Recapping the 2025 FAIR Institute European Summit: Cyber Risk Management at the Speed of Business


The 2025 FAIR Institute European Summit, held in London on June 5, brought together leading voices in cybersecurity, risk, and business to address one of today’s most pressing challenges: managing cyber risk in an era characterized by constant disruption. From the accelerating impact of AI to sweeping new regulations like NIS2 and DORA, the threat landscape is evolving faster than ever, and organizations are under pressure to respond with clarity, speed, and defensibility.
Todd Tucker is Managing Director of the FAIR Institute.
Our summit provided a full day of shared insights and professional networking opportunities. Attendees heard from CISOs, risk leaders, regulators, and industry experts who are using FAIR (Factor Analysis of Information Risk) to move beyond static frameworks and toward dynamic, business-aligned decision-making.
I walked away from this year’s event with three big takeaways.
- First, cyber risk management has crossed the threshold. It’s no longer a siloed function—it’s embedded in business operations, shaping how leaders think about resilience, growth, and competitive advantage.
- Second, AI is already transforming how we manage risk. We saw real-world examples of agentic AI being used to automate assessments, analyze vendor ecosystems, and generate FAIR-relevant structured data (e.g., risk factors) from unstructured data (e.g., vendor risk centers, SOC2 reports, emails). The future isn’t coming, it’s happening, and it couldn’t be more timely.
- Third, the FAIR community is evolving rapidly. The conversations at this summit weren’t about theory or “why quantification matters.” (Well, not entirely, at least!) They were about execution, automation, and outcomes. The maturity and momentum in the room were unmistakable.
Opening Panel
The day opened with a powerful panel on “Managing Cyber Risk at the Speed of the Business,” featuring Matt Burns (Digital Risk & Resilience Director, Lloyds Banking Group), Pierre Olodo (Senior Lead Cyber Risk, Richemont), and Neil Davis (Cyber Risk Director, Maersk), moderated by Nick Sanna (Founder & President, FAIR Institute). Their key message: business credibility starts with good data, the right language, and a shared model—and FAIR delivers all three. Matt called out the need for threat visibility and emphasized the transformative role agentic AI will play. Pierre and Neil echoed that FAIR has been essential in building trust and alignment with leadership.
Regulatory Panel
In a thought-provoking session on regulatory readiness, Alex Campbell (Cyber Partner, EY), Jim Hawkins (Global Cyber Risk Advisor, NCC Group), and Paul Williams (Special Advisor, Protiviti), led by Tom Callaghan (General Manager, C-Risk), tackled a bold statement: “No amount of regulations or standards are going to get you to where you need to be with [cyber] risk.” It was a call to arms for embracing risk measurement and management as the only scalable and adaptable way forward in a world of fast-moving compliance requirements.
I sat down with Dr. Runli Guo, former CISO of Gett and now CEO and Founder of AI DIONIC, and Andrew Weaver, a product and AI expert with Databricks. We talked about the biggest risks related to AI. In particular, we discussed how many businesses have overly focused risk management on the wrong use cases, sometimes diverting time and attention from the most important ones and often slowing down innovation where AI introduces little risk. For example, many teams use AI to develop software code, where the AI-specific risks are often minimal and hardly different from copying code from GitHub or other platforms; instead, businesses should focus on products or services that embed AI for decision-making or other functions.
We also explored the use of AI to manage risks. One of the most exciting talks came from Saket Modi (Co-founder & CEO, Safe Security), who demonstrated how AI agents can process third-party risk documents (e.g., SOC2s, contracts, control questionnaires) and convert them into FAIR scenarios and measurements. It’s not just a breakthrough in automation; it’s a game-changer for prioritizing vendor risk in financial terms and redirecting analyst time to value-added work.
In one of the most forward-looking and energizing conversations of the day, Jimmy Lumis (Director and BISO, IHG) and Zach Cossairt (Senior Manager, Cyber Risk, Equinix) sat down with Christophe Foret (Co-Founder, C-Risk) to explore how FAIR and agentic AI are transforming third-party risk management (TPRM). They unpacked how the convergence of automation, unstructured data processing, and FAIR-based quantification is shifting TPRM from a slow, checklist-driven process to a dynamic, intelligence-led discipline.
In the afternoon, a panel on cyber insurance brought together Thomas Clayton (Head of Cyber - UK, Zurich Insurance), Kelly Butler (Managing Director, Head of Cyber - UK, Marsh), Nick Lang (Class Underwriter, Cyber, Media and Technology, Antares), and Jay Vinda (Global CISO and Cyber Risk Engineering Lead, Mosaic Insurance). Their message was clear: insurers are rapidly shifting toward quantified risk models. FAIR is now a strategic asset for securing better terms and demonstrating a mature posture. Jay also shared with me how he is using the FAIR Institute’s Cyber Risk Scenario taxonomy to enhance his conversations with clients regarding coverage.
The practical side of FAIR was front and center in a case study from Zach Cossairt, once again on stage. He shared how his team delivers cyber risk “as a service” to business units. The maturity of their program, built on FAIR, was both inspiring and instructive for teams earlier in their journey. Zach and his team have built out numerous risk management capabilities to serve their business, with FAIR at the center of them.
The theme of results over theory continued with a triple case study session featuring Robert Moore (VP of Technology Risk, Mastercard), Pooya Alai (Sr. Cyber Security Risk Mgr, Maersk), Oliver Bodger (Security Risk Officer, Virgin Media O2), and Greg Spicer (Co-Founder & CRO, Ostrich Cyber-Risk). They each highlighted how FAIR is enabling measurable improvements in risk reduction, cybersecurity return on investment, and strategic engagement with executives.
The day wrapped with a standout presentation by Laura Cristiana Voicu (Principal Security Assurance, Elastic), who made the case for moving beyond traditional ROSI metrics. She used the FAIR taxonomy to link cybersecurity investments directly to modeled risk reduction, creating a robust foundation for justifying spend and optimizing security budgets.
All in all, this summit was more than a collection of sessions. It was a moment of clarity in a fast-moving field. The organizations leading the way aren’t waiting for the future to arrive. They’re building scalable programs, embracing automation, and embedding FAIR into the heart of how they operate.
We’ll be sharing the videos from all of these sessions as soon as they become available. If you’re interested in these topics, consider joining us at this year’s annual global FAIR Conference in New York on November 4-5, 2025. Learn more at https://www.fairinstitute.org/2025-fair-conference.