Virtually every organization struggles to identify and quantify the risks it may face. That is especially true of cyber risk, as boards and senior management teams see news headlines on major cyber events and begin to ask, “Can that happen here, and what would that mean for our business?”
The first part of that question has an easy answer: yes, a major breach or ransomware attack can happen. Businesses now recognize that cyber events do not occur only at large retail corporations, global financial institutions or national health care plans. Organizations of all sizes, in all industries, are exposed as the threat of malicious attacks increases.
It is the second part of the question – what impact would a cyber event have – that organizations find far harder to answer. To begin to answer that question, it’s helpful to turn to an analytical model, experts say.
Mike Giacobbe, executive vice president and head of analytics and consulting at JLT Specialty USA, a division of JLT Group, explains that a useful model for a given organization can be built with techniques that are not exclusive to cyber risk.
“It starts with risk assessment and risk identification,” he said. “What are the organization’s true risks? That’s the starting point. Businesses need to ask, ‘What are we worried about? Why are we worried about those events? What will they do to the organization?’ Risk management needs to work with other departments to understand what the threat vectors are,” he said.
In a recent survey of corporate executives conducted by Harvard Business Review Analytic Services and sponsored by JLT, 60% of respondents said their organizations have developed and implemented one or more risk models for cyber threats. Yet only 40% have attempted to quantify the business impact – meaning a majority of organizations are unsure of the impact of potential cyber events.
Those results are not particularly surprising to JLT’s Giacobbe. “Businesses are really challenged to quantify risks where there is limited historical experience,” he said. “In general, people feel more comfortable using historical data to predict the future. The challenge is, the cyber risk landscape is extremely dynamic – which limits our ability to use historical data to accurately predict future events. Therefore, it forces individuals and teams to move from a historical-based approach to an emerging risk perspective – and generally outside of their comfort zone.”
But the stakes in cyber risk are high. There is little room for organizations to postpone quantifying – and mitigating – the impact of cyber events. As regulatory scrutiny of cyber security practices and calls for accountability become more common, pressure on boards and the C-suite is intensifying. Just ask the CEOs in the past several years who have been subpoenaed to testify before congressional hearings about why their companies failed to protect their customers’ data. Public criticism of how corporations handle cyber events, in many cases, is a precursor to executive exits.
To begin to put an organization’s cyber risk into a financial context, the organization’s leadership and operations teams must collaborate and exchange information. A pervasive threat such as cyber attack cannot be understood fully or mitigated appropriately by a single individual or department.
The Harvard Business Review Analytic Services survey, however, found that many organizations struggle to collaborate and integrate their resources around cyber issues. A functional team, for example, might include an organization’s chief information security officer or chief security officer, compliance, the general counsel and procurement. Only 20% of respondents said their functional team was “very integrated,” while 37% said it was “somewhat integrated,” and 27% said it was minimally or not at all integrated.
“Organizations can follow a process to build an analytical model, even when there is a shortage of data,” Giacobbe said. Assumptions are inevitable in early iterations, but those assumptions eventually can be modified as we learn more about the risk and how it can impact the business.
“A business can start to quantify cyber risk by scenario building. If a cyber attack from a nation state or disgruntled employee occurs, what are they intending and what parts of the business are impacted? The scenarios are not an in-depth analytical model yet, but the approach helps build the foundation,” he said. “When we help clients through an in-depth analytical approach, we want to understand what the outcome is: What is the frequency? What is the severity? What risk and mitigation factors impact frequency and severity? How does the organization differ from its peers? That information establishes a baseline, and we can subsequently populate the framework with known sources of data and augment the model with our expertise and knowledge of the business,” he explained.
Discussing scenarios helps organizations to become more organized and prepared, Giacobbe said. “It’s a challenging exercise, but it’s not about establishing precision. The idea is to test parameters and come up with a range of potential outcomes. It provides an idea of the direction and the impact, which is helpful in evaluating the efficiency and effectiveness of investments,” he noted.
A good analogy is the “track forecast cone” that the National Oceanic and Atmospheric Administration uses with windstorms, he suggested. “If you can see directionally where an event may go, it can help you direct resources where the impact may be greatest. Even though the cone of uncertainty doesn’t show exactly where a storm will hit, it helps support decisions about risk mitigation and response.”
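As an added illustration, not part of the article or of JLT’s own methodology, the following seeded Monte Carlo model turns one scenario’s assumed frequency and severity into a range of annual-loss outcomes (the “cone”), and applies a mitigation’s frequency and severity factors to show how an investment shifts that range. Every scenario name, loss figure, rate and factor below is a constructed assumption, not data from the survey.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    events_per_year: float  # assumed annual frequency (constructed value)
    median_loss: float      # assumed median loss per event, USD (constructed)
    spread: float           # lognormal sigma: how heavy the severity tail is

@dataclass
class Mitigation:
    name: str
    annual_cost: float
    frequency_factor: float  # multiplier on frequency, 1.0 = no effect
    severity_factor: float   # multiplier on loss per event, 1.0 = no effect

def poisson(rate, rng):
    """Events in one year (Knuth's method; fine for the small rates used here)."""
    limit, count, prod = math.exp(-rate), 0, rng.random()
    while prod > limit:
        count += 1
        prod *= rng.random()
    return count

def annual_losses(s, rng, m=None, years=10_000):
    """Simulate independent years; each year's loss is the sum of its events."""
    rate = s.events_per_year * (m.frequency_factor if m else 1.0)
    scale = m.severity_factor if m else 1.0
    mu = math.log(s.median_loss)  # lognormal parameterised by its median
    return [scale * sum(rng.lognormvariate(mu, s.spread) for _ in range(poisson(rate, rng)))
            for _ in range(years)]

def summarize(losses):
    """Expected loss plus the percentiles that sketch the cone of outcomes."""
    ordered = sorted(losses)
    def pct(p): return ordered[min(len(ordered) - 1, int(p * len(ordered)))]
    return {"mean": sum(losses) / len(losses), "p50": pct(0.5), "p90": pct(0.9), "p99": pct(0.99)}

def net_benefit(s, m, seed=7):
    """Expected annual loss avoided by mitigation m, minus its cost (>0 = pays off)."""
    base = summarize(annual_losses(s, random.Random(seed)))["mean"]
    with_m = summarize(annual_losses(s, random.Random(seed), m))["mean"]
    return base - with_m - m.annual_cost

if __name__ == "__main__":
    case = Scenario("ransomware via phished credentials", 0.3, 500_000, 1.0)
    mfa = Mitigation("phishing-resistant MFA", 80_000, 0.4, 0.8)
    print(summarize(annual_losses(case, random.Random(7))), net_benefit(case, mfa))
```

With these inputs the median year costs nothing while the mean is in the hundreds of thousands, which is exactly why a single point estimate misleads and a range is the right output to put in front of a board.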
As more data becomes available on cyber events, analytical models will be refined and their value in risk decision-making will grow. In the meantime, businesses can’t procrastinate. They should start considering the business impact of their cyber risk now.