Congress created the Cyberspace Solarium Commission, a bipartisan group of lawmakers and cybersecurity experts, to get out ahead of both a “catastrophic cyberattack” and the “millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system,” as the Commission's recently released report says.
The Commission responded with 75 recommendations – notably on cyber risk disclosure – that would set a new tone for government, much more in line with the principles of the FAIR Institute and quantitative cyber risk analysis.
For an example of how the Commission has mainstreamed some FAIR concepts, listen to this statement at the launch event for the report, by panel member Chris Inglis, a former deputy director at the National Security Agency.
"With the concept of risk, oftentimes that discussion devolves into a discussion of vulnerabilities, not a terribly useful organizing principle because vulnerabilities absent context may or may not matter… If everything is critical then nothing is critical. You have to consider risk in the context of critical functions and critical dependencies."
(Chris was a speaker at last year’s FAIR Conference on the panel Pen Testing Your Board Pitch.)
Solarium Commission Recommendations on Tougher Cyber Risk Disclosure to the SEC under Sarbanes-Oxley
“Cyber risk is business risk,” the Commission report states in section 4.4.4. The Sarbanes-Oxley Act of 2002 mandated stricter corporate accountability enforced by the SEC, and in 2018, the SEC issued separate guidance that public companies “may be obligated to disclose” cybersecurity risks.
The Commission proposed amending Sarbanes-Oxley to explicitly account for cybersecurity. That would include:
- Specifying the metrics for risk assessments, determinations and decisions
- Mandating record-keeping for regular cyber risk assessments
- Requiring that management assess and attest to information risk management plans
As the FAIR Institute has advocated since 2018, this approach is a mandate for analyzing and managing cyber risk in financial terms. FAIR Institute Chairman Jack Jones said at the time:
"You absolutely need something like FAIR to evaluate the probable frequency and magnitude of future cyber loss events and to generate a quantified view of loss exposure if you’re going to meet this dimension of the SEC's requirements."
The FAIR Institute applauds this forward-looking approach to cyber risk, which leaves behind the traditional methods of assessing risk in the cybersecurity profession – “maturity scales” or qualitative ratings – that do not express risk in financial terms and that have failed the test of time.
We’d further recommend that the SEC take a page from the New York Department of Financial Services’ regulations and require that companies specify, and boards of directors approve, an explicit level of cyber risk appetite and demonstrate how they intend to perform against that level. With FAIR analysis, companies routinely define and set risk appetite in the same language used for credit risk: dollars and cents.
Commission Recommendations on Improving and Standardizing Cyber Risk Modeling
The Solarium Commission also identified the insurance industry’s failure to accurately price cyber risk as a major problem holding back progress on cybersecurity, and it called for a public-private partnership with insurance companies to bring together data to improve cyber risk modeling.
We’re particularly encouraged by the Commission’s call for:
- Frameworks and methodologies for accurately pricing cyber risk
- Research on the use of frameworks such as the NIST CSF as requirements for insurance companies offering cheaper premiums
The NIST CSF already references the FAIR model as a best practice for risk analysis and risk assessment, and we take this recommendation as another affirmation that FAIR and cyber risk quantification are increasingly the “innovations in cyber risk modeling” the Commission wants to see to lead the way forward.