What Constitutes a “Material” Security Breach?

Public companies are under rising pressure to report material data breaches to authorities, but many CISOs don’t understand the concept of “materiality,” says Malcolm Harkins.

Many organizations choose to view risk through a lens that downplays the actual impact of a cyber incident to shareholders, customers, and to society at large, Harkins, the Chief Trust and Security Officer for Epiphany Systems (and former Intel CISO), writes in a new paper.

Harkins notes that the U.S. Securities and Exchange Commission (SEC) has proposed new rules governing the cybersecurity obligations of public companies. Among other things, the new rules would require public companies to disclose information on material cybersecurity incidents within four days of determining whether the impact was indeed material.

Meanwhile, President Joe Biden’s administration has released a national cybersecurity strategy that proposes to hold software vendors liable for insecure products.

It’s now more important than ever that CSOs and CISOs understand what constitutes a material breach, Harkins says. Not all material impact is created equal, he writes for the Institute for Critical Infrastructure Technology, a cybersecurity think tank where Harkins serves as a fellow.

“We need to focus and prioritize our material cyber risks,” he writes. “Not only for the events happening today but in our assessments of risks in the future.”

“Materiality by Impact” vs. “Material by Nature”

There are several ways to think about materiality, Harkins writes. “Materiality by impact” means that even a small amount of money can be material if it has a larger impact on the company’s financial statement. For example, if a small amount of money changes a profit into a loss, it is considered material due to its impact.

In addition, some situations are “material in nature,” irrespective of their size and volume, he notes. A situation affecting bank balances might be an example here.

Materiality can be measured in several ways, Harkins adds. In many cases, organizations target a significant balance or line item in their financial reports, then apply a percentage to that number. For example, a material event could affect 2 to 5 percent of total sales, 2 percent of total assets, or 5 to 10 percent of net profit.

But these measures don’t fit every situation. “We have all seen instances where an organization missing forecasts, positively or negatively, impacts earnings per share by pennies, and their stock soars or sinks almost immediately,” he writes. “Calculation of the materiality can be a complex task and requires the use of professional judgment.”

When it comes to cyberattacks, some can have a financial impact, a brand impact, or a societal impact, such as the 2021 attack on Colonial Pipeline that led to temporary fuel shortages in the Southeast.

Some cyberattacks are so huge that they can potentially cause an extinction event, he writes. Other attacks have a huge effect on a company’s brand, cause heavy financial damage, and will take a significant amount of time to recover. The 2015 breach at the U.S. Office of Personnel Management and the 2019 attack on SolarWinds are examples of serious, but not extinction-level, breaches, Harkins suggests.

Less serious are cyberattacks that create operational risk, Harkins notes. These are attacks that organizations can recover from relatively easily. An example would be a phishing attack where credentials are compromised, but attackers gain no access to critical systems or data.

Speaking from Experience

In February 2010, as Harkins was serving as Vice President and General Manager of Information Risk and Security at Intel, the company voluntarily reported a cyberattack to the SEC, possibly the first time a public company had done so. As the Intel executive who handled compliance with Sarbanes-Oxley, the 2002 law that mandated new transparency in financial reports, Harkins considered that the law mandated disclosure.

“I believed we already had an obligation, as a public company, to inform our investors of the potential material risks from this incident,” he writes.

Intel was later praised by many cybersecurity executives for setting the bar for cyber disclosure, he recalls. Other executives were “irritated,” he added. “Over the years, this has culminated in the SEC not only having to take more enforcement action on companies related to cyber risks but has led to the new guidelines for disclosure that reduce the wiggle room that many have used to rationalize an approach to non-disclosure.”

With new SEC rules coming, CSOs and CISOs should renew their focus on materiality, Harkins writes. They should make sure they understand how their applications, IT systems, and data are the cornerstones of materiality assessments, he suggests.

They should also key in on how their information assets can be compromised. “Look for direct and indirect relationships that could cause exposure,” he writes. “Go beyond the attack surface and look at the attack depth that exists. Take the attacker’s point of view.”

Finally, cybersecurity executives should prioritize their risks and automate their responses to cyberattacks, he adds. “Otherwise, your time to contextualize will take too long, and the complexity will be too great.”