A New Extension of the FAIR Standard: Introducing the FAIR Materiality Assessment Model (FAIR-MAM)
The FAIR Institute has released the FAIR Materiality Assessment Model (FAIR-MAM™), a significant new ancillary standard to Factor Analysis of Information Risk (FAIR™) that provides a more detailed breakdown and description of the categories that contribute to Loss Magnitude, particularly useful for determining when cyber loss exposure becomes material risk for an organization.
Rules recently approved (see the press release) by the Securities and Exchange Commission exposed the problem that many companies were not equipped to assess and disclose material risks from cybersecurity incidents in a timely, accurate and comparable way. The rules require regulated companies to report a cyber loss event within four business days of determining that its impact would likely be material, and to report when past events cumulatively reach the material level. Beyond cyber incidents, the SEC wants companies to disclose their ongoing processes to manage material risks.
Key Points on FAIR-MAM, the New FAIR Material Loss Model for Cyber Risk Assessment
- An open cybersecurity cost model that any organization can adapt to its own cost structures.
- Composed of 10 primary cost modules (Business Interruption, Proprietary Data Loss, etc.).
- Modules can be customized to estimate the cost of an attack on any of the company’s business assets from any type of risk scenario.
- Organizations that are already modeling loss exposure with FAIR can populate the FAIR-MAM model to create their own version, or leverage solutions that have implemented FAIR-MAM.
- Can be used to quickly estimate probable material loss from a new cyber incident or track incidents as they become material over time, as well as proactively assess top cyber risk scenarios for probable materiality, meeting SEC requirements.
- Legally defensible to help satisfy regulators on the validity of a risk management program, as it is based on FAIR, the recognized standard for quantitative cyber risk analysis.
[Figure: schematic of the FAIR Materiality Assessment Model]
By translating the technical processes of cyber incident response and its consequences into the financial language of business, FAIR-MAM helps solve the materiality problem of cyber risk disclosure.
Read the FAIR-MAM White Paper.
We welcome comments to further improve the FAIR-MAM standard. Comments may be submitted via email to the FAIR Institute Director of Standards and Research at firstname.lastname@example.org.