Cyber risk is something every company should get better at assessing. Source: Shutterstock

Cyber risk is something every company should get better at assessing. Source: Shutterstock

How can business leaders better quantify their organization’s cyber risk?

THIS YEAR, some of the largest companies in the world including Equifax, British Airways, and Marriott International were in the limelight for enormous fines imposed on them in relation to data breaches they suffered.

Consumers around the world are demanding that data be managed and protected more proactively and effectively, and regulators are taking action to ensure businesses take those demands seriously.

As a result, business leaders have been getting more concerned about their cybersecurity posture and are looking for new ways to quantify their cyber risk in order to better protect their organization.

According to a new report published by Marsh & McLennan, very few organizations have a comprehensive understanding of their cyber risk because it is often difficult to quantify it with limited historical data.

A section of that report, put together by Oliver Wyman Engagement Manager Tanishq Goyal and Partner — Finance & Risk Management Jayant Raman, however, points out that “quantification is all about probability and is meant to provide a directional view around the level of risk an organization should be prepared to manage, rather than a definitive answer that provides an accurate measure.”

Goyal and Raman explain that business leaders should think of cyber risk quantification as an exercise that helps the organization not only understand the implications of an attack or breach from a financial standpoint but also map any probable cyber exposure and its impact.

When organizations have some visibility into their cyber risks, they can make better decisions about managing and mitigating that risk — either through security solutions, strategies, or even insurance.

Of course, performing an assessment of an organization’s cyber risk is easier said than done.

The Marsh & McLennan report highlights several challenges that business leaders typically face when embarking on such an exercise.

The constantly changing landscape of attacks and the ever-increasing sophistication of hackers and bad actors in cyberspace are chief among the challenges — but others include the lack of a formally defined risk appetite and limited historical data and scarcity of detailed publicly available information on cost of cyber attacks, among other things.

However, Goyal and Raman point out that these challenges, although seemingly beyond the control of business leaders, don’t necessarily need to limit the organization’s assessment of cyber risk.

Instead, the duo recommends that businesses come up with realistic scenarios in order to make assessments of their cyber risks and liabilities.

“Quantification becomes challenging in the absence of clarity. Therefore, the more specific we can be in the scenario narratives, the easier it is to guide the conversations on estimation.”

Obviously, speaking of scenario analysis, the cyber risk though leaders recommend sticking to the top three to five scenarios that impact the wider business, avoid getting too caught up with the (lack of) availability of data, and ensure that their scenarios are free from bias brought in by stakeholders.

At the end of the day, the process of modeling cyber risk, even through scenarios, is likely to be challenging and complex — but that shouldn’t stop business leaders.

Gaining a better understanding of cyber risk is bound to help the organization. Here are three immediate benefits that Marsh & McLennan list down in their report:

# 1 | Prioritizing cybersecurity investments

Vendors in the cybersecurity space today are doing a lot of exciting work with new and emerging technologies — and although some of those products might seem expensive, they are a good investment because they help the organization guard against sophisticated cyberattacks.

However, unless an organization understands its cyber risk and exposure, it will find it difficult to invest in the right tools and solutions to defend itself in a way that is most suited to its needs.

# 2 | Creating a strategy for cyber insurance

Cyber insurance is something that many organizations are beginning to evaluate — including small- and mid-sized businesses.

Given the damage that ransomware can cause and the hefty fines that regulators are now imposing on companies that failed to protect customer data, cyber insurance is becoming an essential tool.

Understanding the organization’s cyber risk is obviously key when creating a cyber insurance strategy and investing in a plan that safeguards the business from all kinds of threats.

# 3 | Ongoing monitoring of cyber readiness

The threats landscape in cyberspace is constantly changing as are the laws that affect companies operating in the digital-first world.

While assessing cyber risk is key to setting up the right defense and improving the cybersecurity posture of most organizations, ongoing monitoring is key to ensuring that adequate cover and steps are taken to secure the business every single day, irrespective of any changes — whether internal to the business or external.