The FAIR Institute Launches “HowMaterialIsThatHack.org” to Help Risk Officers, Shareholders, and Insurance Carriers Assess “Materiality” for High-Profile Hacks
9 AM Tuesday Oct. 17
New FAIR Materiality Assessment Model (FAIR-MAM™) is in line with the new SEC Incident Disclosure rule and showcases its usefulness for the wider community via the launch of its website “howmaterialisthathack.org.”
Washington D.C., October 17, 2023 – Today, at its annual FAIR Conference, the FAIR Institute announced the launch of 'How Material Is that Hack', an online resource dedicated to helping organizations understand and quantify the materiality of recent cybersecurity breaches. The website is based on the FAIR Materiality Assessment Model (FAIR-MAM™) and risk analytics, powered by Safe Security, the Institute’s Founder and Technical Advisor. It was developed in response to the new Cyber rule proposed by the U.S. Securities and Exchange Commission (SEC) that mandates 8-K reporting of material cybersecurity incidents. FAIR-MAM™ is the only standard model to comprehensively define what forms of losses contribute to the measure of materiality in financial terms.
The use of FAIR-MAM in conjunction with a cyber risk quantification solution will allow industry analysts, organizations, and cyber insurance carriers to get a “ballpark” estimate of how “material” a hack can be on a publicly traded company, and enable key stakeholders and executive teams to make informed decisions to decrease overall risk.
‘How Material Is that Hack’ Showcases High Profile Breaches
"The million dollar question here is what is deemed 'material,'" said Nick Sanna, FAIR Institute President and President of SAFE. “Within the FAIR community, there have been numerous inquiries from top beacons of industry regarding the determination of materiality. In response to this, the FAIR Institute is launching an online resource to showcase real-life examples of materiality assessments for recent breaches involving companies such as MGM, Clorox, Caesars, and more over time.”
‘How Material Is that Hack’ provides you with an estimated materiality assessment of recent breaches with relevant loss categories and confidence levels. An estimated materiality assessment range is calculated using the FAIR-MAM model based on publicly available information and modeling assumptions made by researchers at Safe Security, the FAIR Institute Technical Advisor. The first phase of the website will showcase recent breaches such as
- The Clorox Company
- MGM Resorts International
- Caesars Entertainment
- Johnson Controls
- PROG Holdings
It will be continually updated with more data and resources on an ongoing basis.
“Assessing the materiality of a cyberattack - the crux of the SEC incident disclosure regulations - is not straightforward,” said Omar Khawaja, former CISO at Highmark Health, currently VP Security, Field CISO at Databricks and FAIR Institute Board Member. “We’d like to see incident disclosures evolve over time as more analysis is conducted. Decisions made based on incomplete and potentially flawed preliminary data can put enterprise executives in a difficult position with regulators. We believe this resource will be invaluable to organizations as they navigate the complexities of the SEC's incident disclosure requirements.”
What Is FAIR-MAM?
FAIR-MAM™ is an extension of the FAIR risk quantification open standard and provides a more detailed breakdown and description of the categories that contribute to Loss Magnitude, particularly useful for determining when cyber loss exposure becomes a material risk for an organization. It can be used as a template for the creation of a complete cyber loss model, adjustable to the unique asset profile and cost posture of any size company in any industry or geography. Beyond response to a cyber incident, FAIR-MAM, when used with the right risk quantification solution and quality benchmark data, enables organizations to estimate and mitigate their financial risk on an ongoing basis for the top risk scenarios that matter to their business.
"Organizations need a standards-based framework to determine materiality in a defensible way," said Jack Jones. "That's why we developed the FAIR Materiality Assessment Model, which provides a consistent, repeatable, and defensible approach to assessing the materiality of a cybersecurity incident."
Sample report of estimated materiality
How FAIR-MAM Changes the Game
In light of the recent hacks, what would the impact have been if a breached organization had deployed FAIR-MAM before the breach?
- Pre-incident, FAIR-MAM enables an organization to define ‘Materiality thresholds,’ identify Top Cyber Risk Scenarios, quantify the potential Materiality of these risk scenarios, and focus and prioritize the treatment of those risk scenarios that could have the highest material impact on the business.
- Post-incident, FAIR-MAM enables organizations to understand the extent of the potential loss that could occur in the near term as well as over a long tail of several years. The loss drivers in the pre-incident model are updated to produce a revised loss estimate, and that estimate is compared against the predetermined ‘Materiality’ thresholds to decide whether a Form 8-K needs to be filed with the SEC regarding materiality.
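As an added illustration (not part of the press release, and not the FAIR-MAM model itself, whose loss categories and benchmark data are the Institute's own), here is a small Python sketch of the two-step workflow the bullets above describe: loss categories with three-point estimates, a simulated total loss, a materiality threshold set in advance, and a decision that is re-run once post-incident facts replace pre-incident assumptions. The category names, dollar figures, the one-percent-of-revenue threshold and the triangular distribution are all constructed assumptions for the example.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LossCategory:
    """One loss driver with a three-point (low / most likely / high) estimate, in USD millions."""
    name: str
    low: float
    likely: float
    high: float


# Constructed pre-incident scenario (hypothetical figures, not from any real assessment).
PRE_INCIDENT: List[LossCategory] = [
    LossCategory("Incident response", 0.5, 2.0, 5.0),
    LossCategory("Business interruption", 1.0, 8.0, 30.0),
    LossCategory("Legal and regulatory", 0.0, 3.0, 15.0),
    LossCategory("Customer notification", 0.2, 1.0, 3.0),
]


def materiality_threshold(annual_revenue: float, fraction: float = 0.01) -> float:
    """Assumed pre-incident threshold: a fixed fraction of annual revenue (here 1%)."""
    return annual_revenue * fraction


def _draw(rng: random.Random, c: LossCategory) -> float:
    # A category whose loss is already known (low == likely == high) is a point value.
    if c.high == c.low:
        return c.low
    return rng.triangular(c.low, c.high, c.likely)


def estimate_loss_range(categories: List[LossCategory], n: int = 10000, seed: int = 42) -> Dict[str, float]:
    """Monte Carlo total loss; returns the 10th, 50th and 90th percentiles."""
    rng = random.Random(seed)
    totals = sorted(sum(_draw(rng, c) for c in categories) for _ in range(n))
    pct = lambda p: totals[min(n - 1, int(p * n))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def materiality_decision(estimate: Dict[str, float], threshold: float) -> str:
    """Compare the estimated range against the threshold fixed before the incident."""
    if estimate["p10"] >= threshold:
        return "material"          # even the optimistic end of the range exceeds the threshold
    if estimate["p90"] < threshold:
        return "not material"      # even the pessimistic end stays below it
    return "uncertain"             # range straddles the threshold: refine the loss drivers


def update_loss_drivers(categories: List[LossCategory],
                        updates: Dict[str, Tuple[float, float, float]]) -> List[LossCategory]:
    """Post-incident: replace pre-incident assumptions with observed or revised figures."""
    return [LossCategory(c.name, *updates[c.name]) if c.name in updates else c for c in categories]


if __name__ == "__main__":
    threshold = materiality_threshold(annual_revenue=2000.0)   # assumed $2B revenue -> $20M
    pre = estimate_loss_range(PRE_INCIDENT)
    print("pre-incident", pre, materiality_decision(pre, threshold))
    # Constructed post-incident facts: response costs invoiced, interruption losses narrowed.
    post = update_loss_drivers(PRE_INCIDENT, {
        "Incident response": (3.1, 3.1, 3.1),
        "Business interruption": (12.0, 14.0, 18.0),
    })
    est = estimate_loss_range(post)
    print("post-incident", est, materiality_decision(est, threshold))
```

The point of the split between `PRE_INCIDENT` and `update_loss_drivers` is that the threshold and the model structure are decided before anything happens; the post-incident step only changes the inputs, so the comparison that drives the 8-K decision is repeatable and can be shown to a regulator as the same method applied to better data.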
FAIR-MAM is completely flexible as both a financial cost model for known primary losses and a risk model for possible secondary costs. This duality provides a company with wide-ranging defensibility as it assesses total attack costs vis-à-vis the SEC’s materiality guidelines.
About the FAIR Institute
The FAIR Institute is a research-driven not-for-profit organization dedicated to advancing the discipline of cyber and operational risk management through education, standards and collaboration. The driver behind our mission is the breakthrough achieved by FAIR™, the risk taxonomy and quantification standard, key to effective risk management.
Its members - forward-thinking risk officers, cybersecurity leaders and business executives - now exceed 15,000 in over 100 countries, with representation from 50% of the Fortune 1000. The FAIR Institute has been recognized by SC Media as one of the three most influential industry organizations of the last 30 years.
To learn more and get involved visit: www.fairinstitute.org.
FAIR Institute education partners include Arizona University, Boston College, Carnegie Mellon University, Ferris State University, George Mason University, Harvard University, Macquarie University, Pepperdine University, San Jose State University, University of Massachusetts Amherst, Marymount University, Georgetown University, Georgia Southern University, Catholic University of America, University of Tampa, University of Toronto, Virginia Tech, Washington University in St. Louis, University of Wisconsin, Webster University, Seattle Pacific University, Glasgow Caledonian University, and Universidad Andina Simón Bolivar (UASB).