Quantification adds up better cyber risk management

10 May 2019

Managing cyber risk means different things to different people within an organisation. To the chief financial officer, it means building an insurance programme. To the chief information security officer, it means implementing technology and protocols. To the general counsel, it means complying with myriad regulations.

Yet with technology ingrained in virtually every business function, cyber exposures and vulnerabilities have multiplied. To effectively manage cyber risk, those stakeholders need to engage each other across internal boundaries. Bringing all of those stakeholders together, however, can be challenging. That’s where cyber risk quantification can help.

A Lingua Franca

Despite the clear consensus that cyber represents a significant risk for businesses, many companies have yet to calculate the potential financial impact of a cyber event. Moreover, individual managers typically see only the risk aspects relevant to their function and they often each speak a different “language.”

Quantifying cyber risk allows you to express cyber risk in a language common to all business stakeholders: economics. Equally important, quantification allows organisations to frame cyber in the same terms as other business risks and evaluate risk management investments on the same financial basis.

Data-Based Investment Decisions

Beyond providing a common method of expression, quantification allows a business to better understand the size of its risk: Is our value at risk US$10 million, or US$100 million? And it enables prioritisation of those risks: Is our biggest vulnerability data breach, technology interruption, or regulatory liability?

While qualitative terms like “high,” “medium,” or “low” are imprecise, quantitative modeling produces objective and actionable data to guide capital allocation decisions. 

Knowing the range of potential losses and the areas of maximum risk enables better decision-making relative to your organisation’s risk tolerance and capital allocation, including how much insurance coverage to buy and how to direct investments in cyber security technology and training.
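The kind of output this section describes (a loss range rather than a "high/medium/low" label, and a ranking of data breach against technology interruption and regulatory liability) comes from a loss model. The following is an added illustration, not code from the article or from Marsh JLT: a small Monte Carlo model that treats each scenario as a Poisson event frequency with a lognormal single-event cost, simulates many years, and reports expected annual loss together with the 50th, 95th and 99th percentiles of annual loss. The three scenarios and all their parameters are constructed placeholders chosen for the example, not data from any organisation; a real exercise would replace them with calibrated estimates.

```python
"""Monte Carlo loss model for expressing cyber scenarios in financial terms.

Added illustration, not from the original article. The scenario parameters
below are constructed placeholders, not figures from any real organisation.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float   # expected events per year (Poisson rate)
    median_loss_usd: float    # median cost of a single event
    sigma: float              # log-scale spread of single-event cost (lognormal)

    @property
    def mu(self) -> float:
        return math.log(self.median_loss_usd)

    def expected_annual_loss(self) -> float:
        """Closed-form mean: event rate times mean single-event loss."""
        return self.annual_frequency * math.exp(self.mu + self.sigma ** 2 / 2)


# Constructed scenarios matching the three risk areas named in the article.
SCENARIOS = [
    Scenario("data breach", 0.3, 2_000_000, 1.0),
    Scenario("technology interruption", 1.0, 500_000, 0.8),
    Scenario("regulatory liability", 0.1, 5_000_000, 0.6),
]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; the random module has no built-in one."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def percentile(sorted_vals, q):
    """Empirical q-quantile of an already sorted list."""
    idx = min(len(sorted_vals) - 1, int(q * len(sorted_vals)))
    return sorted_vals[idx]


def summarise(losses):
    s = sorted(losses)
    return {
        "expected": sum(s) / len(s),
        "p50": percentile(s, 0.50),
        "p95": percentile(s, 0.95),   # a 1-in-20-year loss level
        "p99": percentile(s, 0.99),   # a 1-in-100-year loss level
    }


def simulate(scenarios, years=20_000, seed=7):
    """Simulate `years` independent years; return summary stats per scenario and in total."""
    rng = random.Random(seed)
    per_scenario = {s.name: [] for s in scenarios}
    totals = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            n = poisson(rng, s.annual_frequency)
            loss = sum(rng.lognormvariate(s.mu, s.sigma) for _ in range(n))
            per_scenario[s.name].append(loss)
            year_total += loss
        totals.append(year_total)
    per_scenario["total"] = totals
    return {name: summarise(losses) for name, losses in per_scenario.items()}


def rank_by_expected_loss(results):
    """Scenario names ordered from largest to smallest expected annual loss."""
    names = [n for n in results if n != "total"]
    return sorted(names, key=lambda n: results[n]["expected"], reverse=True)


if __name__ == "__main__":
    results = simulate(SCENARIOS)
    for name in rank_by_expected_loss(results) + ["total"]:
        r = results[name]
        print(f"{name:24s} expected ${r['expected'] / 1e6:6.2f}M  "
              f"p95 ${r['p95'] / 1e6:6.2f}M  p99 ${r['p99'] / 1e6:6.2f}M")
```

The expected annual loss answers the budgeting question, while the 95th and 99th percentiles are what an insurance limit or a capital reserve is sized against; the gap between them is the part of the range that qualitative labels hide. Because low-frequency scenarios contribute little to the expected loss but a great deal to the tail, the ranking by expected loss and the ranking by p99 can differ, which is exactly the distinction the article's "US$10 million or US$100 million" question is asking about.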


Oversight and Transparency

A quantitative approach can also create a foundation for improved management of other critical cyber risk management functions, such as regulatory compliance. The Securities and Exchange Commission (SEC) outlined new requirements in 2018 for public companies to quantify and disclose their cyber security risks, report material cyber events, and outline their boards’ role in cyber risk oversight.

Savvy investors — including institutional investors and fund managers — have come to view cyber security as an essential component in their analysis and valuation and thus now want the same information. To that end, they are seeking to understand the potential effect of cyber events on financial performance and market value. 

This means that responsibility for cyber risk disclosures must move from the investor relations function to the boardroom — yet another reason to use cyber quantification to broaden internal discussions.

As the cost of cyber events continues to rise, businesses are seeking better methods to prioritise and evaluate their risk investments. Uninformed spending is no longer acceptable. Instead, businesses should measure and evaluate cyber risk in financial terms, just as they do with other critical risks that can make or break their bottom lines.

  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 3394 0486.
