The plain truth is that many CISOs don't understand materiality. In addition, many organizations have chosen to use a risk lens that downplays the actual risk of an incident, as well as the future cybersecurity-related risks to their shareholders, their customers, and to society. In this essay by ICIT Fellow Malcolm Harkins, readers will learn what cyber materiality is, how to explain cyber materiality to the Board and investors, and the ethical obligations that CISOs face when materiality is impacted by cyber events.
This paper introduces the concept of cyber risk materiality and how it should be presented to Boards of Directors and in financial disclosure documents. The essay also provides a method for tracking and visualizing cyber risk materiality.