How to Think about Materiality for Regulatory Compliance (FAIR Inst Europe Summit Video)


SEC disclosure regulations in the US, NIS2 impact statements for cyber events in Europe – the regulatory trend is clear: companies must quantify the financial impact of cybersecurity risk and disclose when risk hits material levels.  The FAIR Institute developed the FAIR Materiality Assessment Model (FAIR-MAM™) as a defensible method to collect and analyze impact data and determine materiality.

At the recent FAIR Institute Europe Summit, Institute Research Director Pankaj Goyal (left in the photo) and Mouhamad el Houssaini, Risk Director at ADP (right), gave a half-hour seminar filled with tips on meeting material-risk disclosure requirements.

Watch the video:

Meeting Regulatory Compliance - How to Think About Materiality with FAIR

Some of the key points from Pankaj and Mouhamad:

How to Avoid Hits to Stock Price from Material Cyber Incidents

Pankaj reported on his study of the impact of cyber events on stock price in recent months and found a noteworthy split in a small sample of five disclosures: the four companies that declared an event material, or said "we don't know yet," lost an average of 12% in stock value; the one company that declared an event not material lost no stock value. Yet most companies will go with "don't know yet" in the belief that they are acting conservatively. His conclusion: "It is very important to be confident in determining materiality and that work does not start after the event has happened, that work starts today so you are prepared to answer confidently on materiality."


Visit How Material Is That Hack?: The FAIR Institute assesses recent cyber incidents with FAIR-MAM.



How to Navigate Communicating to Stakeholders on Materiality

Mouhamad commented that presenting quantitative analysis results to the business is only part of the problem. “Management today is very focused on getting to compliance, not only ISO compliance or regulatory compliance but also program compliance. They get different compliance feeds from everywhere, but they never talk about real risk. The compliance team can tell them you have to patch something because of our findings and then you have the risk team telling them no, because not all your businesses are that important…Everyone is struggling today to find the right balance on how to put risk on top of compliance and not compete.”

Bottom Line: 3 Takeaways from the Materiality Discussion

Pankaj summed up the state of play in material-risk assessment:

>>We are still learning about ‘materiality’ in the cyber world.

>>We are seeing more proactive transparency and reporting from the organizations.

>>FAIR-MAM can be a strong analytics foundation to build a materiality framework for your organization - pre and post incident.

Learn more:  

An Introduction to the FAIR Materiality Assessment Model (FAIR-MAM™)

