
Davos Week: Materiality Calls Under Pressure


Companies face mounting scrutiny over how they determine which ESG issues matter most to their business and stakeholders. This article examines three strategic approaches that organizations can take to strengthen their materiality assessments and improve decision-making. Drawing on insights from sustainability and governance experts, these frameworks offer practical pathways for organizations under pressure to demonstrate meaningful impact.

Launch a Parallel Impact Council

The SEC's four-day disclosure rule has essentially turned over our incident communications playbook entirely. Materiality determination isn't a retrospective consideration that comes after technical containment--it's a separate executive track that runs parallel to a technical incident within the first hour. Our playbook now includes a 'materiality council'--a group of leaders from legal, finance, and operations--which is to begin its work at the same time as the technical incident response team. Their job is to immediately model the financial, operational, and reputational consequences of the incident, not wait for the technical forensics report--which is never complete or perfect.

One of the most important tabletop exercises we've ever run was on a minor ransomware incident; nothing exfiltrated that was technically sensitive, but in addition to end-user data heisters, there was the exfiltration of API keys to customer production environments. The key question wasn't about the technical classification of the data; it was about cascading operational disruption. 'Can this knowledge be wielded by an adversary to disrupt our customer's core business operations?' Yes. Materiality determination and client-facing communications began at that time as well. That focus on downstream operational risk for our partners, and not just our own direct financial impact, is where the real ground is being gained.

Kuldeep Kundal, Founder & CEO, CISIN

Adopt Thresholds with Sovereignty Triggers

At Wesson & Co. and Hotel IT Company, we've moved away from the traditional 'Low-Medium-High' severity matrix. As the WEF highlights, cyber resilience today is about the speed of governance, not just the speed of recovery. To help our clients meet the SEC's four-day 'materiality' window, we've adapted our incident playbooks in three ways:

1. Quantitative 'Quick-Look' Thresholds: We no longer wait for a full forensic report to discuss materiality. We've established pre-defined financial triggers. For our professional services clients, we assess materiality against 0.01% of annual revenue or the potential interruption of fee-earner billable hours exceeding a 24-hour window. If we hit that number, the 'SEC-readiness' protocol is triggered immediately, even if the breach isn't fully contained.

2. Qualitative 'Entity-Level' Risk: For our hospitality clients, materiality is often reputational rather than purely financial. We use a decision criterion based on 'Brand Trust Integrity.' If a breach involves unencrypted guest credit card data or PII from high-profile VIP guests, we treat it as material by default. In 2026, a 'reasonable investor' (or a hotel owner) cares more about the long-term loss of guest loyalty than the cost of a few days' downtime.

3. The 'Third-Party Aggregation' Rule: A decisive tabletop scenario for us recently involved a 'Related Occurrences' check. We simulate a scenario where three separate, seemingly minor 'immaterial' phishing attempts occur across different departments. Under the new rules, we now have a specific criterion to aggregate these. If they exploit the same vulnerability, we assess their cumulative impact.

The Decisive Decision Criterion: The one criterion that proved decisive in a real-world event was 'Operational Sovereignty.' The moment we realized a threat actor had achieved persistence in the core Property Management System (PMS), we didn't wait to see if data was exfiltrated. The potential loss of control over the business's 'primary engine' was our materiality trigger. We moved to disclosure discussions within hour six, long before the four-day clock would have even started.

Matt Wesson, CEO & Founder, Wesson & Co

Anchor Decisions on Confirmed Harm Signals

As regulatory expectations around cyber disclosure have tightened, especially under the SEC's materiality rules, the biggest shift I've made to incident communications is moving materiality assessment forward in time and closer to engineering reality. Traditionally, teams would focus first on containment and remediation, then loop in legal and communications later. Today, that sequence no longer works. We've adapted the playbook so that materiality triage begins in parallel with technical response, often within the first hours of an incident. This means having pre-defined criteria, clear ownership, and trusted channels between security, engineering, legal, and leadership before an incident ever happens. One decisive change has been anchoring materiality discussions around impact signals, not speculation.

Instead of asking "Could this become material?" we ask:
- Is there confirmed impact to confidentiality, integrity, or availability of customer or regulated data?
- Is there loss of control over a system that supports revenue, critical operations, or trust?
- Is the blast radius understood or still expanding in ways that affect external stakeholders?

A tabletop scenario that proved especially valuable involved a security control failure rather than a traditional breach: a situation where protections were silently bypassed, but no immediate data exfiltration was confirmed. In a real event, that scenario helped teams recognize that loss of protective assurance itself can be material, even before downstream effects are fully visible. That reframing accelerated executive escalation and reduced debate during a critical window. The key lesson is this: under modern disclosure rules, speed comes from preparation, not certainty. Clear decision criteria, rehearsed cross-functional judgment, and honest communication matter more than waiting for perfect information. In an AI-driven, highly interconnected world, cyber resilience isn't just about stopping incidents; it's about recognizing material risk early and responding with discipline and transparency.

Yash Patel, Senior Security Engineer, Microsoft

Speak Plainly Then State Concrete Facts

Soft words underplay hard facts and erode trust. Stakeholders want plain terms about scale, timing, and impact. If jobs are cut, say how many and when, and state the cost and savings.

If a system failed, say what failed, what was hit, and what has been fixed. Plain talk reduces legal risk and rumor, while vague talk invites doubt. Choose clear words and state the facts now.

Align Messages to the Strictest Clock

Global disclosure rules do not tick at the same pace. A statement that is fine under one code can trigger a filing under another. Market hours, quiet periods, and grace windows also vary by place.

Davos panels and side talks add real-time risk, since remarks can be seen as public disclosure. A master calendar that maps rules to time zones helps time what is said and when. Align your messages to the strictest clock and clear talking points before speaking.

Document Rationale in Real Time

Materiality judgments hold up when the reasoning is written as events unfold. Time-stamped notes, source links, and who was in the room show that care was used. Clear records of options considered and risks weighed prove the call was not reckless.

Short summaries right after meetings beat polished stories written weeks later. Store drafts, emails, and approvals in a single folder with controls. Start the log today and keep it current.

Empower Alternates with Authority and Access

When key leaders travel, material facts still need fast calls. Named alternates with clear limits keep the process from stalling. They need secure access to data rooms, counsel, and the board chair within minutes.

A simple decision tree helps them act without guessing intent. Daily check-ins during Davos keep context fresh and avoid mixed signals. Set the alternates and tools in place before the plane takes off.

Orient Judgments to Investor Relevance

Materiality calls during Davos should rest on what helps investors make decisions. The key question is whether the fact could change a buy, hold, or sell choice. Tie each point to effects on value, risk, cash flow, and timing.

Use simple measures and pre-set thresholds to cut noise and speed action. Make sure internal notes show why the data helps capital move, not just that it is interesting. Set that bar now and act on it.
