Surprisingly, we still sometimes hear that some cyber risk professionals are challenged by their General Counsel and legal department not to quantify their cyber risk, as that might - in their opinion - introduce a liability, driven by the fact of possibly knowing about a problem and not having done enough to address it.
Nicola (Nick) Sanna
Recent Posts
In his recent Senate confirmation hearing, the pressure was on Gary Gensler, the new Administration’s nominee
We were delighted to learn that John Carlin, a friend of the FAIR Institute and a pioneer of risk quantification in the federal government, has been appointed Acting Deputy Attorney General
I want to take a moment to reflect on where the FAIR™ movement stands as we begin the New Year. I believe we are right now at a turning point, headed for far-reaching improvements in cyber risk management
>>DHS/OMB mean well in pushing for a risk-based approach to cybersecurity in the Federal Government, but their requirements fall short of helping agencies effectively prioritize and right-size their cybersecurity investments
Congress created the Cyberspace Solarium Commission, a bipartisan group of lawmakers and cybersecurity experts, to get out ahead of both a “catastrophic cyberattack” and the “millions of daily intrusions disrupting everything
In a recent LinkedIn post, Christine Lagarde, Managing Director of the International Monetary Fund, calls cyber risk not just a top risk but “a significant threat to the financial system” and cites a new IMF study that cyber attacks could already cost banks close to nine percent of net income globally or around $100 billion on average a year.
The National Institute of Standards has released NIST CSF 1.1, the new version of its popular cybersecurity risk framework—it’s filled with strong implications that infosecurity programs should treat risk in cost-effective or economic terms but never quite comes out and states the words “cyber risk quantification.”
This is what a movement looks like. Membership in the FAIR Institute has now passed 3,000, about double the level of a year ago, as cyber risk quantification wins converts across industries
In traditional board of directors committee structure, each of the board’s five main functions (strategy, executive selection and compensation, governance, audit, risk and compliance) is assigned to a different committee, except one: risk, long handled by the audit committee.
