Quantification adds up better cyber risk management

10 May 2019

Managing cyber risk means different things to different people within an organisation. To the chief financial officer, it means building an insurance programme. To the chief information security officer, it means implementing technology and protocols. To the general counsel, it means complying with myriad regulations.

Yet with technology ingrained in virtually every business function, cyber exposures and vulnerabilities have multiplied. To effectively manage cyber risk, those stakeholders need to engage each other across internal boundaries. Bringing all of those stakeholders together, however, can be challenging. That’s where cyber risk quantification can help.

A Lingua Franca

Despite the clear consensus that cyber represents a significant risk for businesses, many companies have yet to calculate the potential financial impact of a cyber event. Moreover, individual managers typically see only the risk aspects relevant to their function and they often each speak a different “language.”

Quantifying cyber risk allows you to express cyber risk in a language common to all business stakeholders: economics. Equally important, quantification allows organisations to frame cyber in the same terms as other business risks and evaluate risk management investments on the same financial basis.

Data-Based Investment Decisions

Beyond providing a common method of expression, quantification allows a business to better understand the size of its risk: Is our value at risk US$10 million, or US$100 million? And it enables prioritisation of those risks: Is our biggest vulnerability data breach, technology interruption, or regulatory liability?

Qualitative ratings such as “high,” “medium,” or “low” cannot be compared across risks or added up. Quantitative modelling instead expresses each risk as a loss distribution: an expected annual loss, a range of plausible outcomes, and the probability of exceeding a given amount in a year. Those figures can be weighed directly against the cost of a control or an insurance premium, which is what makes them actionable for capital allocation decisions.

Knowing the range of potential losses and areas of maximum risk enables better decision-making relative to your organisation’s risk tolerance and capital allocation, including how much insurance coverage to buy, how to direct investments in cyber security technology and training, plus more.
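The article does not describe any particular model, so the following is an added illustration rather than code from Marsh or from the author: a minimal frequency/severity Monte Carlo that turns a few assumed inputs (an event rate, a median loss per event and a spread) into the quantities the two preceding paragraphs talk about, namely the probability of an annual loss exceeding US$10 million or US$100 million, the loss percentiles that describe the range, and the expected annual recovery under a hypothetical insurance attachment point and limit. All parameters, function names and the sample loss figures are constructed for the example.

```python
import math
import random

# Assumed model inputs (constructed for this example; a real programme would
# derive them from incident history, control assessments and external data).
EVENT_RATE = 0.6            # expected number of loss events per year (Poisson)
SEVERITY_MEDIAN = 2_000_000 # median loss per event in USD (lognormal)
SEVERITY_SIGMA = 1.5        # lognormal sigma: larger values mean a heavier tail
THRESHOLDS = (10e6, 100e6)  # the "US$10 million or US$100 million?" question


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate with Knuth's method (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n_years, event_rate, severity_median, severity_sigma, seed=2019):
    """Simulate n_years of total annual loss: Poisson event count, lognormal severity."""
    rng = random.Random(seed)            # seeded so results are reproducible
    mu = math.log(severity_median)       # lognormal median exp(mu) == severity_median
    annual = []
    for _ in range(n_years):
        events = poisson_sample(rng, event_rate)
        annual.append(sum(rng.lognormvariate(mu, severity_sigma) for _ in range(events)))
    return annual


def exceedance_probability(annual_losses, threshold):
    """Fraction of simulated years whose total loss exceeds threshold."""
    return sum(1 for x in annual_losses if x > threshold) / len(annual_losses)


def percentile(annual_losses, p):
    """Loss level that p (0..1) of simulated years do not exceed (nearest-rank)."""
    ordered = sorted(annual_losses)
    index = min(max(math.ceil(p * len(ordered)) - 1, 0), len(ordered) - 1)
    return ordered[index]


def expected_insured_loss(annual_losses, attachment, limit):
    """Expected annual recovery from a policy paying losses above attachment, up to limit.

    Comparing this figure with the premium quoted for that attachment/limit
    is one way to judge how much coverage to buy.
    """
    payouts = [min(max(x - attachment, 0.0), limit) for x in annual_losses]
    return sum(payouts) / len(payouts)


def loss_summary(annual_losses, thresholds=THRESHOLDS):
    """The headline numbers a quantification exercise reports to the business."""
    return {
        "expected_annual_loss": sum(annual_losses) / len(annual_losses),
        "p50": percentile(annual_losses, 0.50),
        "p95": percentile(annual_losses, 0.95),
        "p99": percentile(annual_losses, 0.99),
        "exceedance": {t: exceedance_probability(annual_losses, t) for t in thresholds},
    }


if __name__ == "__main__":
    losses = simulate_annual_losses(20_000, EVENT_RATE, SEVERITY_MEDIAN, SEVERITY_SIGMA)
    summary = loss_summary(losses)
    print(f"expected annual loss: ${summary['expected_annual_loss']:,.0f}")
    for label in ("p50", "p95", "p99"):
        print(f"{label}: ${summary[label]:,.0f}")
    for threshold, prob in summary["exceedance"].items():
        print(f"P(annual loss > ${threshold:,.0f}) = {prob:.3f}")
    # Hypothetical tower: $5M retention, $50M limit (assumed figures).
    print(f"expected recovery, $5M xs $50M: ${expected_insured_loss(losses, 5e6, 50e6):,.0f}")
```

The sigma of 1.5 is what gives the distribution its long tail; rerunning with a smaller sigma shows how sensitive the US$100 million exceedance probability is to that one assumption, which is why the inputs to a quantification deserve as much scrutiny as its outputs.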


Oversight and Transparency

A quantitative approach can also create a foundation for improved management of other critical cyber risk management functions, such as regulatory compliance. In 2018 the Securities and Exchange Commission (SEC) issued interpretive guidance on how public companies should assess and disclose material cyber security risks, report material cyber incidents in a timely manner, and describe their boards’ role in cyber risk oversight. Deciding what is material is far easier when the potential loss has been estimated in financial terms.

Savvy investors — including institutional investors and fund managers — have come to view cyber security as an essential component in their analysis and valuation and thus now want the same information. To that end, they are seeking to understand the potential effect of cyber events on financial performance and market value. 

This means that responsibility for cyber risk disclosures must move from the investor relations function to the boardroom — yet another reason to use cyber quantification to broaden internal discussions.

As the cost of cyber events continues to rise, businesses are seeking better methods to prioritise and evaluate their risk investments. Uninformed spending is no longer acceptable. Instead, businesses should measure and evaluate cyber risk in financial terms, just as they do with other critical risks that can make or break their bottom lines.



  • Robert Parisi

    Robert Parisi is a Managing Director and Marsh’s Cyber Product Leader. His current responsibilities include advising clients on issues related to intellectual property, technology, privacy, and cyber related risks as well as negotiating with the carriers on terms and conditions. 

    Robert was also responsible for initiating Marsh’s Global Cyber Network. While at Marsh, Robert has worked extensively with Marsh clients in all industries, assisting them in analysis of their risk as well as in the placement of coverage for cyber risks. Prior to joining Marsh, Robert was the senior vice president and Chief Underwriting Officer (CUO) of eBusiness Risk Solutions at AIG. 

    For further information or to learn more about cyber insurance, contact Robert Parisi, Managing Director/ Cyber Product Leader at Marsh USA, on +1 212 345 5924.
