Put a dollar value on cyber risk to open communication with your CISO

By Jeff B. Copeland

“Partner with the cybersecurity team and let them know that models for accounting for cyber losses exist,” Safe Security President Nick Sanna urged the Association of Chartered Accountants on a recent ACCA podcast.

“If you can put a dollar sign on possible losses…the CISO can provide mitigation options and jointly your organization can decide how much risk is acceptable and how much investment [in security] is necessary or not.”

Nick Sanna addresses the 2024 FAIR Institute Europe Summit, Paris


FAIR Materiality Model

Nick, the founder of the FAIR Institute, introduced the ACCA audience to a new standard based on Factor Analysis of Information Risk (FAIR) and jointly created by the Institute and Safe Security: the FAIR Materiality Assessment Model (FAIR-MAM). “It provides a way to decompose cyber losses in categories that would make total sense to a CFO or a cyber insurance company.”

FAIR-MAM “breaks down cyber losses in 10 categories, such as information privacy, proprietary data loss, business interruption as well as reputational damage and fraud.

“Having a model like this is really important because oftentimes in the moment of an incident you do not know how to account for potential cyber losses.”

As an example, Nick cited the recent hack of UnitedHealthcare; the CEO reported to Congress that probable losses would be $1.6 billion. Using FAIR-MAM, the FAIR Institute took a comprehensive view of the risk factors and concluded that costs could likely double that figure when tallied up.

The website How Material Is That Hack? displays FAIR-MAM analyses for losses of cyber attacks in the news. Safe Security offers the first commercial implementation of FAIR-MAM, especially tuned to organizations looking to estimate material risk for financial reporting.

FAIR Risk Quantification and the Healthcare Industry

Asked about the status of risk management in healthcare, Nick commented, “Oftentimes these organizations are run by people with a medical or business background and don’t have an IT background. Being able to translate the impact of cyber risk in business terms, in financial terms, allows them to be part of the decision making.

“The situation in healthcare is exacerbated because a lot of organizations outsource their IT processes to third parties. They are also heavy users of third-party applications, and they have no idea of how much risk exposure they have from those third parties.” Nick cautioned that healthcare risk managers should look at their attack surface with a unified view of both first- and third-party risk, otherwise “they are going to be completely reactive to incidents as they happen…

“To proactively look those incidents in the eye and decide how much you want to mitigate or invest is not possible without a financial model like FAIR, which is currently the only standard quantification model out there.”

Artificial Intelligence and Cyber Risk Management

Asked to comment on the effect of AI on cyber risk management, Nick responded “at Safe Security we apply the FAIR standard, and we are heavy users of AI because most of our customers make heavy use of questionnaires to understand the [security] state of affairs in third parties. And that’s a very manual process – they have been spending more time managing the process than fixing security.”

Nick explained that Safe Security is using AI to interpret questionnaire responses to support automated risk analysis with FAIR. Safe also uses AI to interpret reporting on feeds from security controls. “So, AI also helps provide recommendations on what [security gaps] to fix and what controls are most effective in reducing the probability or impact of a cyber event. That replaces work by human beings that would take many hours, days and months.”

Learn more in a whitepaper

Blueprint: Transform Third-Party Risk Management

Read the whitepaper and discover how to:

  • Focus on a set of priority security requirements and verify the controls
  • Partner with third parties to help them improve their security programs
  • Place more emphasis on managing the impact of incidents on the enterprise
  • Switch to a risk-based approach that gives YOU an advantage
  • Increase the business leaders’ role in managing third-party cybersecurity risks