Quantification Adds Up to Better Cyber Risk Management
Managing cyber risk means different things to different people within an organization. To the chief financial officer, it means building an insurance program. To the chief information security officer, it means implementing technology and protocols. To the general counsel, it means complying with myriad regulations. But with technology ingrained in virtually every business function, cyber exposures and vulnerabilities have multiplied. To effectively manage cyber risk, those stakeholders need to engage each other across internal boundaries.
Bringing all of those stakeholders together, however, can be challenging. That’s where cyber risk quantification can help.
A Lingua Franca
Despite a clear consensus that cyber represents a significant risk for businesses, many have yet to calculate the potential financial impact of a cyber event. Moreover, individual managers typically see only the risk aspects relevant to their function. And they often each speak a different “language.”
Quantifying cyber risk allows you to express cyber risk in a language common to all business stakeholders: economics. Equally important, quantification allows organizations to frame cyber in the same terms as other business risks and evaluate risk management investments on the same financial basis.
Data-Based Investment Decisions
Beyond providing a common method of expression, quantification allows a business to better understand the size of its risk: Is our value at risk $10 million, or $100 million? And it enables prioritization of those risks: Is our biggest vulnerability data breach, technology interruption, or regulatory liability?
While qualitative terms like “high,” “medium,” or “low” are imprecise, quantitative modeling produces objective and actionable data to guide capital allocation decisions. Knowing the range of potential losses and areas of maximum risk enables better decision-making relative to your organization’s risk tolerance and capital allocation, including how much insurance coverage to buy, how to direct investments in cybersecurity technology and training, and more.
Oversight and Transparency
A quantitative approach can also create a foundation for improved management of other critical cyber risk management functions, such as regulatory compliance. The Securities and Exchange Commission (SEC) outlined new requirements in 2018 for public companies to quantify and disclose their cybersecurity risks, report material cyber events, and outline their boards’ role in cyber risk oversight.
Savvy investors — including institutional investors and fund managers — have come to view cybersecurity as an essential component in their analysis and valuation and thus now want the same information. To that end, they’re seeking to understand the potential effect of cyber events on financial performance and market value. This means that responsibility for cyber risk disclosures must move from the investor relations function to the boardroom — yet another reason to use cyber quantification to broaden internal discussions.
As the cost of cyber events continues to rise, businesses are seeking better methods to prioritize and evaluate risk investments. Uninformed spending is no longer acceptable. Instead, businesses should measure and evaluate cyber risk in financial terms, just as they do other critical risks that can make or break their bottom lines.
If you’re attending RIMS 2019 in Boston, you can learn more about how to measure and manage cyber risk at the Marsh Cafe in Hall C (East Side) of the Boston Convention & Exhibition Center. Visit www.marshatrims.com for more information.