How Material Is that Hack of Roku, Henry Schein, VF Corp, Mr Cooper Group, HCA Healthcare? FAIR-MAM Answers


How Material Is that Hack, a FAIR Institute project with our technical advisor Safe Security, tracks cyber loss events in the news with FAIR-MAM™, the FAIR Materiality Assessment Model. We developed FAIR-MAM so organizations could quantify the impact of cyber incidents to quickly, reliably, and defensibly disclose material risk on SEC Form 8-K or other regulatory filings.

But FAIR-MAM is an open standard that organizations can also use to measure financial risk internally to inform cybersecurity investment and management decisions for custom cyber risk scenarios, using their own data or industry standard data. On the How Material Is that Hack site, we leverage that industry standard data to analyze the latest hacks to see what we can learn.

See our FAIR-MAM page and read the FAIR-MAM white paper.


FAIR-MAM gives FAIR practitioners a granular look at the cost data for cyber incidents, thus greatly increasing the accuracy of FAIR analysis. The model offers analysts more than 200 micro cost drivers within 10 discrete loss modules to fine-tune the quantification of loss data.

That granular look at hack impact can lead to surprises. As we reported in the blog post "FAIR MAM Analysis: UnitedHealth Hack Disclosures May Significantly Under-report Total Impact," the final tally for the UnitedHealth incident could range as high as twice the number disclosed by the company to date when all the costs are counted, including regulatory fines, class action suit settlements, business interruption liability and more cost drivers covered by FAIR-MAM.

Here are the latest hacks analyzed with FAIR-MAM:

Roku

The streaming service ($3B revenue) was struck by two data exfiltration incidents, reported in early 2024, that affected about 591,000 customers. The company said its network was never compromised; rather, the attackers used credential stuffing with previously stolen login credentials to access user accounts directly. Roku notified compromised users and began enforcing multi-factor authentication after the incident but did not file an 8-K and has not released any figures on the impact.

FAIR-MAM Impact Estimates

Min: $96,000

Most Likely: $340,000

Max: $892,000

Main Cost Driver: Network Security

Full analysis on How Material Is that Hack

Henry Schein

“The world’s largest provider of healthcare solutions to office-based dental and medical practitioners” ($12.3B revenue) reported in an 8-K in October 2023 a ransomware attack (claimed by ALPHV/BlackCat) that knocked out manufacturing and distribution and compromised 29,000 PII records. Schein reported an estimated sales reduction of 10 to 12%, or $350 million to $400 million. FAIR-MAM, however, estimates gross profit loss, not pure revenue loss. Henry Schein’s gross profit margin for the last fiscal year was 30%. The company also said it holds a $60 million insurance policy.

FAIR-MAM Impact Estimates

Min: $119M

Most Likely: $121M

Max: $144M

Main Cost Driver: Business Interruption

Full analysis on How Material Is that Hack

VF Corporation

Hackers disrupted operations for the maker of Timberland, Vans and more outdoor clothing brands ($11.6B revenue) in late 2023 and stole PII of 35 million customers, though VF noted that it does not collect or retain PCI or other sensitive consumer data. In its latest filing, the company said it had concluded the investigation and judged the event to be non-material.

FAIR-MAM Impact Estimates

Min: $700,000

Most Likely: $6.1M

Max: $19.4M

Main Cost Driver: Information Privacy

Full analysis on How Material Is that Hack

Mr. Cooper Group

One of the largest servicers of home loans in the US ($1.8B revenue) took a hit in November 2023 when a ransomware attack knocked it offline for four days and compromised PII on 14.6 million customers. The company reported spending $27 million in incident-related costs and has accrued $20 million for credit monitoring but stated that it does not expect a material impact. Since Mr. Cooper processes mortgage payments for existing loans, most of the revenue interruption from a security incident is delayed, not permanently lost. Therefore, the majority of the losses from this attack will be related to record holder support costs, including notification, monitoring and call center costs, as well as possible future class action settlements and regulatory fines.

FAIR-MAM Impact Estimates

Min: $28.8M

Most Likely: $48.9M

Max: $105.2M

Main Cost Driver: Information Privacy

Full analysis on How Material Is that Hack

HCA Healthcare

HCA Healthcare is a major operator of hospitals and clinics in the US ($65B revenue). The company disclosed in July 2023 that attackers breached an external storage location used only to automate formatting of email addresses, exposing non-sensitive PII for 11 million patients but not interfering with operations or reducing revenue. The data breached did not include sensitive medical treatment information, payment information or government-issued identification data.

FAIR-MAM Impact Estimates

Min: $1.7M

Most Likely: $4.3M

Max: $11M

Main Cost Driver: Information Privacy

Full analysis on How Material Is that Hack
