The Commission responded with 75 recommendations – notably on cyber risk disclosure – that would set a new tone for government, much more in line with the principles of the FAIR Institute and quantitative cyber risk analysis.
For an example of how the Commission has mainstreamed some FAIR concepts, listen to this statement at the launch event for the report, by panel member Chris Inglis, a former deputy director at the National Security Agency.
"With the concept of risk, oftentimes that discussion devolves into a discussion of vulnerabilities, not a terribly useful organizing principle because vulnerabilities absent context may or may not matter…If everything is critical then nothing is critical. You have to consider risk in the context of critical functions and critical dependencies."
(Chris was a speaker at last year’s FAIR Conference on the panel Pen Testing Your Board Pitch.)
“Cyber risk is business risk,” the Commission report states in section 4.4.4. The Sarbanes-Oxley Act of 2002 mandated stricter corporate accountability enforced by the SEC, and in 2018, the SEC issued separate guidance that public companies “may be obligated to disclose” cybersecurity risks.
The Commission proposed amending Sarbanes-Oxley to explicitly account for cybersecurity. That would include
As the FAIR Institute has advocated since 2018, this approach is a mandate for analyzing and managing cyber risk in financial terms. FAIR Institute Chairman Jack Jones said at the time:
"You absolutely need something like FAIR to evaluate the probable frequency and magnitude of future cyber loss events and to generate a quantified view of loss exposure if you’re going to meet this dimension of the SEC's requirements.”
Blog Post: The SEC's New Cyber Risk Disclosure Guidance: Textbook Case for FAIR (March, 2018)
The FAIR Institute applauds this forward-looking approach to cyber risk which leaves behind traditional methods of assessing risk in the cybersecurity profession – “maturity scales” or qualitative ratings – that do not express risk in financial terms and that have failed the test of time.
We’d further recommend that the SEC take a page from the New York Department of Financial Services’ regulations and require that companies specify, and their boards of directors approve, an explicit level of cyber risk appetite and demonstrate how they intend to perform against it. With FAIR analysis, companies routinely define and set risk appetite in the same language used for credit risk: dollars and cents.
Blog Post: Define Your Company’s Appetite for Risk with FAIR Analysis
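To make concrete what “probable frequency and magnitude of future cyber loss events” and a risk appetite stated in dollars look like in practice, here is a small Monte Carlo simulation in the FAIR style. It is an added example written for this post, not code from the Commission, the SEC or the FAIR Institute, and every input in it (the 0.5 events-per-year loss event frequency, the $100k–$10M calibrated magnitude range, the $5M appetite threshold and the 10% tolerance) is a constructed assumption. Annual loss is modeled as a Poisson number of loss events, each with a lognormal magnitude fitted to a 10th/90th percentile estimate; from the simulated years it derives the annualized loss expectancy, a tail percentile, and the probability of exceeding the appetite threshold, which is the check a board would sign off on.

```python
import math
import random
from statistics import mean

Z90 = 1.2815515655446004  # standard-normal quantile for the 90th percentile


def lognormal_params(p10, p90):
    """Calibrated 10th/90th percentile loss range -> (mu, sigma) of a lognormal.

    The geometric midpoint of the range is the median; the half-width in
    log space divided by the z-score gives sigma.
    """
    if not (0 < p10 < p90):
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2          # log of the median
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def poisson(rng, lam):
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(lef, mag_p10, mag_p90, years=10_000, seed=7):
    """Simulate `years` independent years of loss.

    lef is Loss Event Frequency (events/year); each event draws a lognormal
    magnitude calibrated from the p10/p90 range. Returns total loss per year.
    """
    rng = random.Random(seed)          # fixed seed so results are reproducible
    mu, sigma = lognormal_params(mag_p10, mag_p90)
    losses = []
    for _ in range(years):
        events = poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def percentile(values, q):
    """Empirical q-quantile (0 < q <= 1) by rank; no interpolation."""
    s = sorted(values)
    idx = max(0, min(len(s) - 1, math.ceil(q * len(s)) - 1))
    return s[idx]


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def risk_appetite_report(losses, appetite_loss, tolerance):
    """Compare loss exposure with an appetite statement of the form
    'no more than `tolerance` chance of losing more than `appetite_loss`
    in a year' and say whether the exposure sits within it."""
    p_exceed = exceedance_probability(losses, appetite_loss)
    return {
        "ale": mean(losses),                    # annualized loss expectancy
        "p95_loss": percentile(losses, 0.95),   # 1-in-20-year loss
        "p_exceed_appetite": p_exceed,
        "within_appetite": p_exceed <= tolerance,
    }


if __name__ == "__main__":
    # Constructed scenario (assumption): one loss event every two years on
    # average, magnitude between $100k (p10) and $10M (p90); appetite is a
    # 10% tolerance for an annual loss above $5M.
    annual = simulate_annual_losses(lef=0.5, mag_p10=100_000, mag_p90=10_000_000)
    report = risk_appetite_report(annual, appetite_loss=5_000_000, tolerance=0.10)
    for key, value in report.items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

The output is a loss distribution rather than a single number, which is the point: “ALE” alone hides the tail, and the appetite question (“how often do we blow past $5M?”) can only be answered from the exceedance probability. In a real analysis the frequency and magnitude inputs would come from calibrated estimates or loss data, not from the placeholders used here.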
The Solarium Commission also identified failures of the insurance industry to accurately price cyber risk as a major problem holding back progress on cybersecurity and it called for a public-private partnership with insurance companies to bring together data to improve cyber risk modeling.
We’re particularly encouraged by the Commission’s call for
The NIST CSF already references the FAIR model as a best practice for risk analysis and risk assessment, and we take this recommendation as another affirmation that FAIR and cyber risk quantification are increasingly the “innovations in cyber risk modeling” the Commission wants to see to lead the way forward.
Blog Post: NIST Maps FAIR to the CSF - Big Step Forward in Acceptance of Cyber Risk Quantification