The FAIR Institute has released the FAIR Materiality Assessment Model (FAIR-MAM™), a significant new ancillary standard to Factor Analysis of Information Risk (FAIR™) that provides a more detailed breakdown and description of the categories that contribute to Loss Magnitude, particularly useful for determining when cyber loss exposure becomes material risk for an organization.
Rules recently approved (see the press release) by the Securities and Exchange Commission exposed the problem that many companies were not equipped to assess and disclose material risks from cybersecurity incidents in a timely, accurate and comparable way. The rules require regulated companies to report a cyber loss event within four business days of determining that its impact would likely be material, and to report when past events cumulatively reach the material level. Beyond cyber incidents, the SEC wants companies to disclose their ongoing processes to manage material risks.
Learn more about the SEC cyber risk disclosure rules:
Blog Post: What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession
Figure: Schematic of the FAIR Materiality Assessment Model.
By translating the technical processes of cyber incident response and its consequences into the financial language of business, FAIR-MAM helps solve the materiality problem of cyber risk disclosure.
Read the FAIR-MAM White Paper
We welcome comments to further improve the FAIR-MAM standard. Comments may be submitted via email to the FAIR Institute Director of Standards and Research at pankaj@fairinstitute.org.