Materiality is a legal determination.
But the communications team's read on public reaction is now part of the calculus — and most communications teams have not been trained to make that call.
The SEC's Item 1.05 disclosure requirement defines a specific decision point: whether a cybersecurity incident is material enough to require disclosure within four business days. The legal standard is settled — TSC Industries v. Northway and Basic v. Levinson — but the application to specific cyber incidents is judgment-driven, and the communications team's input on reputational impact has become a routine part of the determination.
That input is consequential. It can move the materiality call in either direction. And it carries professional and legal exposure if it is provided without rigor.
The legal standard
Information is material under TSC Industries if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The Basic v. Levinson refinement clarifies that materiality for contingent or speculative events requires balancing the probability of the event against the magnitude of the impact.
The SEC has signaled — through the rule's adopting release, subsequent staff guidance, and early enforcement actions — that cybersecurity materiality determinations should consider qualitative factors alongside quantitative impact. Customer data exposure. Operational disruption. Regulatory exposure. Reputational exposure.
That last factor — reputational exposure — is where communications input enters the determination.
How cyber incidents map to the standard
The materiality framework for cyber incidents includes several dimensions.
Financial impact. Direct costs — ransom payment, forensic investigation, legal fees, customer notification, regulatory fines. Indirect costs — revenue impact of operational disruption, customer churn, contractual penalties. IBM's Cost of a Data Breach Report provides benchmark figures.
Operational disruption. Duration of service impairment, scope of affected systems, customer-facing versus internal impact, recovery timeline.
Customer data scope. Number of affected individuals, sensitivity of data exposed (financial, health, biometric), regulatory categorization (PII, PHI, GDPR special category), notification obligations triggered.
Regulatory exposure. Sector-specific notification requirements (HIPAA, GLBA, state breach laws, GDPR), enforcement risk, contractual notification obligations.
Reputational exposure. Press coverage trajectory, customer trust impact, partner relationship impact, employee trust impact.
Each dimension contributes to the overall materiality picture. The communications team's primary contribution is the reputational dimension — but the assessment is most useful when it is grounded in observable patterns rather than speculative anxiety.
Where communications input matters
Three specific contributions matter most.
Press coverage trajectory projection. Based on similar prior incidents, what is the realistic press trajectory? Will this incident generate sustained national coverage or a one-day trade press story?
Customer reaction modeling. How will key customer segments react? Will the incident trigger termination clauses in major contracts? Will it drive social media backlash? Will it require a substantive public apology or remediation offer?
Analyst and investor reaction modeling. How will the top five covering analysts frame the incident? Will it lead to a ratings downgrade? Will it become a central question on the next earnings call?





