
Measurement of financial impact of cyberattacks sought by FAIR Institute

The FAIR Institute, a non-profit that maintains the FAIR risk quantification standard, has released a uniform methodology for evaluating the financial repercussions of severe cyberattacks, so that boards, investors and regulators can understand the resulting risk more clearly.

Quantifying the financial impact of a cyberattack is the aim of the FAIR Institute

The FAIR Institute has unveiled the FAIR Materiality Assessment Model (FAIR-MAM), intended to change the way organizations assess and manage cyber risk. Launched at the Institute's annual conference this week, the model is designed to help businesses quantify the financial materiality of cyber risk scenarios and of the damage caused by actual cyberattacks.

FAIR-MAM is a structured approach that combines the FAIR (Factor Analysis of Information Risk) framework with the materiality assessments commonly used in financial reporting and regulatory contexts. The combination supports two uses: a forward-looking estimate of loss for a risk scenario that has not yet occurred, and a calculation based on actual information once an incident has occurred. Both give a financially grounded, repeatable method for quantifying the damage a cyberattack causes.

The model helps organizations translate cyber risk scenarios into estimated monetary losses, which are then compared against a quantitative materiality threshold (for example, a small percentage of annual revenue) to decide whether the event could be material. The process has two parts: a quantitative comparison of the estimated or actual incident cost against the revenue-percentage threshold, and a qualitative judgement of the impact on the organization's core value proposition, regulatory exposure, data criticality and investor perception, which is used to finalize the materiality decision. An incident that falls below the numeric threshold can still be judged material on the qualitative factors, so the threshold is a floor for disclosure consideration rather than the whole test.
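The following is an added illustration of the two-part process just described, not code from the FAIR Institute or the FAIR-MAM model: a FAIR-style Monte Carlo estimate of annual loss for a scenario (loss event frequency times loss magnitude, both given as min/most-likely/max ranges), a comparison of that loss, or of a known post-incident cost, against a revenue-percentage threshold, and a qualitative overlay that can override a below-threshold result. All figures, the 1% threshold, and the rule that the 90th-percentile annual loss is the quantitative test are hypothetical assumptions chosen for the example.

```python
"""Added example of a materiality assessment in the style the article describes.
Not FAIR Institute code; scenario figures, the 1% threshold and the P90 decision
rule are hypothetical assumptions."""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    lef: tuple  # loss event frequency per year as (min, most_likely, max)
    lm: tuple   # loss magnitude per event in USD as (min, most_likely, max)


def _tri(rng, lo, ml, hi):
    # random.triangular takes (low, high, mode); callers pass (min, most_likely, max)
    return rng.triangular(lo, hi, ml)


def poisson(rng, lam):
    """Knuth's algorithm: number of loss events in one year given expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sc, years=10000, seed=1):
    """One simulated year = draw a frequency, draw that many events, sum their magnitudes."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(years):
        n_events = poisson(rng, _tri(rng, *sc.lef))
        losses.append(sum(_tri(rng, *sc.lm) for _ in range(n_events)))
    return losses


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss meets or exceeds the threshold."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def percentile(losses, q):
    s = sorted(losses)
    return s[min(len(s) - 1, int(q * len(s)))]


def finalize(quant_material, qualitative):
    """Qualitative overlay: any flagged factor can make a below-threshold event material."""
    flagged = [k for k, v in qualitative.items() if v]
    if quant_material:
        return True, "meets quantitative threshold"
    if flagged:
        return True, "below threshold, material on qualitative factors: " + ", ".join(flagged)
    return False, "below threshold, no qualitative factors flagged"


def assess_incident(incident_cost, annual_revenue, pct=0.01, qualitative=None):
    """Post-incident use: compare a known cost against the revenue-percentage threshold."""
    threshold = annual_revenue * pct
    material, reason = finalize(incident_cost >= threshold, qualitative or {})
    return {"threshold_usd": threshold, "incident_cost": incident_cost,
            "material": material, "reason": reason}


def assess_scenario(sc, annual_revenue, pct=0.01, qualitative=None, years=10000, seed=1):
    """Forward-looking use: simulate the scenario and test its P90 annual loss (assumed rule)."""
    threshold = annual_revenue * pct
    losses = simulate_annual_losses(sc, years, seed)
    p90 = percentile(losses, 0.90)
    material, reason = finalize(p90 >= threshold, qualitative or {})
    return {"scenario": sc.name, "threshold_usd": threshold,
            "expected_annual_loss": sum(losses) / len(losses),
            "p90_annual_loss": p90,
            "p_exceed_threshold": exceedance_probability(losses, threshold),
            "material": material, "reason": reason}


if __name__ == "__main__":
    # Hypothetical company: $1B revenue, 1% materiality threshold = $10M.
    ransomware = Scenario("ransomware on ERP", lef=(0.1, 0.3, 0.6), lm=(5e6, 2e7, 8e7))
    print(assess_scenario(ransomware, 1_000_000_000, qualitative={"regulatory_exposure": True}))
    print(assess_incident(12_000_000, 1_000_000_000, qualitative={}))
```

The quantitative decision rule (P90 annual loss against the threshold) and the exceedance probability are two different answers to the same question; a real programme picks one and documents it, because the choice changes which scenarios land on the disclosure watch-list.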

By quantifying cyber risk impacts in financial terms, FAIR-MAM bridges cyber risk management and financial reporting, enabling organizations to:

  • More precisely determine if cyber incidents meet regulatory requirements for materiality disclosures.
  • Support investor communications and internal risk prioritization with quantifiable data.
  • Align cyber risk metrics with financial materiality definitions, improving transparency and governance in a post-SEC cyber rule landscape.

The FAIR-MAM model can also help companies plan risk scenarios ahead of time and manage risk on an ongoing basis. To show how the method applies to real incidents, an accompanying online calculator estimates the financial cost of five recently disclosed cyberattacks, on MGM Resorts, Caesars Entertainment, Johnson Controls, Clorox and Progressive Leasing, at a most-likely combined figure of $663 million. For the ransomware attack on Progressive Leasing alone, the calculator puts the cost at up to $91 million for information privacy and up to $1.3 million for network security.

The online calculator, published as 'How Material is that Hack', serves as a model for how data from SEC filings and other public sources can feed a materiality assessment. It is intended to become a broad repository of breaches rather than one limited to a particular threshold, and the FAIR Institute and Safe Security plan to add data and resources to it on an ongoing basis.

According to the FAIR Institute, these loss estimates can help businesses decide whether and when a cybersecurity incident must be reported to the SEC. The SEC's 2023 cybersecurity disclosure rule requires public companies to report material incidents on Form 8-K within four business days of determining that an incident is material, which is why a defensible, repeatable materiality determination matters; the rule is already producing more incident disclosures in filings, and FAIR-MAM is pitched as a way to navigate that requirement.

The FAIR Materiality Assessment Model is released as an open-source framework for quantifying the financial damage of cyberattacks. It helps identify an organization's top cyber risk scenarios and their potential materiality so that effort can be prioritized, and supports ongoing risk management, so that companies are prepared for likely threats and can make informed decisions about both risk treatment and disclosure.

  1. The FAIR Materiality Assessment Model (FAIR-MAM) is designed to help businesses quantify and evaluate the financial materiality of cyber risks and cyberattack damages.
  2. By using FAIR-MAM, organizations can determine if a cyber incident meets regulatory requirements for materiality disclosures, aiding in financial reporting and risk management.
  3. The FAIR-MAM model can help companies proactively plan their risk scenarios, estimate the potential financial costs of cyberattacks, and prioritize risk management efforts.
  4. FAIR-MAM bridges the gap between cyber risk management and finance, supporting investor communications, internal risk prioritization, and alignment with financial materiality definitions, particularly in the post-SEC cyber rule landscape.
