The National Association of Corporate Directors (NACD) 2018 members survey on corporate governance found that nearly a quarter of the directors were dissatisfied with reporting on cybersecurity, in particular faulting management for not providing enough “transparency into problems.” And no wonder, with cybersecurity metrics at so many organizations still reported in confusing technical terms or subjective, color-coded charts.
There is a way to bring cyber risk reporting in line with the rest of enterprise risk management, as RiskLens CEO Nick Sanna and R&D Vice President Jack Jones, creator of the FAIR model, will explain at a roundtable discussion hosted by the NACD, “Demand More–Cyber Risk Reporting in Dollars and Sense,” November 13 in San Francisco (event details).
FAIR (Factor Analysis of Information Risk) is the international standard for risk quantification, enabling financial analysis of cyber and operational risk. RiskLens is the only platform purposely built to run FAIR analyses.
An estimated 30% of the Fortune 100 use FAIR as a foundation for risk management. At the recent FAIR Conference, held at Carnegie Mellon University, speakers from Walmart, ADP, PNC, Fidelity and Charles Schwab shared their success stories in assessing cyber risk in dollars and cents.
A recent Wall Street Journal article profiled the FAIR program at Charles Schwab and quoted a Schwab executive saying, “The key value that FAIR provides is a consistent way to communicate [cyber] risks and what we should be doing about them as a firm… That will allow us to get away from articulating our exposure from just a color coded heat-map perspective…It evolves the conversation at the board level around those metrics and gets it away from the technical security jargon sort of discussion.”
For a preview of Jack Jones’ thinking on improving metrics, see the article he wrote for the NACD blog in collaboration with RiskLens board member and corporate governance authority James Lam, Getting the Right Cybersecurity Metrics and Reports for Your Board.
Board-level concerns are driving FAIR adoption, not just for clarity around metrics but to meet regulatory responsibilities. The SEC’s guidance document on cybersecurity risk disclosure issued this year, for instance, firmly guided public companies away from merely listing “risk factors” described in qualitative terms, and toward disclosing the costs associated with potential data breaches or other cyber risks in monetary terms. Just last week, the SEC issued another warning that public companies should tighten their payment procedures to protect against email and other cyber fraud or risk violating securities rules on accounting controls.
Come hear Jack Jones and Nick Sanna on November 13 at The City Club of San Francisco, 155 Sansome Street, 10th Floor, program starting at 11:30 AM. See the event details here.