Case Study
A US healthcare chain with numerous facilities in multiple states just discovered that ransomware has hit several of its hospital networks, encrypting data and forcing a stop to critical revenue-generating medical procedures. A clock starts ticking – as a public company, this healthcare provider must disclose to the Securities & Exchange Commission within four days if it discovers the projected loss would have a “material” impact on the company’s finances. That’s got the Board’s attention – it wants cost estimates now.
New Rules from the SEC Make the FAIR-MAM Model a Must-Have
The Securities and Exchange Commission approved rules in 2023 that confronted many of its 5,000 regulated companies with the inconvenient truth that they might not be equipped to assess and disclose material cyber risks in a timely, accurate, ongoing, and defensible way. The rules require organizations to:
- Disclose a cyber loss event within four business days of determining the material impact.
- Disclose when past events that may have been unreported cumulatively reach material levels.
- Describe to regulators in periodic reports (such as the yearly 10-K) a program to manage material cyber risks, including the roles and responsibilities of the Board and management.
To make matters more complicated, the SEC did not give new guidance on determining materiality, keeping the general rule that a “reasonable shareholder” would consider the information important – and leaving companies responsible for defining a material event.
Safe Security Launches Industry’s First Implementation of FAIR-MAM™ with the Safe FAIR-MAM Module
"Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. The key word here is 'material' and being able to determine what that actually means.” - Saket Modi, CEO of Safe Security
Safe Security, the leader in helping organizations measure, manage, and transfer cyber risk, is the first to launch the Safe FAIR-MAM Module as an implementation of the FAIR Materiality Assessment Model, a new standard in quantifying loss in financial terms for cyber events.
The Safe FAIR-MAM Module is a bottom-up, fully tunable model based on FAIR-MAM. It is designed to enable Security and Risk leaders to present defensible, company-specific quantified cyber risk to stakeholders, including the C-Suite and Board of Directors.
The Safe FAIR-MAM Module is based on the Mutually Exclusive and Comprehensively Exhaustive (MECE) principle to enhance clarity and avoid repetition in attack cost calculations. It has multiple cost categories and subcategories to accommodate all types of cyber losses.
Figure: The Safe FAIR-MAM Module
At the lowest level, every cost category has multiple cost drivers with benchmark values that make up the components for that cost category (for example, number of hours and cost per hour, among others). All costs are represented as a lower and upper bound range and an expected cost, usually the mean between the upper and lower bounds.
Users of the SAFE Platform will find an immediate application for FAIR-MAM to quickly determine if a cyber incident will have the most serious, material effects on the organization. This is a capability in high demand with the adoption by the U.S. Securities and Exchange Commission of new rules on speedy disclosure of material loss after a cyber event. With the Safe FAIR-MAM Module, organizations will be able to quickly get a read on materiality, a result that typically takes weeks.
What Is FAIR-MAM?
Organizations use the FAIR model to quantify the probable frequency and probable loss magnitude of cyber events. FAIR-MAM deepens and extends the loss magnitude side of FAIR to support a more granular and accurate analysis. It can be used as a template for the creation of a complete cyber loss model, adjustable to the unique asset profile and cost posture of any size company in any industry or geography.
Beyond response to a cyber incident, FAIR-MAM enables organizations to estimate and manage financial risk on an ongoing basis for any number of top risk scenarios when used proactively and continuously.
But here’s a key point: To achieve a working model of FAIR-MAM requires the development of an application, a continuous flow of data inputs, and FAIR expertise – all capabilities that Safe Security brought to bear to launch the first implementation of FAIR-MAM.
Beyond SEC Compliance: Use Cases for FAIR-MAM
While SEC rules on disclosure are the driver for publicly traded companies to implement FAIR-MAM, any company needs to set a risk appetite based on quantified targets -- including a working definition of material risk levels -- to manage cyber risk responsibly. Other ways that FAIR-MAM will be used through the SAFE Platform include:
- Proactively calculate and track risk before an incident becomes material; model estimated financial losses from top risk scenarios with FAIR-MAM to cost-effectively target security or cyber insurance investments.
- Assess materiality after an incident based on FAIR-MAM’s comprehensive framework, tailored to the risk scenarios or business assets targeted, and prepare for the probable financial impact to follow.
- Track materiality post-incident. Forensic and legal discovery related to cyber loss events can continue for extended periods when assessing all immediate primary costs (quantitative in SEC language) resulting from regulatory implications and requirements after a breach. Then, there are the secondary (or ‘qualitative” in SEC language) cost considerations related to the likelihood that the company will be notified of regulatory investigation(s) and/or litigation filed in relation to the breach.
After any such notifications, there are the legal defense costs to be considered, as well as the determination of the likelihood and magnitude of any monetary fines and/or settlements being imposed on the company (secondary costs). It could take years before all regulatory and or litigation proceedings were concluded. Our dynamic model built on FAIR-MAM adapts as new inputs could trigger a predetermined materiality threshold as well as help the company track the ongoing total cost of an attack.
Our healthcare chain had the foresight to build out a FAIR-MAM instance on the SAFE Platform. As FAIR practitioners, the cyber risk management team had already populated some of the loss modules with high-level data. On Day One of the breach reaction, the team fans out to collect fresh and in-depth data from Legal, Finance, Incident Response, and other sources to provide the specificity needed to perform detailed analysis on the cost inputs. On Day Two, they began testing the model, inputting refined data, such as the percent of daily revenue interruptions from each impacted hospital. On Day Three, the risk managers have an answer for the Board: the incident probably won’t exceed the pre-determined materiality level because their frequently practiced incident response and business interruption procedures enabled the company to quickly bring revenue-generating systems and processes back online.
However, on Day Six, the forensic investigators discovered that a large number of employee records had been exfiltrated during the attack. Using Safe’s FAIR-MAM module, the risk team finds that the forensic and legal investigation costs to identify, notify, and monitor each affected employee would put the company above the materiality threshold when combined with the already costly revenue interruption. Accordingly, the company could file a Form 8-K that offered investors guidance on the quantitative and qualitative material costs related to the security incident.
If you’re interested in learning more about how Safe Platform equips your business to meet the SEC’s requirements – and helps you better understand material cyber risk – Schedule a demo with a Safe Security cyber risk expert today.
Read the FAIR-MAM white paper from the FAIR Institute: An Introduction to the FAIR Materiality Assessment Model (FAIR-MAM) | A free FAIR Institute membership is required: Join now
We’re also running special FAIR-MAM sessions at the 2023 FAIR Conference in Washington on October 17th and 18th. Haven’t registered yet? Register using the code “SAFE20FAIRCON” and save up to $300.