With cybersecurity incident disclosures showing up more often in Securities and Exchange Commission filings, courtesy of the agency’s mandate, a key question lingers about the financial damages publicly traded companies could confront from these material events.
A materiality assessment model unveiled this week by the risk-management organization FAIR Institute aims to quantify those losses with an assist from the FAIR Materiality Assessment Model open-source framework.
“How Material is That Hack?” went live Tuesday at the FAIR Institute’s annual conference with details about five recently disclosed cyberattacks against MGM Resorts, Caesars Entertainment, Johnson Controls, Clorox and Progressive Leasing.
The tool estimates that, “most likely,” these five incidents will result in primary and secondary costs of $663 million.
The FAIR Institute and its founding partner, Safe Security, which runs the online calculator, said more data and resources will be added on an ongoing basis.
The online calculator isn’t automated but rather serves as a model for how data from SEC filings and other publicly available information can help organizations and other stakeholders quantify materiality assessments. The effort is less about the tool and more about creating a standard for an organization’s cyber risk and potential materiality impact.
“The goal of the ‘How Material is that Hack’ online resource is to be a robust repository of breaches and not limited to a particular threshold. The tool is designed to answer questions and guide cyber risk and materiality decision making,” Pankaj Goyal, director of standards and research at FAIR Institute and COO at Safe Security, said via email.
FAIR-MAM can create a unique cyber loss model for organizations and, when paired with risk quantification analysis and benchmark data, it can estimate financial risk on an ongoing basis for risk scenarios that matter most to the business.
The effort brings transparency to security incidents and helps provide estimates that can guide business decisions, according to Brandon Pugh, director of cybersecurity and emerging threats at R Street Institute.
“This is especially relevant since a materiality decision is not concrete, but instead relies on a variety of factors and considerations,” Pugh said.
“However, I recommend it be used as one tool to aid decisions, rather than being solely relied upon since estimates are not foolproof,” Pugh said.
The calculator estimates materiality for potential financial damages linked to information privacy, business interruption, cyber extortion and network security. For the ransomware attack against Progressive Leasing, the tool estimates costs up to $91 million for information privacy and up to $1.3 million for network security.
The framework can also forecast materiality pre-incident and calculate financial risk based on actual information after an incident occurs. “It can help companies proactively plan their risk scenarios and manage risk on an ongoing basis,” Goyal said.
Companies that use the FAIR-MAM model to define materiality thresholds can identify their top cyber risk scenarios and each scenario’s potential materiality, and then prioritize efforts on the risks that could have the highest impact on the business.
The tool also serves as a financial cost model for companies that want to determine potential losses and compare those estimates with predetermined materiality thresholds. Those loss estimates could help businesses decide if and when a cybersecurity incident needs to be reported to the SEC, according to the FAIR Institute.