Why Four Models — Not One
There is no single correct CRQ model. Each framework was designed to answer a different question, for a different audience, at a different level of precision. Using FAIR v3.0’s full Monte Carlo simulation for a small business email compromise scenario is like using a Formula One engine for a commute — correct in theory, disproportionate in practice. Conversely, using a simple ALE formula for a board discussion about portfolio-level cyber capital allocation misses the uncertainty bounds that boards need.
SEBI CSCRF’s Cyber Risk Quantification (CRQ) mandate (GV function, April 2025) does not prescribe a specific model. It requires that entities quantify cyber risk in financial terms and present it to the board. The four models below cover the range of BFSI contexts from single-scenario CISO briefings to full portfolio capital allocation.
Model 1 — FAIR v3.0
What it answers: What is the annualised loss distribution for a specific threat scenario, with uncertainty expressed as a probability curve rather than a single point?
How it works: FAIR decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM). LEF = Threat Event Frequency × Vulnerability, where Vulnerability is the probability that a threat event becomes a loss event. LM covers primary (direct) and secondary (indirect/liability) losses. FAIR v3.0 runs a Monte Carlo simulation across the input distributions, producing a full loss probability curve. The output is expressed as a percentile range — e.g. “90th percentile loss = ₹47 crore per year” — rather than a single ALE figure.
Best fit for BFSI: Ransomware impact analysis, data breach board reporting, cyber insurance premium justification, budget allocation between controls. The loss distribution format is the most credible output for board members who are familiar with financial risk reporting.
SEBI CSCRF alignment: FAIR v3.0 is explicitly cited as an accepted methodology in the CSCRF guidance. The loss distribution output maps directly to the GV function CRQ reporting requirement.
Model 2 — FAIR-MAM
What it answers: Does this cyber risk scenario cross the threshold of “material adverse impact” as defined by the applicable regulator? And if so, what is the magnitude of that impact in financial terms?
How it works: FAIR-MAM extends FAIR by mapping loss outputs to regulatory materiality thresholds. For Indian BFSI, materiality thresholds include RBI’s financial reporting thresholds, SEBI’s market disclosure requirements, and IRDAI’s solvency margin impact criteria. The model tests whether the 90th percentile FAIR loss crosses any of these thresholds and flags the highest-priority regulatory disclosure obligation.
Best fit for BFSI: Any scenario where the question is not just “how much could we lose?” but “does this trigger a regulatory disclosure?” Particularly relevant for listed banks (SEBI disclosure) and insurers (IRDAI solvency reporting). Also used for CISO-to-CFO briefings where the conversation is about financial statement impact.
SEBI CSCRF alignment: FAIR-MAM directly addresses the SEBI requirement that regulated entities assess whether cyber incidents would qualify as material events under the LODR regulations, which require disclosure within 24 hours of the event.
Model 3 — NIST 800-30 / ALE
What it answers: What is the expected annual financial loss from this risk scenario, expressed as a single number suitable for control investment prioritisation?
How it works: ALE = Annual Rate of Occurrence (ARO) × Single Loss Expectancy (SLE), where SLE = Asset Value × Exposure Factor. NIST 800-30 provides a structured risk assessment methodology that feeds into the ALE calculation. The result is a deterministic single-point estimate — not a distribution — which makes it fast to compute and easy to communicate.
Best fit for BFSI: Control investment justification (“this ₹15 lakh control reduces ₹3.2 crore ALE by 40%”), rapid triage of a large risk register, annual risk assessment baseline where the organisation does not yet have the data maturity for Monte Carlo. Also the model used in the CERT-In 6-hour breach impact assessment.
Limitation: ALE is a single-point estimate. It does not capture tail risk (low-frequency, high-impact events) and is not suitable for board-level capital allocation discussions where the uncertainty bounds matter. Upgrade to FAIR v3.0 when the scenario involves significant tail risk.
Model 4 — Probabilistic VaR
What it answers: What is the maximum cyber loss we should expect to sustain at a 95% or 99% confidence level across our entire asset portfolio, and how much capital should we hold against it?
How it works: Probabilistic Cyber VaR borrows directly from financial risk management. Using a Monte Carlo simulation across the organisation’s full risk scenario portfolio (each scenario modelled with FAIR inputs), the model computes the portfolio-level loss distribution. The VaR figure is the loss that is exceeded only 5% (95% VaR) or 1% (99% VaR) of the time. For Indian banks, this output is directly comparable to the credit VaR and market VaR figures already reported in board risk committees.
Best fit for BFSI: Board risk committee reporting, cyber capital adequacy discussion, cyber insurance limit-setting, RBI stress testing integration. Banks and large NBFCs with a risk committee are the primary users. The output language (“our 99% cyber VaR is ₹380 crore”) is immediately intelligible to CFOs and board members who live in VaR-based risk frameworks.
Data requirement: Probabilistic VaR requires a sufficiently populated scenario portfolio. RiskSage provides 110 pre-calibrated BFSI scenarios as the starting point, reducing the cold-start problem significantly.
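An added worked example (written for this page; not RiskSage's code and not a FAIR reference implementation) that ties Models 1, 2 and 4 together: a stdlib-only Monte Carlo over FAIR inputs (LEF = TEF × Vulnerability, LM = primary + secondary), a FAIR-MAM style materiality test on the 90th percentile loss, and a trial-by-trial portfolio aggregation read off at the 95% and 99% points as VaR. The two scenarios, the distribution shapes (uniform input ranges, Poisson event counts) and the ₹ crore thresholds are constructed assumptions, not regulator figures or RiskSage calibrations.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    tef: tuple            # Threat Event Frequency per year, uniform (low, high) range
    vulnerability: float  # probability that a threat event becomes a loss event
    primary: tuple        # primary loss per loss event in ₹ crore, uniform (low, high)
    secondary: tuple      # secondary (liability/indirect) loss per event, same form

def poisson(rng, lam):
    """Knuth sampler: number of loss events in one simulated year, given LEF = lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate_annual_losses(s, trials=10_000, seed=0):
    """Monte Carlo over FAIR inputs: LEF = TEF x Vulnerability, LM = primary + secondary."""
    rng, losses = random.Random(seed), []
    for _ in range(trials):
        lef = rng.uniform(*s.tef) * s.vulnerability
        losses.append(sum(rng.uniform(*s.primary) + rng.uniform(*s.secondary)
                          for _ in range(poisson(rng, lef))))
    return losses

def percentile(values, q):
    """Nearest-rank q-th percentile (q in 0..1) of a sample; no interpolation."""
    return sorted(values)[max(0, min(len(values), math.ceil(q * len(values))) - 1)]

def materiality_flags(p90_loss, thresholds):
    """FAIR-MAM style test: regulatory thresholds (name -> ₹ crore) the p90 loss reaches."""
    return [name for name, limit in thresholds.items() if p90_loss >= limit]

def portfolio_var(per_scenario_losses, q):
    """Sum losses trial-by-trial across scenarios, then read the q-th percentile as VaR."""
    return percentile([sum(trial) for trial in zip(*per_scenario_losses)], q)

if __name__ == "__main__":
    # Constructed illustrative portfolio; thresholds are assumed placeholders, not regulator figures.
    portfolio = [Scenario("ransomware", (0.5, 2.0), 0.3, (5, 40), (2, 30)),
                 Scenario("bec", (10, 30), 0.1, (0.1, 2), (0, 0.5))]
    runs = [simulate_annual_losses(s, seed=i) for i, s in enumerate(portfolio)]
    thresholds = {"assumed LODR materiality": 25.0, "assumed solvency impact": 60.0}
    for s, losses in zip(portfolio, runs):
        p90 = percentile(losses, 0.90)
        print(f"{s.name}: p90 = ₹{p90:.1f} crore, crosses {materiality_flags(p90, thresholds)}")
    print(f"portfolio VaR 95% = ₹{portfolio_var(runs, 0.95):.1f} crore, 99% = ₹{portfolio_var(runs, 0.99):.1f} crore")
```

Because each scenario's annual losses are kept per trial, the portfolio VaR reflects years in which several scenarios hit at once, which is exactly the tail that a single-point ALE cannot show.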
Side-by-Side Comparison
| Model | Best For | Output Type | Data Requirement | SEBI CSCRF Use |
|---|---|---|---|---|
| FAIR v3.0 | Single-scenario board briefing, cyber insurance, control budget | Loss probability curve (₹ crore) | Moderate — 3–6 data inputs per scenario | GV: primary CRQ model cited |
| FAIR-MAM | Regulatory materiality assessment, LODR disclosure triage | Materiality pass/fail + impact (₹) | Low — extends FAIR output | GV + RS: incident reporting triage |
| NIST 800-30/ALE | Risk register triage, control investment justification | Single ALE figure (₹ lakh/crore) | Low — 3 inputs, fast to compute | ID: risk assessment baseline |
| Probabilistic VaR | Board risk committee, capital allocation, insurance limits | 95th/99th percentile portfolio loss (₹ crore) | High — requires populated scenario portfolio | GV: portfolio-level capital adequacy |
RiskSage CRQ Engine: All Four Models in One Platform
RiskSage ships all four models as part of its CRQ Engine, with 110 pre-built BFSI use cases calibrated for Indian data loss costs, regulatory fine structures, and BFSI-specific incident frequency data. The platform automates the model selection logic — for any risk scenario, the CRQ Engine recommends the appropriate model based on the scenario type, available data, and the output audience (CISO, CFO, board, regulator).
The CISO Command Dashboard’s Board Risk widget runs Probabilistic VaR across the full scenario portfolio in real time. When a new VAPT finding is ingested or a compliance task goes overdue, the portfolio VaR updates automatically — so the board always sees the current number, not a quarterly snapshot.
Run All Four CRQ Models on Your Risk Portfolio
110 pre-calibrated BFSI scenarios. Automated model selection. Board-ready ₹ crore loss distribution and portfolio VaR — updated in real time as your risk posture changes.