
Measurement of the financial impact of a cyber assault sought by FAIR Institute

Cybersecurity regulators aim to establish a benchmark for quantifying financial losses from major cyberattacks, helping stakeholders gauge risk more effectively.

Introducing the FAIR Materiality Assessment Model (FAIR-MAM): A Tool for Quantifying Cybersecurity Risks

The FAIR Materiality Assessment Model (FAIR-MAM) is a groundbreaking open-source framework designed to help publicly-traded companies quantify the potential financial impact of cybersecurity incidents. Developed by the FAIR Institute, this model uses the FAIR (Factor Analysis of Information Risk) methodology to integrate quantitative risk modeling with materiality thresholds relevant for financial reporting.

FAIR-MAM operates by combining probabilistic risk analysis with financial materiality criteria. It estimates the likelihood and magnitude of cyber risks, and compares anticipated losses to a defined percentage of the company’s revenue. This approach also incorporates qualitative judgments to finalize materiality determinations based on the impacts on the organization’s value proposition, industry context, regulatory environment, and investor perceptions.
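The quantitative step described above can be sketched as a small Monte Carlo simulation. This is an added illustration, not the FAIR Institute's model or its calculator: the Poisson/lognormal distributions, the event frequency, the loss range, the revenue figure and the 1% threshold are all assumptions chosen for the example.

```python
import math
import random

def _poisson(rng, lam):
    # Knuth's method: count uniform draws until their product drops below e^-lam.
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(events_per_year, loss_p5, loss_p95, trials=20000, seed=7):
    """Annual loss = sum of lognormal per-event losses over a Poisson event count."""
    rng = random.Random(seed)
    # Lognormal calibrated so loss_p5 / loss_p95 are its 5th / 95th percentiles
    # (assumed shape; the page does not say which distributions FAIR-MAM uses).
    mu = (math.log(loss_p5) + math.log(loss_p95)) / 2
    sigma = (math.log(loss_p95) - math.log(loss_p5)) / (2 * 1.645)
    return [sum(rng.lognormvariate(mu, sigma)
                for _ in range(_poisson(rng, events_per_year)))
            for _ in range(trials)]

def assess_materiality(losses, revenue, threshold_pct):
    """Compare the simulated loss distribution with a revenue-based threshold."""
    threshold = revenue * threshold_pct
    ranked = sorted(losses)
    return {
        "threshold": threshold,
        "mean_loss": sum(ranked) / len(ranked),
        "p95_loss": ranked[int(0.95 * (len(ranked) - 1))],
        # Share of simulated years whose total loss reaches the threshold.
        "prob_exceed": sum(1 for x in ranked if x >= threshold) / len(ranked),
    }

if __name__ == "__main__":
    # Constructed scenario: 0.3 loss events per year, $1M-$50M per event
    # (5th-95th percentile), $2B annual revenue, 1% of revenue as the threshold.
    losses = simulate_annual_losses(0.3, 1e6, 5e7)
    for key, value in assess_materiality(losses, revenue=2e9, threshold_pct=0.01).items():
        print(f"{key:>12}: {value:,.4f}")
```

The output is only the quantitative input to the decision; the qualitative factors the article lists still determine the final materiality call.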

The benefits of using FAIR-MAM are numerous. It helps companies quantify cyber risk exposure in financial terms aligned with accounting materiality concepts, making it easier to assess whether a cybersecurity incident is likely to have a significant impact on financial statements. The model also provides a structured, data-driven framework that supports compliance with cyber risk disclosure regulations, including SEC rules and evolving sustainability and impact reporting standards.

By allowing companies to prioritize cybersecurity investments and disclosure efforts based on a clear, quantitative understanding of material risks, FAIR-MAM facilitates alignment between cybersecurity risk management and financial reporting processes. This enhances communication with investors and regulators, ensuring that all parties have a clear understanding of the potential financial impact of cybersecurity incidents.

The FAIR Institute and Safe Security have launched an online calculator based on FAIR-MAM, enabling organizations to estimate the potential financial impact of cyberattacks. This calculator serves as a model for how data from SEC filings and other publicly available information can help organizations quantify materiality assessments.

The FAIR-MAM model can be used as one tool to aid decisions, but it's important to note that estimates are not foolproof and should not be solely relied upon. The Securities and Exchange Commission's mandate has led to an increase in cybersecurity incident disclosures in filings, and the FAIR-MAM framework can forecast materiality pre-incident and calculate financial risk based on actual information post-incident.

The online calculator continues to add data and resources, and has already provided estimates for five recently disclosed cyberattacks against MGM Resorts, Caesars Entertainment, Johnson Controls, Clorox, and Progressive Leasing, with a total estimated cost of $663 million.

In conclusion, FAIR-MAM operationalizes the FAIR risk model within a materiality framework, enabling companies to numerically estimate and justify the financial significance of cybersecurity risks and incidents. This guides both risk governance and regulatory reporting for public companies, and provides a unique cyber loss model for organizations, estimating financial risk on an ongoing basis for risk scenarios that matter most to the business.

  1. The FAIR Materiality Assessment Model (FAIR-MAM) is a tool that public companies can use to quantify the potential financial impact of cybersecurity incidents in relation to their privacy, network security, and business operations.
  2. FAIR-MAM integrates quantitative risk modeling with financial materiality thresholds, which helps in predicting the likelihood and magnitude of cyber risks, including ransomware attacks, and comparing anticipated losses to a defined percentage of the company’s revenue.
  3. By adopting FAIR-MAM, companies can enhance communication with investors, regulators, and stakeholders, ensuring that everyone has a clear understanding of the potential financial impact of cybersecurity incidents on the organization's value proposition, industry context, regulatory environment, and investor perceptions.
  4. With the help of the FAIR Institute and Safe Security, an online calculator based on FAIR-MAM has been launched, enabling organizations to estimate the potential financial impact of cyberattacks on their technology infrastructure and financial resources.
