In a new article for FinTech Weekly, A Value-at-Risk Model for Cyber? Yes, It Exists. And Watch Out for Fakes, RiskLens CEO Nick Sanna writes that the FAIR model brings to cyber risk the same value-at-risk discipline that banks and other financial institutions apply to capital requirements for credit, operational and market risk.
Conventional wisdom has been that couldn’t be done, Nick writes, and, as a result, the finance industry has had to settle for less in cybersecurity risk reporting: IT-centric “maturity models” with checklists of best practices--or straight-out guesswork risk rating.
Lately, Nick warns, marketers have been repackaging the checklists model as “cyber risk exposure.” They run vulnerability scans and other technical checks, put a number on your assumed level of risk, and call it “risk quantification.”
But true cyber risk quantification for VaR applies probabilities to estimate likely losses from cyber threats during a given timeframe – and that’s the outcome from FAIR analysis, the model behind the RiskLens platform. “True cyber risk quantification enables a whole new class of decision-making,” Nick writes.
In any event, Nick warns, cyber VaR is rapidly becoming a necessity, not a choice: Regulators like the New York State Department of Financial Services and the Securities and Exchange Commission are sending a clear message: “Follow a standard cyber value-at-risk model and report cyber risk in financial terms or you’ll hear from us.”
Read A Value-at-Risk Model for Cyber? Yes, It Exists. And Watch Out for Fakes at FinTech Weekly.
Output from a FAIR analysis: