FAIR Institute Releases 2025 State of Cyber Risk Management Report

26 June 2025, 14:30

Automation, Quantification, and Business Value Define the New Era for Cyber Risk Leaders

WASHINGTON, June 26, 2025 /PRNewswire/ -- The FAIR Institute today released its 2025 State of Cyber Risk Management Report, revealing an ongoing shift in how leading organizations manage digital risk. Sponsored by GuidePoint Security and SAFE and based on insights from 402 cyber risk leaders from around the globe, the report reveals that cyber risk management (CRM) has evolved from a siloed compliance function into a strategic discipline that informs executive decision-making.

"The way we manage cybersecurity and technology risk is increasingly quantified, data-driven, and aligned to business outcomes and value," said John Sapp, CISO, Texas Mutual Insurance Company and FAIR Institute Board Member. "This report confirms what many of us have felt, that our risk management efforts are no longer constrained to regulations and standards and that we have the power to create risk-weighted returns for our businesses."

Key findings include:

  • CRM is fueling business outcomes. High-maturity organizations report improved credibility, better alignment, optimized cybersecurity spending, measurable risk reduction, and a more proactive cybersecurity posture.
  • Technology-focused C-suite decision makers benefit most. In particular, CTOs, CIOs, CISOs, and Chief Risk Officers are the primary consumers of cyber risk information, using it to inform their strategy, investments, and resource allocation.
  • Quantification has gone mainstream. Nearly half of the respondents use or plan to adopt the Factor Analysis of Information Risk (FAIR) model for financially driven risk analysis.
  • Automation, AI, and data are foundational. Seven in ten respondents have automated most or all of their CRM processes; nearly half are using AI to scale and mature their programs; and a strong majority integrate operational data into their risk systems.
  • Demand for CRM is growing, especially for those with mature programs. Nearly all respondents said internal demand for CRM is growing. Among those reporting high or very high CRM maturity, nearly a quarter report that demand will significantly increase.
  • The board sets expectations for risk management, but is not engaged enough. Nearly all respondents have defined risk appetite and tolerance levels that are formally approved by the boards; however, boards consume cyber risk information in less than half of the participating organizations.

"It's encouraging to see that boards are consistently defining risk appetite to guide cyber risk teams," said Yvette Kanouff, public company board member and partner with JC2 Ventures. "As risk quantification has evolved, particularly with the FAIR standard, I anticipate CIOs and CISOs will use quantitative risk information as a regular part of their board reporting."

"This research reveals what we've experienced first-hand," said Michael Walters, CISO for Washington State University. "We found that using FAIR to quantify risk in dollar terms helped our business partners understand the implications of cyber issues. They now see cyber risks as business risks, not just technical risks owned by somebody else."

Backed by data and peer insights, the report highlights best practices, trends, and challenges, from integrating CRM into business operations to overcoming resistance and governance gaps.

The report is available now at fairinstitute.org/state-of-crm-2025.

About the FAIR Institute

The FAIR Institute is a non-profit professional organization dedicated to advancing the discipline of measuring and managing cyber and operational risk. With over 17,000 members worldwide, the Institute is recognized as a leading authority on cyber risk quantification and best practices in management. The FAIR Cyber Risk Management Framework, based on the industry's leading CRQ methodology, has been adopted by organizations across sectors to enhance security governance and risk-informed decision-making.

About GuidePoint Security

GuidePoint Security provides trusted cybersecurity expertise, solutions, and services that help organizations make better decisions that minimize risk. GuidePoint's experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources, and implement best-fit solutions. GuidePoint's unmatched expertise has enabled 40% of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at www.guidepointsecurity.com.

About SAFE

SAFE is redefining cyber risk management through Agentic AI. SAFE helps CISOs, GRC, and TPRM leaders continuously and efficiently quantify, prioritize, and mitigate cyber risks — enabling digital growth and resilience. SAFE is the category leader in Cyber Risk Quantification (CRQ) and the first vendor to deliver fully autonomous Third-Party Risk Management. Trusted by global enterprises such as Google, Fidelity, T-Mobile, Chevron, and Peloton, SAFE has achieved over 100% year-over-year revenue growth for three consecutive years and has raised over $100m. Learn more at www.safe.security.

For press inquiries, please contact:

Todd Tucker
Managing Director
Email: TTucker@FAIRInstitute.org


View original content: https://www.prnewswire.com/news-releases/fair-institute-releases-2025-state-of-cyber-risk-management-report-302491719.html

SOURCE FAIR Institute