New NACD Cyber Risk Handbook for Board Directors Endorses Quantification and FAIR™

May 13, 2020 | Jeff B. Copeland

The Cyber-Risk Oversight 2020 handbook from the National Association of Corporate Directors and the Internet Security Alliance makes a strong statement that cyber risk quantification is a must for boards to exercise proper oversight on cybersecurity – and explicitly mentions Factor Analysis of Information Risk (FAIR™) as one of the enabling risk models. The RiskLens SaaS platform operationalizes cyber risk quantification using the FAIR model.

Listing it as one of its core five principles, the handbook says that “board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.”

The traditional, controls-checklist approach to expressing cyber risk “does not help decision-makers to effectively compare different kinds of cyber risk or to compare cyber risks with other risks faced by the organization,” while quantitative assessment “helps management and boards to make informed decisions about the relative criticality of these risks and funding strategies for their mitigation.”

The handbook also cites Understanding Cyber Risk Quantification: A Buyer’s Guide by FAIR model creator Jack Jones as a resource. And it recommends running multiple risk scenarios to cover a range of outcomes using Monte Carlo analysis – one of the features of the RiskLens platform.

The NACD and ISA authors get down to cases in the section titled “Tool F – Board-Level Cybersecurity Metrics” with a series of questions, each of which can be best answered with FAIR analysis and the RiskLens platform.

Some samples:

What, in quantitative terms, is our risk appetite and how is it measured?

It’s a process of identifying the most critical loss events for the organization with FAIR analysis, then setting the thresholds for unacceptable loss exposure. Get the details in this blog post: How to Set a (Meaningful) Cyber Risk Appetite with RiskLens

How do we measure the effectiveness of our cybersecurity program? 

With RiskLens, you can run cost-benefit analyses of your security initiatives, as described in this post: 4 Steps to Measure Controls’ Effectiveness with Cyber Risk Quantification

How do we measure the contribution of cyber risk to related enterprise business risks? 

The COSO Enterprise Risk Management Framework, the gold standard for ERM, refers to FAIR analysis for quantifying cyber risk in an ERM program. Learn more: 10 Ways RiskLens Can Help Implement COSO’s Cyber Guidance

Based on our financial performance targets, how can cyber risk impact our financial performance? What is our annual cyber risk expected loss value? 

Cyber risk expressed as annualized loss exposure in dollars is a standard output from RiskLens analysis. Learn how to derive strategic risk reporting that looks out across the organization: Quantitative Risk Reporting Stratification: Know Your Audience
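To make the mechanics behind the Monte Carlo, risk appetite and annualized loss exposure points above concrete, here is an added example that is not RiskLens code or the handbook's own material: a small FAIR-style simulation of one loss-event scenario. The scenario ranges and the $1M appetite threshold are constructed for illustration; the frequency is drawn from a triangular distribution, the number of events per year from a Poisson draw, and per-event loss from a lognormal fitted to a 90% confidence interval.

```python
import math
import random

# Constructed inputs for one FAIR loss-event scenario; illustrative ranges, not RiskLens data.
SCENARIO = {
    "lef_per_year": (0.1, 0.5, 2.0),            # loss event frequency: min, most likely, max
    "loss_per_event_usd": (50_000, 2_000_000),  # 90% confidence interval for loss magnitude
}

def lognormal_params(low, high):
    """Turn a 90% interval (5th..95th percentile) into lognormal mu and sigma."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * 1.645)
    return mu, sigma

def poisson(rng, lam):
    """Knuth's method: number of loss events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, years=10_000, seed=0):
    """Monte Carlo: sample a whole year of loss events per trial; return the annual loss of each."""
    rng = random.Random(seed)
    lo, mode, hi = scenario["lef_per_year"]
    mu, sigma = lognormal_params(*scenario["loss_per_event_usd"])
    annual = []
    for _ in range(years):
        rate = rng.triangular(lo, hi, mode)  # uncertainty in the frequency estimate itself
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, rate))))
    return annual

def percentile(values, p):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

def summarize(annual):
    """Annualized loss exposure figures a board report would carry."""
    return {"expected_annual_loss": sum(annual) / len(annual),
            "p50": percentile(annual, 0.50), "p90": percentile(annual, 0.90), "max": max(annual)}

def exceeds_appetite(annual, threshold_usd, confidence=0.90):
    """Risk appetite check: does loss at the chosen percentile breach the threshold?"""
    return percentile(annual, confidence) > threshold_usd
```

Calling `summarize(simulate(SCENARIO))` yields the expected annual loss plus the 50th and 90th percentile years, and `exceeds_appetite(losses, 1_000_000)` answers whether the scenario breaches a $1M appetite at 90% confidence.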

In effect, the NACD and ISA have given board members a detailed script they can follow to fulfill their fiduciary duty and meet their regulatory responsibilities. Directors would do well to take it seriously, as it's likely to become a new standard for board behavior regarding cybersecurity.

Download Cyber-Risk Oversight 2020, and especially see the section “Principle 5: Cybersecurity Measurement and Reporting.”