hero 12

Assessment ModelTM

Measure the Materiality of Cyber Events

The new Securities and Exchange Commission Rule on Cybersecurity exposed the problem that many companies are not equipped to assess and disclose material risks from cybersecurity incidents in a timely, accurate and comparable way to their stakeholders.

The rule requires regulated companies to report a cyber loss event within four business days of determining that its impact would likely be material, and to report when past events cumulatively reach the level of materiality.

Beyond cyber incidents, the SEC wants companies to disclose their ongoing processes to manage material risks.

Group 226

What is FAIR-MAM™

The FAIR Materiality Assessment Model (FAIR-MAM™) is a new standard that helps organizations assess the materiality of cybersecurity risk and incidents. FAIR-MAM™ expands the loss magnitude factor of the FAIR™ model, and provides a more detailed taxonomy and breakdown of loss categories driven by cybersecurity incidents.

FAIR-MAM™ is an open, financial loss model that enables organizations to:

  • Quantify the impact of cyber incidents so they can quickly and reliably disclose legally defensible material risk on SEC Form 8-K.
  • Report financial risk internally to inform cybersecurity investment and management decisions for a full range of custom cyber risk scenarios.
  • Create a timeline of the multi-year lifecycle of the total cost of an incident.

The FAIR-MAM™ standard also allows companies to report ‘comparable’ material financial costs related to cybersecurity incidents, a critical requirement for institutional investors.

Cyber Loss Categories According to FAIR-MAMTM

FAIR-MAM™ is an open cybersecurity cost model that any organization can adapt to its own cost structures:

  • Composed of 10 primary cost modules (Business Interruption, Proprietary Data Loss, etc.).
  • Modules can be customized to estimate the cost of an attack on any of the company’s business assets from any type of risk scenario.
  • Organizations that are already modeling loss exposure with FAIR can populate the FAIR-MAM model to create their own version or leverage solutions that have implemented FAIR-MAM.
  • Can be used to quickly estimate probable material loss from a new cyber incident or track incidents as they become material over time, as well as proactively assess top cyber risk scenarios for probable materiality, meeting SEC requirements.
  • Legally defensible to help satisfy regulators on the validity of a risk management program, as it is based on FAIR, the recognized standard for quantitative cyber risk analysis.
image 70

Customize FAIR-MAM to your organization with the Financial Impact Questionnaire

How Material is that Hack?

Interested in learning how cyber incident losses can be broken down and estimated using the FAIR-MAM standard?

Researchers from the FAIR Institute's Technical Advisor Safe Security have utilized FAIR-MAM as an analytical basis to estimate the cyber losses incurred by the victims of recent cyber attacks.

Learn more about this Materiality Analysis

Learn More


Must be a Contributing Member to view and download the white paper