Imran Khan, CISSP, considers the need for organizations to assess and disclose the material impact of cyber events on their operations and financial health, both to maintain compliance and to ensure best practices are upheld.

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

In 2023, the U.S. Securities and Exchange Commission (SEC) and the New York State Department of Financial Services (NYSDFS) imposed stringent breach notification requirements on financial entities. These rules, such as NYSDFS Part 500’s 72-hour disclosure window and the SEC’s four-day requirement, mark a significant shift in how cybersecurity incidents are reported. More importantly, both regulations demand that companies assess and disclose the material impact of cybersecurity events on their operations and financial health.

The intent is logical, but the execution is far from simple: regulators have not provided a definitive explanation of what constitutes materiality. NYSDFS complicates matters further by calling out “material inadequacies,” creating layers of ambiguity for CISOs, executives and legal teams alike. Given the broad scope of entities under their jurisdiction, establishing a universally applicable definition has proved challenging, necessitating a revised approach.

Material Cybersecurity Events: Current Definitions

Materiality should, in essence, drive risk-based decision-making. As interpretation is left up to the regulated entities, the door is open for subjectivity. Conceptually, this encourages risk awareness. In my practical observation, it often leads to confusion and disjointed responses. Internal dynamics – where security, legal, compliance, finance and IT may operate in silos – only add to the chaos. What should be a cohesive incident analysis turns into a turf war, undermining the goal of transparency and timely response.

What exactly constitutes a material cybersecurity event? Different regulations and regulatory bodies provide varying definitions:

| Law/Regulation | Entities Covered | Materiality Definition Statement |
|---|---|---|
| SEC (U.S.) | Publicly traded companies, financial securities issuers | A cybersecurity event is material if it has a substantial likelihood of influencing a reasonable investor’s decision-making. |
| HIPAA (U.S.) | Organizations handling health data | A breach is material if it poses a significant risk of financial, reputational, or health-related harm to individuals. |
| SCADA | Energy distributors, utilities | Materiality tied to event significance and need for disclosure to authorities or stakeholders. |
| NYS DFS 500 (New York) | Financial institutions regulated by NY DFS | Breach is material if it could reasonably cause financial or reputational harm to the customer, licensee, or others. |
| CIRCIA (U.S., 2022) | Critical infrastructure entities | Material if it results in substantial operational disruption, financial loss, or affects multiple entities. |
| NERC (U.S.) | Operators of bulk power systems | Material impact refers to events that affect reliability of the Bulk Electric System. |
| PSD2 (EU) | Payment service providers | Events are material if they impact transaction integrity or trigger regulatory reporting obligations. |
| CISA EO 14117 (U.S.) | Financial institutions handling restricted transactions | Materiality applies to high-risk transactions that may impact critical infrastructure or sensitive financial systems. |
| CPPA/CCPA (California) | Companies handling California residents’ data | Breach is material if it involves exposure of sensitive data (e.g., SSNs, financials), 500+ individuals, or creates risk of identity theft. |
| DORA (EU, 2025) | Financial services in the EU | Material if the incident disrupts service continuity, causes operational disruption, or impacts clients/markets. |

None of these regulations offer a universal standard; however, cybersecurity professionals can no longer overlook the concept of materiality. Grasping its significance is essential not only for regulatory compliance but also for personal accountability in today’s high-risk environment.

Cautionary Tales

Used here purely as an example, the SEC’s lawsuit against SolarWinds and its former CISO, Timothy Brown, illustrates this shift in accountability. Following a major supply chain breach attributed to Russian hackers, regulators questioned the company’s disclosures and cybersecurity posture. Similarly, Uber’s former CISO Joe Sullivan faced federal charges over the non-disclosure of a breach and a ransom payment.

These landmark cases sent a clear message: cybersecurity failure or concealment is no longer just a reputational risk but may also be a legal one.

Decoding Materiality in the Face of Modern Threats

The 2025 Verizon Data Breach Investigations Report (DBIR) paints a grim picture:

  • 12% of breaches exploited common web vulnerabilities
  • Median ransom payment decreased to $115,000
  • Ransomware was present in 44% of breaches, marking a 37% increase from the previous year
  • 12% of breaches were attributed to miscellaneous errors, such as human errors, misconfigurations and data handling mistakes
  • Social engineering accounted for 17% of breaches, underscoring the importance of user education
  • Incidents involving third parties have doubled, now accounting for 30% of all breaches, underscoring vulnerabilities in supply chains and partner ecosystems

These trends suggest that breaches are not only more frequent but also carry heavier consequences – making the case for clearer materiality assessments even more pressing.

The Solution: Apply Strategic Frameworks to Determine Materiality

To eliminate ambiguity, I advise organizations to take a structured, risk-based approach. Here are some key steps to achieving this:

  • Data Inventory and Classification: Know Your “Crown Jewels” – Understanding what data you possess, where it resides and who can access it is foundational. Track upstream and downstream data flows, enforce access controls and classify data based on sensitivity. Test, catalog and govern backups to retention standards to minimize exposure.
  • Risk Assessment: The Bedrock of Cybersecurity Governance – Make routine risk assessments central to your cybersecurity strategy. Frameworks like NIST CSF provide a solid foundation. Customize a control library that aligns with your industry, technology stack and regulatory requirements to make assessments more relevant and actionable. Supplement risk assessments with threat modeling, penetration testing and tabletop exercises to provide a comprehensive view.
  • Invoke Expert Guidance When Internal Resources Fall Short – I advocate engaging firms that offer specialized insights that your internal teams may lack – especially when navigating regulatory complexities. Ensure clear scopes, defined deliverables and transparency in engagement so such partnerships drive results.
  • Security Culture: Embed Cyber Awareness Across the Enterprise – A risk-aware workforce is a powerful defense. Educate employees on security best practices, privacy requirements and the importance of reporting threats to prevent human error. Refresh training materials regularly to prevent knowledge fatigue and promote engagement.
  • Engage Regulators: Clarify Expectations in Advance – Proactively engaging with regulators fosters trust and provides clarity. Open dialogue ensures that organizations are not blindsided by changes and can adopt best practices in real-time. I leverage industry forums, roundtables and advocacy groups to serve this need.
  • Governance Maturity: Enforce Clarity in Cybersecurity Processes – Document policies for data classification, access controls, incident response and vulnerability management to establish consistency and accountability. Governance should be iterative, reviewed regularly and enforced rigorously.

Materiality Can Be Your Compass

Materiality is not a regulatory checkbox; it’s a core tenet of organizational resilience. Accurate and timely disclosure of cybersecurity events earns stakeholder trust, deters regulatory penalties and ensures operational continuity. Ignoring materiality, or simply misunderstanding its implications, can trigger financial penalties, reputational damage and personal liability for executives.

Ultimately, determining materiality in cybersecurity is not just a compliance necessity; it’s a strategic imperative. Organizations that give due thought to materiality are likely to be better positioned to survive, adapt and lead in today’s hyperconnected world. My opinion is that – however you determine materiality – you should treat it not as a burden, but as a beacon for building a resilient and transparent future.

Imran Khan, CISSP, has over 16 years of experience in financial services, life sciences and healthcare. He has held management and technical roles, with responsibility for risk management, data security, regulatory compliance, audits and application development.
