in their application. Since assurance is relative to a specific set of controls, defects in those controls affect the underlying confidence in the ability of those controls to operate as intended to produce the stated results. Fundamentally, assurance identifies the level of confidence that a stakeholder has that an objective is achieved, that takes into consideration the risks associated with non-conformity (e.g., non-compliance) and the anticipated costs necessary to demonstrate conformity with the specified controls.

When organizations go through some form of certification process, they undergo a conformity assessment (e.g., ISO 27001, CMMC, SOC 2, PCI DSS, RMF, etc.). Conformity assessments are designed to assure that a particular product, service or system meets a given level of quality or safety. Instead of a 100% pass criterion, conformity assessments rely on the concept of assurance to establish a risk-based threshold to determine whether the intent of the objective(s) has been achieved.

Figure: Control assessments to determine materiality

About The Author

If you have any questions about this, please feel free to reach out. Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.

Nicholas Bakewell, CISSP

Best-selling author of zero books | Keynote speaker at my family's dinner table

1 year

Reading through this in light of the new SEC guidance, I have to think that most companies employing a basic "Low / Medium / High" stoplight risk management program are going to have a large amount of trouble defining what is material. How do you determine if a potential risk outcome is material if you don't have quantitative metrics behind the risk analysis? "A material weakness will be identified as part of a gap assessment, audit or assessment as a finding due to one or more control deficiencies." To the same point, how will a third-party, performing a gap assessment, define material weakness? It is one thing to look at a set of controls from a standard or framework and make an educated determination as to if the organization is implementing them appropriately, but now will the third-party also have to make a materiality determination?

Vincent Scott

CEO, Defense Cybersecurity Group (DCG), FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

1 year

Thanks, Tom, for the write-up on this. Very timely. Is there a source for your potential materiality financial impact? I suspect there is, but I just wanted it for my reference if there was one. I like the way you put that.
