Opinion - Materiality in the FSCA / PA Cybersecurity Joint Standard:

  • wynand83
  • Jan 13
  • 4 min read

 

An Old Regulatory Principle in a New Cyber Context.

One of the most important, and most misunderstood, concepts in the FSCA / Prudential Authority Joint Standard on Cybersecurity and Cyber Resilience is materiality. It is frequently referenced, rarely unpacked properly, and often applied incorrectly. When that happens, organisations do not become more resilient; they become noisier, slower, and ultimately riskier.

 

What is often missed is a critical point: materiality is not a new regulatory invention. What is new is how explicitly and operationally it is now applied to cyber security and operational resilience. Understanding this distinction changes how the Joint Standard should be read and applied.

 

Materiality is not a technical concept

 

The first and most common mistake is treating materiality as an "IT severity rating". Materiality under the Joint Standard is not determined by:

 

• CVSS scores
• number of systems affected
• vendor "critical" labels
• security tool alerts
• internal discomfort levels

 

These are inputs, not conclusions. Materiality should be viewed as a prudential and business concept. It asks a fundamentally different question: could this meaningfully affect the institution's ability to deliver critical or important services, protect customers, or meet regulatory objectives?

 

If the answer is yes, the issue is material, regardless of how small or technical it may appear.

 

Materiality has been around for decades

Materiality did not originate in cyber regulation. It has existed for many decades across:

 

• financial reporting
• external auditing
• prudential supervision
• corporate governance
• enterprise risk management

 

Auditors have long assessed whether a misstatement is "material", meaning whether it could influence the judgment of a reasonable user. Prudential regulators have always focused supervisory attention on "material risks", not every conceivable issue. In other words, regulators have always relied on materiality to:

 

• avoid supervisory overload
• focus on what truly matters
• ensure accountability at the right level

 

Cybersecurity did not change this principle. It simply forced regulators to reassert it in a new risk domain.

 

So why did materiality become explicit in cyber regulation?

 

Cyber risk behaves very differently from traditional financial or operational risks. It is:

 

• constant
• high-volume
• technically noisy
• uneven in impact
• capable of escalating rapidly

 

Without materiality, cyber governance collapses into one of two failures:

 

• everything is escalated, overwhelming senior management and boards; or
• nothing is escalated properly, until a critical service fails.

 

By explicitly embedding materiality in the Joint Standard, regulators were sending a clear signal: apply the same disciplined judgment you already use in finance and prudential risk, but now apply it to cyber security and resilience.

 

How materiality is actually assessed

 

Materiality is determined by impact, not inconvenience. Regulators implicitly expect institutions to assess materiality across several dimensions:

 

Impact on critical or important business services

 

If a cyber issue affects services such as:

 

• payments
• claims processing
• policy administration
• client onboarding
• regulatory reporting

 

materiality increases immediately, even if only one system is involved.

 

Potential harm to customers or counterparties

 

Materiality accelerates where customers may experience:

 

• loss of access to funds
• incorrect balances or data
• service delays
• exposure of personal or confidential information

 

Customer detriment is a key prudential concern.

 

Financial soundness and sustainability

 

An issue may be material if it could reasonably result in:

 

• revenue loss
• fraud exposure
• regulatory penalties
• capital or liquidity impact

 

Importantly, smaller institutions are not exempt, and concentration risk often increases materiality.

 

Trust, confidence, and market integrity

 

Cyber events that undermine:

 

• data integrity
• service reliability
• public confidence

 

may be material even if systems are restored quickly. Reputational harm is a legitimate regulatory concern.

 

Reasonable expectation of senior management accountability

 

A simple test applies:

 

Would a regulator reasonably expect senior management or the board to know about this and act? If the answer is yes, the issue is material.

Materiality is context-dependent, by design

The same incident can be material for one institution and non-material for another. For example, a short outage of a system may be trivial in a large, diversified institution but material in a smaller one where that system supports a regulated function.

 

This is intentional. Materiality scales with:

 

• size
• complexity
• service concentration
• substitutability
• systemic relevance

 

It is directly linked to the Joint Standard’s principle of "proportionality".

 

Why organisations still struggle with materiality

 

• Cyber teams were not trained in prudential thinking

Security teams are used to technical severity, not business impact. Without translation, materiality is reduced to tool outputs.

• Poor identification of critical services

When critical and important services are not clearly defined, materiality collapses: either everything is important, or nothing is.

• Fear of regulatory judgement

Over-escalation is often driven by fear. Ironically, flooding boards and regulators with non-material issues reduces focus on what truly matters.

 

Regulators do not expect perfection. They expect reasonable, well-justified decisions.

 

What regulators actually look for

 

When assessing materiality decisions, supervisors focus on:

 

• whether risks were identified
• whether impact was assessed sensibly
• whether thresholds were defined
• whether decisions were documented
• whether accountability was clear
• whether responses were timely and effective

 

A defensible materiality framework matters more than the outcome of any single decision.

 

The point most organisations miss

 

The Joint Standard does not expect institutions to prevent every cyber incident.

 

It expects them to correctly recognise what matters most, and to act decisively when it is threatened. Materiality is the mechanism that makes this possible.

 

Final thought

 

Materiality is not a new idea but rather a long-standing regulatory discipline. What is new is its explicit application to cyber security and operational resilience, where noise is high, judgment is essential, and consequences are immediate.

 

Organisations that understand this:

 

• escalate less noise
• respond faster to real threats
• engage regulators with confidence
• build genuine cyber resilience

 

Those that don’t often look busy, until something truly important fails.

 
 
 

  © 2026 by Specialised Information Security Services. 