How Enterprises Can Measure & Report on Cyber Risk

In assessing cyber risk posture, enterprises often lack options that effectively report cyber risk in a manner understandable to senior business executives and boards. These options can lack financial and business context, and transparency around process and methodology. They are also often mired in jargon that is not relatable to a non-technical audience. This piece explains how companies can benefit by implementing cyber resilience exercises to help all stakeholders understand the full economic and systemic impact of a cyber incident.

Cyber Risk Reporting Methods 

Consider the current cyber risk reporting options available to communicate to executive leadership and the board:

• External analysis: This attempts to measure cyber risk by analyzing publicly available information about companies. The process has several shortcomings due to a lack of company context and cooperation including:
  • Errors due to limited data validation.
  • Lack of consideration of internal controls and defenses.
  • Sole focus on technical aspects of the cyber attack surface.
• Internal analysis: These management-prepared cyber risk updates seek to evaluate a company’s risk exposure. The maturity of this approach varies widely due to personnel and organizational maturity. While some tools and platforms can assist the process, all but the largest organizations are challenged to effectively maintain this approach.
• Loss modeling: This method factors a company’s size, sector and historical cyber incident data to determine overall cyber risk. Primarily used by insurance brokers and underwriters, it rarely contextualizes the individual company’s performance and defenses. Moreover, these exercises typically rely on surveys rather than examining data to determine cyber posture.

How to Model Cyber Loss 

Organizations should consider an approach that addresses a combination of outside-in, inside-out and economic loss modeling relative to the cyber risk exposure, including:

• Remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners to maintain relationships after an attack.
• Increased cybersecurity protection costs, which may include the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants.
• Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack.
• Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.
• Increased insurance premiums due to deficient security controls.
• Reputational damage that adversely affects customer or investor confidence.
• Damage to the company’s competitiveness, stock price and long-term shareholder value.

Boards of directors and management are also expected to demonstrate to investors due care in the governance and oversight of cyber risk. Moreover, global regulators continue to roll out privacy rules that are underpinned by the need for strong cyber hygiene with severe consequences for failure. These strong regulatory signals, combined with pervasive global dialogue, represent a rising tide in the need for strong cyber risk oversight and will impact the decision-making and expectations from investors during the next decade.

RELATED CONTENT:  Educating the Board of Directors on Information Security

Understand the Scope of Cyber Risk

Boards and senior executives still lack a comprehensive understanding of their cyber exposure and their organization’s ability to recover from an attack. An approach that leverages a 360 inside-out/outside-in enterprise view aligned to cyber scenarios and economic exposure is needed. Regulators, investors, business executives and board directors should expect transparency and independence in this process.

Targeted exercises involving the entirety of the enterprise, starting with the board on down, should cover:

• Key cyber scenarios that create material exposure to the business. An example could center around a ransomware attack disrupting a major portion of the business while siphoning data from the network.
• Business impact associated with the following cyber-attack categories: business interruption, fraud, intellectual property (IP) theft and loss of customer data. Organizations should run exercises for all of these.
• Cyber defenses and exposures relative to peers. Hiring an external consultant for the exercise might bring a benchmarking perspective.
• Aggregate enterprise-level cyber exposure, in economic and business terms.
• Risks the enterprise is willing to accept and transfer using cyber insurance.
• Measuring the improvement of cyber risk reduction and investments in defenses over time.

Cyber Resilience Exercise Best Practices

Modeling a sound cyber resilience exercise requires the entirety of the enterprise, from the board of directors down to management. To be successful, organizations should consider:

• Expressing cyber risk in terms of economic and business risk to ensure the entire enterprise understands the issues and participates.
• Using cyber risk financial analytics as the engine to operationalize the management of financial exposure to cyber risk across the enterprise.
• Shifting the dialogue from the technology to the business impact. This is critical to establishing a successful cyber resilience exercise. Organizations should establish an overarching enterprise-level cyber resilience exercise combined with targeted drills by business unit and other functions such as IT and finance.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.