Quantifying Cyber Risk

Consider the following common scenario, which is unfolding in executive suites and corporate boardrooms across the world: A Chief Information Security Officer (CISO) presents the Chief Financial Officer (CFO) with a proposal to invest $10 million in upgrading the company’s cyber defenses. A figure that high will mean taking the proposal to the CEO, and then the board of directors for approval. “Do we really need this?” the CFO asks. “Yes,” the CISO replies. “It’s a ‘must-have.’”

What should the CFO do? Should she take the CISO’s word for it? That’s not always a good look in the boardroom. “We need it because the CISO said so” is not a compelling argument, even if the CISO is a credible person. Corporations need data to justify cyber defense investments. In particular, they need data about the financial impact of their cyber risk exposure. If the CFO can present a coherent argument in favor of the investment, she will have a better chance of gaining board approval—and the company will become better protected against cyber risk.

This process, which seems simple, has emerged as a surprisingly challenging arena for corporate decision-making. C-level executives and boards grasp the concept of risk quantification quite well, in general. They deal with debt risk, market risk, compliance risk, weather risks and all manner of threats to the company’s bottom line. For cyber, it’s turning out to be a lot harder to figure out the costs of failing at risk mitigation.

There are a variety of reasons for this. One issue is communication. The language of IT and cybersecurity is not native to the boardroom. This is partly a generational problem, but it’s also because cybersecurity presents itself as an arcane, almost mystical sphere of activity. Scare tactics and vague notions of catastrophe tend to predominate: sign this check or we face a multi-billion dollar loss at the hands of teens wearing hoodies and the Russian military. Why? I could tell you, but you wouldn’t understand.

To some extent, it’s an emotion-driven decision. Executives are afraid of cyber threats, often with good reason, but fear leads to exaggerated reactions. This is not a good way to run a business. Risks come with costs, and if businesses can get a good sense of what those costs are, they can make intelligent, informed decisions about how much security they need to buy.

This brings up the second major challenge to quantifying cyber risk. It’s just not that easy to do. One approach is to engage a big consulting firm that will conduct audits and analyze the company’s risk. The firm presents a report that captures the financial impact of cyber risks and then moves on. Two difficulties arise with this approach. One is that the analysis is typically static, reflecting risks for a fixed period of time. Cyber risks continually evolve, however, so the analysis will soon become obsolete. The other is that these firms often neglect subsidiaries and third-party partners in their assessments.

I spoke about this challenge with Tom Boltman, VP of Strategic Initiatives at Kovrr, a company that offers technology for financially quantifying cyber risk on demand. According to Boltman, putting a financial price tag on cyber risks involves taking a dynamic, continuous approach. And, it should be data-driven at all times. “Decisions about cyber security should be informed by facts and not guesses,” he said. “What we do is incorporate multiple sources of data including insurance cyber claims data… to give companies a more grounded view of what a potential loss could be.”

Kovrr’s methodology is complex, but it rests on two core dimensions of cyber risk: frequency and severity. A certain form of cyber incident may be frequent, but not severe. For example, a company might suffer a dozen successful phishing attacks a week. However, if they are quickly remediated, and adequate protections are in place, their financial impact will be quite low. In contrast, if a company’s cloud provider goes down, or becomes a conduit for an attack, that may be a rare but very costly episode.

From there, Kovrr adds factors like the nature of the business and the cyber loss characteristics of its industry peers. They apply multiple cyber risk models to determine the costs of the company’s potential losses from targeted and systemic cyber events, whether those result from a cyber attack or from the failure of a third-party service provider the company relies on. The process takes into account subsidiaries and third-party relationships. They also evaluate the company’s technology stack, looking at the loss history associated with that stack across multiple industries.

A risk quantification process of the kind Kovrr runs yields data that decision-makers can use to evaluate the financial impact of a cyber event. This in turn enables them to better understand the ROI of the cyber investments they are making, as well as to make more strategic risk transfer and insurance placements. Should they spend $10 million? If their potential loss is $1 million, then the answer is probably “no.” If a data-driven risk quantification pegs their risk at $100 million, then that $10 million investment starts to look like a really smart move.
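The frequency-and-severity view described above, and the spend-versus-loss comparison, can be made concrete with a small model. The Python below is an added worked example, not code from the article and not Kovrr’s methodology: it models event frequency as a Poisson count and per-event loss as a lognormal amount, simulates a distribution of annual losses for the two cases the article names (frequent-but-cheap phishing, rare-but-costly cloud outage), and then checks whether a $10 million control, annualized over five years and assumed to halve outage frequency, pays for itself. Every rate and dollar figure in it is a constructed assumption.

```python
"""
Frequency x severity model for a cyber loss scenario, with a Monte Carlo
loss distribution and a spend-versus-expected-loss check.

Added illustration only: this is not Kovrr's model and not code from the
article. Frequency is modelled as Poisson, per-event loss as lognormal, and
every dollar figure and rate below is a constructed assumption.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # expected frequency (Poisson mean)
    median_loss: float       # typical loss per event, USD (lognormal median)
    loss_spread: float       # lognormal sigma; larger means a fatter tail


def annual_loss_expectancy(s: Scenario) -> float:
    """Closed-form expected annual loss = frequency x mean severity.
    For a lognormal with median m and sigma s the mean is m * exp(s^2 / 2)."""
    mean_severity = s.median_loss * math.exp(s.loss_spread ** 2 / 2)
    return s.events_per_year * mean_severity


def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson draw: Knuth's multiplication method for small means; for large
    means (hundreds of phishing events a year) use the normal approximation,
    which is accurate there and avoids looping once per event."""
    if lam <= 0:
        return 0
    if lam > 30:
        return max(0, int(round(rng.gauss(lam, math.sqrt(lam)))))
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(s: Scenario, years: int = 2_000, seed: int = 1) -> list[float]:
    """Monte Carlo: for each simulated year draw how many events occur, then a
    lognormal loss for each event, and sum them into that year's total."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)
    totals = []
    for _ in range(years):
        n = _poisson(rng, s.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, s.loss_spread) for _ in range(n)))
    return totals


def loss_at_percentile(losses: list[float], pct: float) -> float:
    """Annual loss not exceeded in pct% of simulated years (e.g. 99 for a
    1-in-100-year loss), read off the sorted sample."""
    ordered = sorted(losses)
    idx = math.ceil(pct / 100 * len(ordered)) - 1
    return ordered[min(max(idx, 0), len(ordered) - 1)]


def net_annual_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Reduction in expected annual loss a control buys, minus its annualized
    cost. Positive means the spend pays for itself on expectation alone."""
    return annual_loss_expectancy(before) - annual_loss_expectancy(after) - annual_control_cost


def compare_scenarios() -> dict:
    """The two cases from the article: frequent-but-cheap phishing versus a
    rare-but-costly cloud provider outage, plus a $10M control annualized
    over five years that is assumed (constructed) to halve outage frequency."""
    phishing = Scenario("phishing", events_per_year=12 * 52, median_loss=500, loss_spread=0.8)
    outage = Scenario("cloud outage", events_per_year=0.1, median_loss=20_000_000, loss_spread=1.0)
    outage_mitigated = Scenario("cloud outage (mitigated)", 0.05, 20_000_000, 1.0)
    result = {}
    for s in (phishing, outage):
        sim = simulate_annual_losses(s)
        result[s.name] = {
            "expected_annual_loss": annual_loss_expectancy(s),
            "1_in_100_year_loss": loss_at_percentile(sim, 99),
        }
    result["control_net_benefit"] = net_annual_benefit(outage, outage_mitigated, 10_000_000 / 5)
    return result


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name}: {value}")
```

Run as a script it prints, for each scenario, the expected annual loss and the simulated 1-in-100-year loss. With these constructed inputs the phishing case has a modest expected loss and a thin tail, while the outage case has a larger expected loss and a tail in the tens of millions; on expected loss alone the $10 million control does not cover its annualized cost, which is exactly why the tail figure also has to be on the table when deciding how much to mitigate versus transfer through insurance.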
