Continuous Materiality Determination
Continuous Materiality Determination in the context of cybersecurity is the ongoing, iterative process used by an organization, particularly its management and board, to assess whether a cybersecurity risk or incident is significant enough to impact a reasonable investor's decision-making or significantly alter the total mix of information available to stakeholders. This process requires constant vigilance and judgment, not just a one-time check, due to the dynamic nature of cyber threats.
Key Aspects and Rationale
The concept of materiality in this context is drawn from federal securities law and applies to both cybersecurity risks and cybersecurity incidents.
Continuous Nature: The determination must be ongoing for both existing and emerging risks and for incidents as they unfold. For example, a series of seemingly minor, individually immaterial incidents—such as continuous, related low-level attacks by the same malicious actor—must be continually assessed to see if they are material in the aggregate.
Prompt Judgment: For a cybersecurity incident, a determination of materiality must be made "without unreasonable delay" following discovery. The process cannot wait until a full forensic investigation is complete if the company has sufficient initial information to make the judgment.
Focus on the Reasonable Investor: The fundamental test is whether the information—if misstated or omitted—would likely influence a reasonable investor's decision to buy, sell, or hold a company's securities.
Factors for Determination
Continuous Materiality Determination requires an objective analysis of both quantitative and qualitative factors, as a financial threshold alone is often insufficient for cyber events.
Quantitative Factors
These involve measurable financial impacts, which are often used as preliminary thresholds but are not dispositive.
Direct and Indirect Costs: The cost of remediation, investigation, system fortification, legal fees, and potential regulatory fines.
Financial Impact on Operations: Changes to forecasted revenues, expenses, profitability, and cash flows resulting from the incident.
Asset or Revenue Proportions: Metrics such as the impact relative to a given percentage of pre-tax income, total assets, or total revenue.
Qualitative Factors
These relate to the nature and context of the event, regardless of immediate financial cost, and often hold greater weight in cybersecurity.
Type of Information Compromised: The theft or exposure of trade secrets, intellectual property, or a large volume of sensitive/regulated data (e.g., customer, employee, or financial data).
Operational Disruption: The impact on core business functions, continuity, or the integrity of financial reporting systems.
Reputation and Relationships: Harm to the company’s reputation, loss of customer confidence, or damage to relationships with key third-party vendors, suppliers, or regulators.
Threat Actor and Systems: The sophistication of the attacker (e.g., a nation-state) or the criticality of the compromised systems (e.g., "crown jewels" or key operational technology).
Contradiction of Prior Statements: Whether the incident suggests a security flaw that contradicts prior public statements or representations made to customers or investors about the company's security posture.
This continuous determination process ensures that organizations can meet their disclosure obligations, such as the requirement for public companies to disclose a material cybersecurity incident on a Form 8-K within four business days of the determination.
The concept of Continuous Materiality Determination requires an organization to constantly assess the significance of cybersecurity risks and incidents, particularly concerning their potential impact on investors and public disclosure obligations. ThreatNG, as an external attack surface management (EASM) and digital risk protection (DRP) solution, provides the crucial external, unauthenticated intelligence necessary to power this continuous determination process.
Powering Continuous Materiality Determination with ThreatNG
ThreatNG directly supports Continuous Materiality Determination through its core functions:
External Discovery and Continuous Monitoring
ThreatNG performs purely external unauthenticated discovery to map an organization's digital footprint, mirroring an attacker's view. This external discovery is the foundation for continuous monitoring, ensuring that as soon as a new asset, such as an unknown staging subdomain, appears online, it is brought under assessment.
Example of ThreatNG Helping: An organization has a policy stating that any exposure of critical data is material. ThreatNG's Continuous Monitoring detects a newly deployed, unauthenticated development server that was missed by internal scanning. This new server, dev-test.mycompany.com, immediately becomes subject to external assessment, preventing a potential material exposure event from remaining unknown.
External Assessment (Security Ratings)
ThreatNG's A-F security ratings provide a continuous, objective measure of risk that directly correlates to potential materiality factors.
Data Leak Susceptibility: This rating is highly relevant to materiality, as it uncovers external digital risks like Cloud Exposure (exposed open cloud buckets), Compromised Credentials, and Externally Identifiable SaaS applications. The sudden exposure of an open cloud bucket containing thousands of customer records, causing the Data Leak Susceptibility rating to drop from 'A' to 'F', would be a strong indicator of a material incident.
Brand Damage Susceptibility: This rating is key to assessing the qualitative materiality factor of reputational harm. It is based on findings such as ESG Violations (e.g., consumer protection offenses) and Negative News. A sudden spike in ESG violations or negative news related to a security flaw could signal a material reputational risk even before a financial impact is calculated.
Cyber Risk Exposure: This score captures general external operational risks by focusing on issues like Sensitive Code Discovery and Exposure (code secret exposure) and missing DMARC/SPF records. The discovery of a leaked private key via code exposure on an external-facing asset, leading to a critical drop in this rating, would signal a material operational risk because it exposes a key component of the infrastructure to compromise.
Investigation Modules
The investigation modules allow security and legal teams to rapidly gather the detailed context needed to make a materiality judgment "without unreasonable delay".
Sensitive Code Exposure: If an incident involves intellectual property (a key qualitative factor), this module is crucial. It discovers public code repositories and looks explicitly for Security Credentials (e.g., PGP private key block, RSA Private Key) and Configuration Files.
Example of ThreatNG Helping: Following an alert, a security analyst uses the Sensitive Code Exposure module to quickly confirm the exposure of the organization's proprietary application source code, including a hardcoded AWS Access Key ID. This theft of trade secrets and the compromise of a critical infrastructure credential immediately establishes the event as material and requiring prompt disclosure.
Sentiment and Financials: This module provides direct context for materiality by monitoring Publicly Disclosed Organizational Related Lawsuits, Layoff Chatter, and SEC Filings.
Example of ThreatNG Helping: The Sentiment and Financials module highlights a new SEC Form 8-K filing from a competitor that discloses a similar cyber incident and the resulting financial impact. This contextual information helps the organization use the competitor's disclosure as a benchmark to determine the materiality of its ongoing, similar incident.
Intelligence Repositories
The DarCache repositories provide the contextual intelligence for risk prioritization, ensuring focus on likely material threats.
DarCache Vulnerability: By combining NVD (severity) with KEV (actively exploited) and EPSS (likelihood of exploitation), the organization can differentiate a non-material, low-impact vulnerability from a material, high-risk vulnerability that is actively weaponized in the wild.
Example of ThreatNG Helping: An internally detected vulnerability is initially deemed non-material. However, DarCache KEV confirms that the vulnerability is now on the list of known exploited vulnerabilities, and DarCache eXploit provides a direct link to a verified Proof-of-Concept exploit. This change in context elevates the risk from non-material to potentially material, given the high likelihood of immediate, proven exploitation.
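The re-evaluation described above can be expressed as a small triage routine. The following Python is an added illustration for this page, not ThreatNG code; the tier names, the EPSS and CVSS thresholds, the field names of the vulnerability record and the sample CVE placeholder are all constructed assumptions. It folds NVD severity, KEV listing, EPSS likelihood, exploit availability and asset criticality into a triage tier, then re-runs that triage after every context change so that the moment a finding crosses from "non-material" into territory that demands a materiality review is recorded with the update that caused it.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class VulnContext:
    """External context gathered for one vulnerability on one asset (assumed fields)."""
    cve_id: str            # tracking identifier (placeholder value in the sample below)
    cvss_base: float       # NVD severity: CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool           # listed in CISA KEV, i.e. exploitation confirmed in the wild
    poc_available: bool    # a verified public proof-of-concept exists
    crown_jewel: bool      # affected asset is a critical ("crown jewel") system

# Assumed policy thresholds for this illustration; a real policy sets its own.
EPSS_HIGH = 0.5
CVSS_HIGH = 7.0

def triage_tier(v: VulnContext) -> str:
    """Map context to 'non-material', 'review' or 'potentially-material'.

    'potentially-material' means the finding must be handed to the materiality
    determination process promptly; it is not itself a materiality decision,
    which management makes on all quantitative and qualitative factors.
    """
    exploited_or_likely = v.in_kev or v.epss >= EPSS_HIGH
    if exploited_or_likely:
        # Proven or likely exploitation: escalate when the asset is critical,
        # the severity is high, or a working exploit is already public.
        if v.crown_jewel or v.cvss_base >= CVSS_HIGH or v.poc_available:
            return "potentially-material"
        return "review"
    if v.poc_available or v.cvss_base >= CVSS_HIGH:
        return "review"
    return "non-material"

Update = Tuple[str, Dict[str, object]]   # (label, field changes)

def apply_updates(initial: VulnContext, updates: List[Update]) -> VulnContext:
    """Fold a sequence of context changes into the latest context."""
    current = initial
    for _label, changes in updates:
        current = replace(current, **changes)
    return current

def reassess(initial: VulnContext, updates: List[Update]) -> List[Tuple[str, str, str]]:
    """Re-run triage after every context change.

    Returns (update_label, old_tier, new_tier) for each change that moves the
    tier: the audit trail a continuous determination needs.
    """
    current, tier, transitions = initial, triage_tier(initial), []
    for label, changes in updates:
        current = replace(current, **changes)
        new_tier = triage_tier(current)
        if new_tier != tier:
            transitions.append((label, tier, new_tier))
            tier = new_tier
    return transitions

# Constructed sample: a medium-severity flaw on a non-critical asset that is
# initially judged non-material, then gains a KEV listing and a verified PoC.
SAMPLE = VulnContext("CVE-0000-00000", cvss_base=6.5, epss=0.02,
                     in_kev=False, poc_available=False, crown_jewel=False)
UPDATES: List[Update] = [
    ("epss-refresh", {"epss": 0.12}),           # still below threshold: no change
    ("kev-listing", {"in_kev": True}),          # exploitation confirmed in the wild
    ("poc-verified", {"poc_available": True}),  # working exploit now public
]

if __name__ == "__main__":
    print("initial tier:", triage_tier(SAMPLE))
    for label, old, new in reassess(SAMPLE, UPDATES):
        print(f"{label}: {old} -> {new}")
```

The point of keeping the transition log rather than only the latest tier is that it documents when the organization had the information that should have started a materiality assessment, which is what the "without unreasonable delay" standard turns on.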
Complementary Solutions
ThreatNG's external intelligence seamlessly feeds information to solutions that manage the internal disclosure and response process required for a materiality determination.
Legal and GRC Platforms: ThreatNG’s External GRC Assessment provides direct mapping of external findings (e.g., a data leak) to compliance frameworks such as GDPR, HIPAA, and NIST CSF. This data can be pushed to an organization’s GRC platform to flag a severe compliance gap automatically.
Example of ThreatNG and Complementary Solutions: ThreatNG detects that the organization's customer chat service, identified via Subdomain Intelligence as hosted by Zendesk, has missing security headers, contributing to the Web Application Hijack Susceptibility rating. ThreatNG sends this finding, along with its specific mapping to NIST CSF controls, to the GRC platform. The GRC platform then correlates the NIST CSF finding with the internal policies on customer data protection, accelerating the determination that this lapse in third-party security oversight presents a material risk to continuous compliance.
Incident Response (IR) Platforms: ThreatNG's Dark Web Presence and Ransomware Groups and Activities intelligence provides the context needed to assess the sophistication of a threat actor (a key qualitative factor for materiality) early in an investigation.
Example of ThreatNG and Complementary Solutions: During an ongoing breach investigation, the IR team finds initial evidence that points to a specific threat actor. ThreatNG's DarCache Ransomware is cross-referenced, confirming that the threat actor is one of the tracked 70+ Ransomware Gangs (e.g., LockBit). This context—that the attack is from a known, persistent, and successful criminal enterprise—is fed to the IR platform, which uses this high-confidence information to support the legal team's internal determination that the incident is material due to the severe and proven nature of the threat actor involved.