FAIR Institute to Focus on GenAI, 3rd Party Risk, Materiality Disclosure Rules, Risk Management Automation: Nick Sanna’s Keynote to 2023 FAIR Conference
The FAIR Conference has always been a “future-shaping” event for the risk profession, FAIR Institute President Nick Sanna told FAIRCON23 in Washington, DC, October 17 – then delivered a forward-looking welcoming address detailing how the Institute plans to stay out ahead of key trends.
The Institute is kicking off an ambitious research agenda that will focus on four main developments, Nick said:
1. New cyber incident reporting rules from the US Securities and Exchange Commission (SEC) and regulators in Europe and Australia
The regulators’ move to incentivize a risk-based approach to cybersecurity is “a confirmation of the policies we have been advocating for many years,” Nick said. But there is a significant need for education in the risk management profession, for example on how to respond to the SEC’s emphasis on “materiality.” A FAIRCON session introduced the FAIR Materiality Assessment Model (FAIR-MAM), and David Hirsch, the SEC official charged with enforcing the new disclosure rules, was a featured speaker on Day Two of the conference. The Institute also debuted “How Material Is That Hack?”, a web resource for estimating the materiality of recent breaches in the news.
2. Advent of generative AI
Responding to concerns from the membership about the risk vs opportunity of GenAI, about 40% of the FAIRCON23 content covered this topic. The FAIR Institute is launching a new working group on modeling GenAI risk, to provide organizations with a standard taxonomy and analytics model to properly identify, quantify and manage GenAI risk.
3. Third-party Risk
Two-thirds of organizations still do not monitor the cybersecurity and privacy practices of third-party vendors, Nick reported – yet many companies have committed to “digital transformation,” shifting the processing of more data and applications to third parties. Current approaches to managing third-party risk are not scaling. The Institute is developing a third-party risk analysis model, first discussed at a FAIRCON23 session, whose aim is to help organizations automatically analyze third-party risk.
4. Risk Management Automation
Nick said the cyber risk quantification and management (CRQM) market “is accelerating” and moving from more manual, SME-driven, point-in-time estimates to “more automated, continuous, real-time assessments especially when applying FAIR” – exemplified by the merger of RiskLens and Safe Security (now the technical adviser to the FAIR Institute).
New research initiatives at the FAIR Institute
Nick said the Institute is “undergoing a profound transformation… Moving from an organization for networking, sharing best practices, helping one another to advance the industry… but more and more we got the request from our members to accelerate the research into new risk analysis models,” to better address the industry’s challenges with defining and measuring materiality, controls effectiveness, and third-party risk, to name just a few.
Nick also announced that EY has joined the Institute as a sponsor. He was joined onstage by David Burg, EY Americas Cybersecurity Leader.