Why did FAIR™ (Factor Analysis of Information Risk) emerge as the de facto number-one standard model for cyber, technology and operational risk analysis? No other risk model supports defensible quantitative analysis in the financial terms
The Securities and Exchange Commission recently proposed amendments to its rules that would require reporting on cyber risk in a fast, “consistent, comparable and decision-useful manner,” as SEC Chair Gary Gensler said – a goal that effectively calls for regulated public companies to run a cyber risk management program based on risk quantification
Surprisingly, we still sometimes hear that some cyber risk professionals are challenged by their General Counsel and legal department not to quantify their cyber risk, as that might - in their opinion - introduce a liability, driven by the fact of possibly knowing about a problem and not having done enough to address it.
In his recent Senate confirmation hearing, the pressure was on Gary Gensler, the new Administration’s nominee
We were delighted to learn that John Carlin, a friend of the FAIR Institute and a pioneer of risk quantification in the federal government, has been appointed Acting Deputy Attorney General
I want to take a moment to reflect on where the FAIR™ movement stands as we begin the New Year. I believe we are right now at a turning point, headed for far-reaching improvements in cyber risk management
>>DHS/OMB mean well in pushing for a risk-based approach to cybersecurity in the Federal Government, but their requirements fall short of helping agencies effectively prioritize and right-size their cybersecurity investments
Congress created the Cyberspace Solarium Commission, a bipartisan group of lawmakers and cybersecurity experts, to get out ahead of both a “catastrophic cyberattack” and the “millions of daily intrusions disrupting everything
In a recent LinkedIn post, Christine Lagarde, Managing Director of the International Monetary Fund, calls cyber risk not just a top risk but “a significant threat to the financial system” and cites a new IMF study that cyber attacks could already cost banks close to nine percent of net income globally or around $100 billion on average a year.
The National Institute of Standards has released NIST CSF 1.1, the new version of its popular cybersecurity risk framework—it’s filled with strong implications that infosecurity programs should treat risk in cost-effective or economic terms but never quite comes out and states the words “cyber risk quantification.”