Putting a Price On Cyber Risk
To engage senior executives and boards of directors in cyber security issues, risk managers must equate cyber risks with direct impact to business operations and the bottom line.
As cyber threats become more sophisticated, risk managers and the organizations they serve face significant challenges in understanding and managing the evolving exposures.
Cyber criminals today are targeting high-value intellectual property and confidential data, and are exploiting web applications, mobile devices and social media sites to reach their desired targets. They operate in stealth mode, and their presence is increasingly hard to detect.
Trustwave’s 2013 Global Security Report revealed that attacks on e-commerce sites accounted for 48 percent of all investigations. The report also indicated that the detection of attacks is not immediate: 64 percent of the organizations attacked took more than 90 days to detect an intrusion and the average detection time was 210 days.
Additionally, nearly two-thirds of the investigations indicated that when a third party was responsible for system support, development or maintenance, it introduced security vulnerabilities that were exploited by hackers.
Today, every company is vulnerable. Cyber risks have increased with outsourcing and clouds, the vast amount of data available, and the use of personal devices for corporate business. The responsibility for managing cyber risks, however, extends beyond the risk manager and IT department. Cyber risks are an enterprise issue that must be managed throughout the organization, including top management and the board of directors.
Cyber Risks Require Governance
Boards and senior executives, however, aren’t adequately engaged in the management of cyber risks. According to the 2012 CyLab Governance of Enterprise Security Report, boards and senior executives aren’t involved in the risk management of privacy and security or focused on activities that represent effective governance in this area. For example, 57 percent of the respondents (from the Forbes Global 2000 list) indicated that their boards were not reviewing insurance coverage for cyber-related risks.”
In large part, they don’t know how to exercise appropriate governance over the privacy and security of their digital assets. The four primary challenges are organizational and informational:
* Knowledge. Most boards and executives don’t understand their organization’s cyber vulnerabilities and their roles and responsibilities in effectively governing these risks, and they don’t have adequate informational flows established to keep them apprised of their organization’s security profile.
* Access. Most risk managers aren’t closely linked to their IT departments. They don’t have adequate information about cyber risks, and aren’t equipped to manage technology risks.
* Communication. Most CIOs and CISOs (chief information security officers) don’t know how to effectively communicate with the C-suite (much less the board) to get their attention and assistance on cyber security matters.
* Prioritization. Risk managers and senior executives have not endeavored to quantify the financial impact of potential cyber events, and are therefore unable to prioritize mitigation spending or establish proper limits of liability on cyber liability insurance programs.
The connection between the lack of governance and insurance should not be ignored. Most boards regularly review their insurance coverage and risk profile. So why is cyber neglected? Senior executives and boards may not have been engaged on cyber security issues because they haven’t been able to equate cyber risks with direct impact to business operations and the bottom line.
Getting Attention at the Top
Risk managers play an important role in bringing cyber risks to the attention of senior management and coordinating resources to assess and mitigate cyber exposures. The key may lie in the risk manager’s ability to translate all risks, including those involving cyber, into financial numbers that can be used by executives and boards to set strategies, allocate funding and integrate the issue into corporate planning and financial management. Valuations associated with business interruptions and exposures associated with cyber risks enable executives to incorporate cyber considerations into their decision-making processes, including appropriate insurance coverage.
Experience-based methodologies can help management better understand, manage and quantify cyber risk exposures. Risk managers need to work with IT and security personnel to establish a baseline assessment of an organization’s cyber exposures and vulnerabilities, and to use that for a comprehensive analysis and quantification of the financial consequences of first-party and third-party loss exposures. This process requires significant expertise in security risks, cross-functional capabilities, and loss and exposure assessment.
Effective cyber risk valuations should encompass assessments of the following:
* Risks associated with IT architecture and privacy and security programs.
* Cyber-related business interruption and supply chain risks.
* Business impacts resulting from the loss, disclosure or sabotage of intellectual property and/or confidential information.
* Loss potential from breaches of personally identifiable information.
* Cyber risks associated with third-party providers.
* Reputational impacts of cyber incidents.
* Response costs of forensic investigations, malware eradication, and system clean-up.
* First- and third-party loss exposures.”
A cyber risk assessment that is translated into business interruption valuations provides quantifiable information that boards and senior executives need to allocate resources for the effective management of cyber exposures. Armed with this information, and with the backing of leadership, risk managers can collaborate with finance, IT, operations, marketing, HR and individual business units to ensure that appropriate cyber risk mitigation strategies and effective emergency response and business continuity plans are developed. Moreover, the process also establishes factual input that helps an organization determine what cyber insurance coverage it needs and what levels of coverage are appropriate.
Often, however, these exercises aren’t undertaken prior to a cyber incident. Nevertheless, such a process is useful in helping establish appropriate limits of liability and establishing a basis for claims.
Cyber evaluations and risk quantifications are equally valuable after a cyber event occurs. In many cases, an assessment/valuation process can be useful in assessing what happened, determining the cost of appropriate investigative and response measures, and helping establish appropriate limits of liability and a basis for claims.
Post-event assessments provide an excellent financial basis for informing boards and senior executives of IT and security issues, and providing a justification for executive attention to digital threats. In many cases, assessment and valuation expertise is needed to support claim preparation.
A cyber incident can spill into numerous business operations and create the kind of havoc that clarifies interdependencies between business units and IT systems. When assessing and valuing a cyber event, it is important to consider the entire financial impact that the event had upon business operations and to tabulate the costs associated with the forensic investigation, restoration of data and systems, corrective IT measures, notification costs, legal fees, down time for operations and reputational damage.
The cyber evaluation and risk quantification process can be useful to risk management and other functions within an enterprise both before and after an event. By identifying and quantifying cyber exposures and translating them into financial impacts to the organization, risk managers can more successfully get their leadership’s attention and support for cyber risk management initiatives. This process enables cyber risks to be managed as enterprise risks. Additionally, cyber risk management is an excellent avenue for paving relationships with IT, security, operational, and legal personnel.
A note of caution: Assigning financial valuations to cyber risks is a simple solution, but one that requires sophisticated expertise, both on the cyber evaluation and valuation sides of the exercise. Ensure that the professionals engaged have substantial expertise in both cyber assessments and business interruption valuations and have developed proven methodologies.