Cyber risk analysis is maturing
This summer the U.S. Securities and Exchange Commission (SEC) made news with new rules (see press release here) requiring publicly listed companies to disclose material cybersecurity incidents. The "material" part attracted lots of criticism, primarily focused on increased compliance costs.
A more valid concern is that mandatory disclosure of cyber incidents could actually aid cyber criminals (see here) by handing them a roadmap of which companies to target and how to attack them; transparency does not always help security. The filings could also tell a successful attacker when the company discovered the intrusion, what it knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can demand).
In any case, the new SEC rules are now surfacing interesting details on the companies most recently hit by cyberattacks (see recent examples here), as those incidents start to trigger mandatory disclosures.
Reading these filings, it is becoming apparent that companies struck by ransomware or supply chain attacks are taking substantial hits to both sales and quarterly profitability.
But what about other costs and losses?
The FAIR Institute, a nonprofit that helps businesses measure corporate risk, has published its cyber risk assessment model, Factor Analysis of Information Risk (FAIR), for some time already, and it has become a widely recognized standard for quantitative cyber risk analysis.
Recently, the organization updated its model to account both for the new SEC rules and for current threat actors' tactics (primarily ransomware), producing the FAIR Materiality Assessment Model (FAIR-MAM).
The FAIR-MAM model can be used to quickly estimate probable material loss from a new cyber incident or track incidents as they become material over time.
It provides a more detailed breakdown and description of the cost categories that contribute to loss magnitude (i.e. impact), which is particularly useful for determining when cyber loss exposure becomes a material risk for an organization.
It's useful to focus here on the 10 primary cost modules or categories that contribute to a cumulative impact or cost resulting from a cyber incident:
Information privacy response costs and fines (in particular, sensitive PII loss)
Proprietary data loss (trade secrets or other intangible assets lost)
Business interruption costs
Cyber extortion (ransom)
Network security response and recovery costs
Financial fraud (business email compromise and funds stolen)
Media content, i.e. media response costs
Hardware bricking, i.e. replacing servers or laptops (if needed)
Post breach improvements (mandatory and voluntary)
Reputational costs (cyber insurance, increased cost of capital, employee churn, customer retention, market value, etc.)
The list makes it easier to analyze the magnitude of a potential loss and ultimately put a monetary figure on it. It is worth adopting even if you are not an SEC-regulated company, since cyber attacks will continue unabated.
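To make the roll-up concrete, here is an added example (my own illustration, not FAIR Institute code and not the FAIR-MAM method itself) of how the ten cost modules above can be turned into a loss distribution and a materiality probability. It assumes, for illustration only, that each module is estimated as a low / most-likely / high dollar range sampled from a triangular distribution, that module losses are independent and simply add up, and that "material" means the total exceeds a percentage of pre-tax income (5% here, a common accounting rule of thumb, not something the post or FAIR prescribes). The module names, the LossRange/simulate/assess functions and the ransomware scenario figures are all constructed for this example.

```python
"""Hypothetical FAIR-MAM-style loss roll-up with a Monte Carlo materiality check.

Added example, not FAIR Institute code. Assumptions (not from the post):
- each cost module is a low / most-likely / high dollar range, sampled from a
  triangular distribution (a stand-in for the PERT curves FAIR analysts use),
- an incident's total loss is the sum of independent module samples,
- "material" means total loss >= a percentage of pre-tax income (analyst's choice).
"""
import random
from dataclasses import dataclass

# The ten primary FAIR-MAM cost modules listed in the post, as identifiers.
MODULES = (
    "information_privacy",        # response costs and fines, sensitive PII loss
    "proprietary_data_loss",      # trade secrets / intangible assets
    "business_interruption",
    "cyber_extortion",            # ransom
    "network_security_response",  # response and recovery
    "financial_fraud",            # BEC, stolen funds
    "media_content",
    "hardware_bricking",
    "post_breach_improvements",
    "reputation",                 # insurance, cost of capital, churn, market value
)


@dataclass(frozen=True)
class LossRange:
    """Low / most-likely / high estimate for one cost module, in dollars."""
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not 0 <= self.low <= self.likely <= self.high:
            raise ValueError(f"need 0 <= low <= likely <= high, got {self}")


def validate_scenario(scenario):
    """Reject unknown module names so a typo cannot silently drop a cost bucket."""
    if not scenario:
        raise ValueError("scenario has no cost modules")
    unknown = set(scenario) - set(MODULES)
    if unknown:
        raise ValueError(f"unknown cost modules: {sorted(unknown)}")
    return True


def simulate(scenario, n=10_000, seed=7):
    """Return (totals, per_module): totals[i] is the i-th simulated incident's
    total loss; per_module[name] holds that module's samples."""
    validate_scenario(scenario)
    rng = random.Random(seed)  # fixed seed so a reviewer can reproduce the numbers
    totals = []
    per_module = {name: [] for name in scenario}
    for _ in range(n):
        total = 0.0
        for name, r in scenario.items():
            x = rng.triangular(r.low, r.high, r.likely)  # signature is (low, high, mode)
            per_module[name].append(x)
            total += x
        totals.append(total)
    return totals, per_module


def percentile(values, p):
    """Nearest-rank percentile of values, p in [0, 100]."""
    s = sorted(values)
    k = max(0, min(len(s) - 1, int(round(p / 100 * (len(s) - 1)))))
    return s[k]


def probability_material(totals, threshold):
    """Fraction of simulated incidents whose total loss meets or exceeds threshold."""
    return sum(1 for t in totals if t >= threshold) / len(totals)


def assess(scenario, pre_tax_income, materiality_pct=5.0, n=10_000, seed=7):
    """Summarise the loss distribution and the chance the incident is material."""
    totals, per_module = simulate(scenario, n, seed)
    threshold = pre_tax_income * materiality_pct / 100
    driver = max(per_module, key=lambda m: sum(per_module[m]))  # biggest mean contributor
    return {
        "threshold": threshold,
        "p10": percentile(totals, 10),
        "p50": percentile(totals, 50),
        "p90": percentile(totals, 90),
        "prob_material": probability_material(totals, threshold),
        "largest_driver": driver,
    }


# Constructed ransomware scenario for a mid-size company; the figures are illustrative only.
RANSOMWARE_SCENARIO = {
    "business_interruption": LossRange(2_000_000, 6_000_000, 20_000_000),
    "cyber_extortion": LossRange(0, 1_500_000, 5_000_000),
    "network_security_response": LossRange(500_000, 1_200_000, 3_000_000),
    "information_privacy": LossRange(0, 800_000, 4_000_000),
    "post_breach_improvements": LossRange(300_000, 1_000_000, 2_500_000),
    "reputation": LossRange(0, 500_000, 5_000_000),
}

if __name__ == "__main__":
    result = assess(RANSOMWARE_SCENARIO, pre_tax_income=120_000_000)
    for key, value in result.items():
        print(f"{key:>15}: {value:,.2f}" if isinstance(value, float) else f"{key:>15}: {value}")
```

Two design points matter more than the arithmetic. First, unknown module names are rejected rather than ignored, because the most common way a quantitative estimate goes wrong is a cost bucket silently left out. Second, the output is a distribution (p10/p50/p90 and a probability of crossing the threshold), not a single number: that is what lets you say "this incident has roughly an X% chance of becoming material" on day one and then narrow the ranges as the investigation progresses, which is how the post describes FAIR-MAM being used over time.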