October 09, 2023

How FAIR-MAM Helps to Assess Quantitative and Qualitative Materiality

Interact with the FAIR experts, attend workshops, and discover more at FAIRCON23.

Join Safe Security at the 2023 FAIR Conference on October 18 in Washington, DC, to learn about the FAIR Materiality Assessment Model (FAIR-MAM™), developed by researchers at the FAIR Institute and modeled by Safe, to solve the puzzle of “materiality” when assessing the loss magnitude of a cybersecurity incident.

Reckoning financial impact after a breach can be like assembling a coherent cost picture from a jumble of small pieces, and many of them missing: Incident response, forensic investigation, lost sales, customer response, legal fees to defend against class action suits, and regulatory fines. Some costs are immediate; some may roll in over months and years. Accurate estimation for any of these cost components requires estimating the sum of its subcomponents: for instance, customer response might include breach notification by postal service, call center fees, identity theft protection, and so on.

For public companies in the US, the Securities and Exchange Commission added a ticking clock to the puzzle: Companies must report on Form 8-K within four days once the company has determined that a cyber incident could have a material financial impact, so all investors have equal access to current information that could cause a negative revision of the financial outlook for the company. Companies must also keep a counter running on previous incidents (for instance, ransomware attacks) and report if they are later determined to be related and collectively cross the line into materiality.

Get the CISO’s Playbook for SEC Cyber Risk Compliance

What Is FAIR-MAM and How Can It Help?

FAIR-MAM is a model that any organization can incorporate into its existing financial risk projections to determine the probable loss magnitude from a cyber event. It is an extension of Factor Analysis of Information Risk, the FAIR™ standard model for cyber and operational risk quantification. While the main FAIR model has six high-level categories of loss, FAIR-MAM tracks loss in 10 categories down through three to five (or more) layers of subcategories, so the loss can be modeled with customization to any organization’s business structure, assets, risk scenarios, or other requirements.

A good comparison is to the MITRE ATT&CK knowledge base of threat actor tactics and techniques. Just as organizations use MITRE ATT&CK to plan defenses against specific threat tactics and techniques, organizations use FAIR-MAM to build a loss model guided by categories and subcategories of cost drivers to arrive at highly accurate cost estimates. The FAIR-MAM implementation can also be tuned to account for changes in probability and loss magnitude over time (for example, once you are sued after a data breach, the probability of incurring defensive legal costs becomes 100%).

FAIR-MAM can be used to:

  1. Assess materiality immediately after an incident – to gauge the need for public disclosure and begin planning for any potential financial fallout.
  2. Track developing materiality over time – dynamic modeling adjusts as forensic investigation or business interruption continues, or qualitative materiality becomes better defined as legal or regulatory investigations are initiated.
  3. Proactively calculate risk for top scenarios – not just for cyber incident response; FAIR-MAM is a complete, bottom-up loss magnitude model for determining cyber risk.
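As an added illustration (not FAIR-MAM’s own formulas or Safe’s implementation), the following Python sketch builds a breach loss estimate bottom-up from cost subcomponents, then re-scores materiality after a class action makes the legal-defense cost certain. The dollar figures, probabilities, and the $1M materiality threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LossItem:
    """One cost driver at the bottom of the hierarchy (e.g. breach notification)."""
    name: str
    probability: float   # chance this cost is incurred given the incident (0..1)
    low: float           # three-point USD estimate: low / most likely / high
    most_likely: float
    high: float
    def expected_loss(self) -> float:
        # PERT-style point estimate weighted toward the most-likely value,
        # scaled by the probability that the cost is incurred at all.
        return self.probability * (self.low + 4 * self.most_likely + self.high) / 6

@dataclass
class LossCategory:
    """A top-level category rolled up from its subcomponents."""
    name: str
    items: list = field(default_factory=list)
    def expected_loss(self) -> float:
        return sum(i.expected_loss() for i in self.items)

def build_model() -> list:
    # Constructed sample figures for a data-breach scenario; not benchmark values.
    return [
        LossCategory("Information Privacy", [
            LossItem("Breach notification (postal)", 1.0, 60_000, 120_000, 300_000),
            LossItem("Call center", 0.75, 30_000, 60_000, 120_000),
            LossItem("Identity theft protection", 0.5, 120_000, 240_000, 480_000),
        ]),
        LossCategory("Network Security", [
            LossItem("Forensic investigation", 1.0, 90_000, 180_000, 360_000),
            LossItem("Legal defense (class action)", 0.25, 400_000, 1_000_000, 2_200_000),
        ]),
    ]

def total_expected_loss(model: list) -> float:
    return sum(c.expected_loss() for c in model)

def mark_incurred(model: list, item_name: str) -> None:
    """Once a cost is certain (e.g. a suit is filed), its probability becomes 100%."""
    for item in (i for c in model for i in c.items):
        if item.name == item_name:
            item.probability = 1.0

def is_material(model: list, threshold_usd: float) -> bool:
    """Assumed quantitative test: expected loss at or above a company-set threshold."""
    return total_expected_loss(model) >= threshold_usd
```

Calling `mark_incurred` on the legal-defense item raises the total from $788,750 to $1,613,750, crossing the assumed threshold, which is the "developing materiality" case the list above describes.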

What Loss Categories Does FAIR-MAM Track?

  1. Information Privacy: All losses related to the compromise of PCI, PHI, PII, biometrics, etc.
  2. Proprietary Data Loss: Intellectual property theft, internal corporate data, etc.
  3. Business Interruption: Impacts on revenue, etc.
  4. Cyber Extortion: Ransom or extortion demanded.
  5. Network Security: Forensic, legal, data restoration, etc., related to the IT environment.
  6. Financial Fraud: Resulting in loss of cash or equivalents.
  7. Media Content: Fraudulent use of trademarks, etc.
  8. Hardware Bricking: Physical destruction of IT systems from an attack.
  9. Post-Breach Security Improvements: Security upgrades made voluntarily or mandated by a regulatory order or court.
  10. Reputational Damage: Negative estimated future impacts on a company’s value due to reduced future net revenues or higher costs, such as the cost of capital or higher cyber insurance premiums with lower coverage, etc.

The Safe Security Implementation of FAIR-MAM

FAIR-MAM is open source and available through the FAIR Institute for organizations that want to develop their loss magnitude models. Safe Security recently introduced the first commercially available implementation of FAIR-MAM, the Safe Platform’s FAIR-MAM Module. With proprietary formulas and benchmark loss values built in, the Safe implementation automates cyber risk modeling for an out-of-the-box FAIR-MAM solution.

If you’re interested in learning more about how Safe’s Platform can equip your business with FAIR-MAM to meet the SEC’s requirements – and help you better understand cyber risk materiality – schedule a demo with a Safe Security cyber risk expert today.

FAIR-MAM and Safe Security at the 2023 FAIR Conference

Safe Security is the technical adviser to the FAIR Institute, involved at the leading edge of research and education on cyber risk quantification and management (CRQM). Learn how FAIR-MAM can enhance your risk analysis and management. Join us at the conference on Wednesday, October 18, at 1:00 PM for a presentation:

“Introducing FAIR-MAM™ - A Comprehensive Approach to Loss Modeling in FAIR”

  1. Moderator: Nick Sanna, Founder, FAIR Institute
  2. Tom Macphee, Cyber Risk Senior Manager, Cigna
  3. Filippo Curti, Financial Economist, Federal Reserve Board of Richmond
  4. Erica Eager, Senior Director Risk Quantification, Safe Security

See the full agenda for the 2023 FAIR Conference.

Register for FAIRCON23 now! Save up to $300 on your conference pass using the code “SAFE20FAIRCON” while registering.