Managing cyber risk means different things to different people within an organisation. To the chief financial officer, it means building an insurance programme. To the chief information security officer, it means implementing technology and protocols. To the general counsel, it means complying with myriad regulations.
Yet with technology ingrained in virtually every business function, cyber exposures and vulnerabilities have multiplied. To effectively manage cyber risk, those stakeholders need to engage each other across internal boundaries. Bringing all of those stakeholders together, however, can be challenging. That’s where cyber risk quantification can help.
A Lingua Franca
Despite the clear consensus that cyber represents a significant risk for businesses, many companies have yet to calculate the potential financial impact of a cyber event. Moreover, individual managers typically see only the risk aspects relevant to their function and they often each speak a different “language.”
Quantifying cyber risk allows you to express cyber risk in a language common to all business stakeholders: economics. Equally important, quantification allows organisations to frame cyber in the same terms as other business risks and evaluate risk management investments on the same financial basis.
Data-Based Investment Decisions
Beyond providing a common method of expression, quantification allows a business to better understand the size of its risk: Is our value at risk US$10 million, or US$100 million? And it enables prioritisation of those risks: Is our biggest vulnerability data breach, technology interruption, or regulatory liability?
While qualitative terms like “high,” “medium,” or “low” are imprecise, quantitative modelling produces objective and actionable data to guide capital allocation decisions.
Knowing the range of potential losses and the areas of maximum risk enables better decision-making relative to your organisation’s risk tolerance and capital allocation, including how much insurance coverage to buy, how to direct investments in cyber security technology and training, and more.
Oversight and Transparency
A quantitative approach can also create a foundation for improved management of other critical cyber risk management functions, such as regulatory compliance. The Securities and Exchange Commission (SEC) outlined new requirements in 2018 for public companies to quantify and disclose their cyber security risks, report material cyber events, and outline their boards’ role in cyber risk oversight.
Savvy investors — including institutional investors and fund managers — have come to view cyber security as an essential component in their analysis and valuation and thus now want the same information. To that end, they are seeking to understand the potential effect of cyber events on financial performance and market value.
This means that responsibility for cyber risk disclosures must move from the investor relations function to the boardroom — yet another reason to use cyber quantification to broaden internal discussions.
As the cost of cyber events continues to rise, businesses are seeking better methods to prioritise and evaluate their risk investments. Uninformed spending is no longer acceptable. Instead, businesses should measure and evaluate cyber risk in financial terms, just as they do with other critical risks that can make or break their bottom lines.