At the 2021 FAIR Conference (FAIRCON21), Andy Retrum, Managing Director, Global Financial Services Security and Privacy for Protiviti, presented a use case for FAIR™ quantitative cyber risk analysis of ransomware that would both inform senior management and satisfy financial industry regulators that a bank was taking proper steps to ensure resiliency, specifically to prevent customer harm.
Andy Retrum, Protiviti
Retrum (who is also a FAIR Institute Advisory Board member) showed how Protiviti mapped out the threat vector impacting primary and secondary assets:
Then created a ranked list from the map, usable as loss event scenarios for FAIR analysis:
Then created this highly visual executive summary report on analysis findings. As Retrum pointed out, this format gives both senior management and regulators a ready view of ranges of probable loss exposure, helpful for setting risk tolerance levels.
This reporting answers “how can we respond and recover in a more thoughtful way…exactly the discussions the regulators are pushing the financial industry to have,” he said.
“We believe the FAIR methodology is an excellent approach to frame those discussions and not just from a regulatory perspective. When we talk with senior leadership and board members on this topic, they want to talk value. They talk in business terms and what the potential downside is.”