What’s ‘Material’ Cyber Risk? FAIR Conference to Answer Big Question of New SEC Disclosure Rules

Nothing has pushed cyber risk quantification (CRQ) more front and center than the release of new rules from the Securities and Exchange Commission (SEC) on cyber risk disclosure – and the concern and confusion around what’s a material cyber risk. 

FAIRCON23, the leading conference for quantitative cyber risk analysis, coming October 17-18 in Washington, DC, will tackle the issue head-on with expert panelists, including the SEC’s cyber enforcement chief, David Hirsch.  

Also on the agenda: Introducing the new FAIR Materiality Assessment Model (FAIR-MAM™), the only standard taxonomy to comprehensively define what forms of losses contribute to the measure of materiality in financial terms.

FAIR Conference Events

Roundtable Discussion: How to Get Ready for the New SEC Rule on Cybersecurity

Wednesday Morning, October 18

>>Moderator: Kim Nash, Deputy Bureau Chief, The Wall Street Journal

>>David Hirsch, Chief of the Crypto Asset and Cyber Unit, Division of Enforcement, SEC

>>Kurt John, Chief Security Officer, Expedia Group

>>Richard Borden, Cybersecurity and Privacy Partner, Frankfurt, Kurnit, Klein, & Selz

 

Presentation: Introducing FAIR-MAM™ - A Comprehensive Approach to Loss Modeling in FAIR™

Wednesday Afternoon, October 18

>>Moderator: Nick Sanna, President, FAIR Institute

>>Tom Macphee, Cyber Risk Senior Manager, Cigna

>>Filippo Curti, Financial Economist, Federal Reserve Board of Richmond

>>Erica Eager, Senior Director, Risk Quantification, Safe Security


See the complete FAIRCON23 agenda

REGISTER FOR THE FAIR CONFERENCE NOW!


Material Risk and the SEC Disclosure Rules

The SEC rules (going into effect in late 2023) require regulated companies to disclose in detail a cyber incident within four days of determining it could have material impact. Companies must also disclose previously undisclosed immaterial cyber events that become material in the aggregate. On an ongoing basis, companies must also disclose their processes for managing material risks. 

But what’s "material"? The SEC’s guidance says that’s up to investors to decide – the obligation of the company is to provide “consistent, comparable, and decision-useful” information to investors evaluating the financial performance of the company. 

As FAIR Institute President Nick Sanna wrote in a blog post about the SEC disclosure rules, “Cyber risk can no longer be seen and treated as a mere technical issue, but will need to be treated as a strategic enterprise risk,” in line with the financially-driven practices of enterprise risk management (ERM)…

“Companies will be expected to have the ability to break down and quantify how losses materialize for their top cyber risks and incidents…This will be a forcing function for companies to adopt trusted cyber risk quantification models such as FAIR and adopt tools that provide them with visibility into their top risks as key enablers for determining and communicating risk and incident ‘materiality’.”  

Expect a thorough exploration of the materiality question – and actionable information on making the transition to quantification to meet the SEC’s requirements – from our Wednesday morning, October 18, panel of legal, board governance and information security experts. Plus, we’ll hear from the most authoritative source, David Hirsch, the SEC official charged with enforcing the new rules. 

The New FAIR Materiality Assessment Model (FAIR-MAM)

Wednesday afternoon, the conference delivers on the promise of action steps to respond to the SEC rules with a session on the FAIR Materiality Assessment Model, the new extension of the FAIR standard that dives deep on the loss magnitude side of quantitative cyber risk analysis.

While the main FAIR model has six high-level categories of loss, FAIR-MAM tracks loss in 10 categories down through three to five (or more) layers of subcategories so the loss can be modeled with customization to any organization’s business structure, assets, risk scenarios, or other requirements. 

FAIR-MAM assists with the SEC’s disclosure requirements in three ways: 

  1. Assessing materiality immediately after an incident. 
  2. Tracking over time how mounting costs can cross the line into materiality.
  3. Proactively calculating risk for top scenarios to support an ongoing program of material risk management. 

FAIR-MAM is an open standard, available for any organization to build a loss-magnitude model; Safe Security recently announced the first SaaS implementation, the Safe FAIR-MAM module. 
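As an added illustration (not code from the FAIR Institute or from any FAIR-MAM implementation, and not the FAIR-MAM taxonomy itself), the Python sketch below shows the mechanics the three uses above rely on: a nested loss-category tree summed to a single figure, a cumulative ledger that reports the date on which booked costs reach the materiality line, an aggregate check over individually immaterial undisclosed incidents, and a FAIR-style forward-looking estimate of frequency times magnitude. The category names, the dollar amounts and the 5M threshold are constructed placeholders; in practice the threshold is a company-specific judgement, as the SEC guidance quoted above makes clear.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple, Union

# A loss tree: each category maps to a leaf estimate (USD) or to a dict of
# subcategories, nested to any depth. Category names used below are
# constructed placeholders, not FAIR-MAM's own categories.
LossTree = Dict[str, Union[float, "LossTree"]]

# Constructed placeholder: the materiality line is set per company, not by the model.
MATERIALITY_THRESHOLD_USD = 5_000_000.0


def total_loss(tree: LossTree) -> float:
    """Sum every leaf estimate in a nested loss-category tree."""
    total = 0.0
    for value in tree.values():
        total += total_loss(value) if isinstance(value, dict) else float(value)
    return total


def is_material(loss_usd: float, threshold: float = MATERIALITY_THRESHOLD_USD) -> bool:
    """Use 1: compare a loss estimate against the materiality line."""
    return loss_usd >= threshold


@dataclass
class Incident:
    name: str
    disclosed: bool = False
    # Costs booked over time: (booking date, loss tree for that booking)
    entries: List[Tuple[date, LossTree]] = field(default_factory=list)

    def book(self, when: date, losses: LossTree) -> None:
        self.entries.append((when, losses))

    def loss_to_date(self) -> float:
        return sum(total_loss(tree) for _, tree in self.entries)

    def crossed_on(self, threshold: float = MATERIALITY_THRESHOLD_USD) -> Optional[date]:
        """Use 2: first booking date on which cumulative cost reaches the line."""
        running = 0.0
        for when, tree in sorted(self.entries, key=lambda entry: entry[0]):
            running += total_loss(tree)
            if running >= threshold:
                return when
        return None


def undisclosed_aggregate(incidents: List[Incident],
                          threshold: float = MATERIALITY_THRESHOLD_USD) -> float:
    """Sum of incidents that are undisclosed and individually below the line.
    The rules described above require disclosure once such events are material
    in the aggregate; incidents material on their own are handled separately."""
    return sum(inc.loss_to_date() for inc in incidents
               if not inc.disclosed and not is_material(inc.loss_to_date(), threshold))


def expected_annual_loss(events_per_year: float, magnitude: LossTree) -> float:
    """Use 3: FAIR-style forward-looking risk, loss event frequency times loss magnitude."""
    return events_per_year * total_loss(magnitude)


def demo() -> dict:
    """Constructed sample data exercising the three checks."""
    incident_a = Incident("incident-A")
    incident_a.book(date(2023, 11, 1),
                    {"response": {"forensics": 250_000, "notification": 150_000},
                     "productivity": 800_000})
    incident_a.book(date(2023, 11, 20), {"legal": 2_500_000, "replacement": 600_000})
    incident_a.book(date(2023, 12, 15), {"fines_and_judgments": 1_500_000})

    incident_b = Incident("incident-B")
    incident_b.book(date(2023, 9, 5), {"productivity": 2_200_000})
    incident_c = Incident("incident-C")
    incident_c.book(date(2023, 10, 12), {"response": 3_000_000})

    undisclosed = undisclosed_aggregate([incident_a, incident_b, incident_c])
    return {
        "a_first_booking": total_loss(incident_a.entries[0][1]),   # 1.2M: below the line on day one
        "a_crossed_on": incident_a.crossed_on(),                   # cumulative 5.8M on 2023-12-15
        "undisclosed_aggregate": undisclosed,                      # B + C = 5.2M (A excluded: material alone)
        "aggregate_material": is_material(undisclosed),            # True
        "scenario_eal": expected_annual_loss(0.2, {"all": 12_000_000}),  # 2.4M per year
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the tree representation is that the same summing routine works whether a category is modelled at one level or five, which is what lets a loss model follow an organization’s own structure; the ledger shows why an incident that looks immaterial on the day it is found still needs a running total reviewed as costs are booked.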

Figure: schematic showing detail of the FAIR-MAM model

Beyond FAIR-MAM – More Extensions of the FAIR Standard 

The 2023 FAIR Conference will showcase more tools, processes and techniques built on the pioneering work in risk quantification of Factor Analysis of Information Risk. 

FAIR Controls Analytics Model (FAIR-CAM™)

Workshop: Through the FAIR-CAM™ Looking Glass with Jack Jones

Monday, October 16, 2023

FAIR for Third Party Risk

Panel: How to Re-think Third-Party Risk with FAIR-TAM™

Tuesday, October 17, 2:15 PM 



