How to Make It All Add Up: Quantifying Cyber Business Interruption Exposures
Cyber business interruption (BI) may be the industry’s fastest-growing risk. Yet research indicates that most organisations have not yet estimated the potential financial impact of an interruption caused by a cyber event.
While the costs of a breach of personal information can be estimated from historical data, cyber BI costs are more difficult to determine ahead of time. This is because costs depend on several factors, including the specifics of the cyber event, the affected organisation’s business model, and its response. For this type of event, a scenario-based analysis can provide value by determining a hypothetical fact base and computing the resultant cost impact.
When using a scenario-based analysis to quantify BI risk, focus on three key factors:
1. Accurate Estimation of the Likelihood and Financial Impact of a Cyber BI Event
Cyber risks have traditionally been described as high, medium, or low risk. But this approach offers little to guide risk management decision making about BI. Cyber BI risk should instead be expressed quantitatively in terms of likelihood (probability within a specified timeframe) and severity (in dollars). The potential cyber BI scenarios that you define should fall within a preselected range of likelihood based on risk management considerations. For example, you may seek to transfer tail risks in the “1-in-100 and beyond” range. Knowing this target upfront can help focus efforts on defining the scenarios most useful for risk management.
2. Identification of Mitigation Options
When cyber BI risk is reliably quantified under a realistic and representative scenario, the result can help identify mitigation opportunities. For significant cyber BI exposures, such mitigation measures might include changing business processes, re-architecting IT infrastructure to improve resilience, enhancing restoration capabilities, and/or strengthening technical cybersecurity controls. Because these decisions are potentially costly, credible estimates of your cyber BI exposure are needed to identify the strategies that will have the greatest impact.
3. Identification of Risk Transfer Options
BI is often underinsured because time and effort are not invested to fully quantify the risk prior to loss. But recently several insurers have introduced new products that allow for broad coverage of cyber BI exposures. Long experience with integrating coverage for non-cyber BI into property insurance policies shows that identification and quantification of the exposure (and therefore the limits required) is essential. Developing a quantitative understanding of cyber BI exposure is therefore the first step in devising effective risk transfer strategies. To optimise your financial investments in cyber BI risk management, decisions on risk mitigation and transfer should be complementary and coordinated.
Focusing on achieving these three key outcomes will help your organisation develop an effective cyber BI risk management and recovery strategy and overcome the challenges posed by potentially devastating cyber events.