Clear and present danger: the pressing need to address cyber risk requires its better understanding and adequate quantification
August 2014 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
Cyber risk continues to grow, yet it remains underestimated. This important enterprise risk can only be managed if properly understood and quantified. One must consider the full array of options, which range from employing new cybersecurity tools to purchasing cyber insurance.
Commercial enterprises, not-for-profit organisations and government entities have consistently underestimated their risk exposure. Cyber-related events such as data breaches have been occurring with a greater frequency than expected. The severity of many of these events has also been greater than probably considered possible by the enterprises that suffered the losses. Target Corp. and the NSA are among the better known examples. Many unpleasant surprises are yet to come.
Today’s concerns should be addressed. It is essential to pay sufficient attention to risks such as those associated with mobile devices and applications or the ever more sophisticated spear phishing attacks based on social engineering. However, a more strategic approach also requires a structured framework for risk analysis and management.
Comprehensive risk management
In order to manage cyber risks, they first have to be properly identified. All too often, major risks are overlooked and focus is given to components of cyber risk that are relatively insignificant.
Compliance is of paramount importance to every company. Laws and regulations relevant to cyber risk exposure have been growing in number and scope while differing by jurisdiction. We believe that a large number of US companies (for example, many business associates of covered entities under HIPAA) do not follow the requirements related to cybersecurity and in some cases are unaware of them.
Mechanical implementation of compliance procedures may make it difficult to justify doing anything beyond the minimum requirements. This is a serious danger because cyber risks are unique to companies and may not always be properly addressed by merely following government standards. A checklist approach is rarely adequate. Standards and best practices are important in cybersecurity, but true risk analysis and management involve much more than blind application of generic approaches to complex risks.
Corporate governance plays an important role in the management of cyber risk. The Chief Information Security Officer (CISO) function should continue to grow in importance. It is the responsibility of the top management and the board of directors to instil risk discipline throughout the organisation and to ensure that proper policies and procedures are instituted and followed. The ultimate responsibility for cyber risk management rests at the very top and cannot be delegated.
Training is an essential component of cybersecurity and risk management. It is as important as the use of proper technical cybersecurity tools. In many industries, the human factor is the reason for the majority of serious data breaches and other cyber-related events. In what is likely to be the most severe data breach known to date, insider Edward Snowden reportedly had access beyond the level warranted by his job responsibilities at the NSA and also had coworkers provide him with their login credentials. This reported sharing of login credentials could be seen as a result of inadequate training and controls.
Closer attention is needed not only to face potential attacks but also to account for unanticipated cyber failures not resulting from malicious intent. It is particularly true in the case of complex systems that are part of critical infrastructure. This danger has to be recognised and guarded against to avoid severe self-inflicted wounds.
Even though the primary focus should always remain on improving resilience and security, cyber insurance should also be considered in making risk management decisions. The landscape has changed so dramatically that not considering the purchase of cyber insurance as a risk management option may sometimes be seen as negligence. Insurance may not be the right option but it should be considered along with all others.
Risk quantification and decision-making
It is impossible to precisely measure cyber risk. However, its quantitative assessment is still necessary for proper risk management. It is used to decide what technical cybersecurity measures to implement, what cyber risk policies to adopt, what type of training to conduct, and whether to purchase cyber insurance.
The qualitative part of the analysis and decision-making process is always critical, but the purely qualitative approach is rarely sufficient. To the degree possible, it is necessary to have risks expressed in terms of dollars and associated probabilities. Having a probabilistic view of risk is at least as important in analysing contingent cyber-related events as it is in the analysis of other complex risks. A comprehensive framework for cyber risk analysis requires aggregating all risk components while taking into account their possible interdependencies. Elements of the traditional insurance analysis can be used to accomplish this task.
Where possible, cyber risk should be considered together with other risks faced by the enterprise and be incorporated into a broader enterprise risk management framework. The analytical framework should be comprehensive yet transparent, and not overly complicated. Even a complex model should produce results that are not difficult to interpret.
The degree of uncertainty involved in any such analysis is always going to be significant. Taking into account every risk and eventuality is impossible. Doing so would require too many assumptions and guesstimates that may, when combined, produce results that are totally wrong and misleading.
To make decisions and choices among the many alternatives, one has to clearly formulate overall objectives in terms of specific risk and return measures. Risk measures used in the analysis should allow the comparison of various options. Risk measure choice may also depend on the objectives and the level of uncertainty.
A number of risk measures can be employed. We utilise Value at Cyber Risk (VaCR) or Marginal Value at Cyber Risk (MVaCR) for the analysis and decision-making unless the degree of uncertainty is too high to make these measures unusable. In some ways similar to the traditional measures of Value at Risk (VaR), these cyber-specific risk measures allow the analysis to be used directly in the risk management decision-making process.
Cyber risk and insurance companies
For insurance companies that underwrite cyber insurance, it is particularly important to be able to assess and quantify cyber risk. Not being able to do so can result in setting cyber insurance prices below profitability levels. It can also lead to unknown accumulation of undiversified risk.
A growing number of insurance companies offer some form of protection to cover losses resulting from cyber-related events. There is little uniformity, however, in the breadth of insurance coverage and the way premiums are determined.
Cyber risk is difficult to analyse in general; it is also very different from the traditional types of insurance risk. Some insurance companies currently lack the expertise required for its proper assessment. The case of Target Corp. is instructive: while that specific data breach was impossible to predict, the potential of an event of this or greater magnitude should not come as a surprise to anybody in the insurance industry.
The currently available analytical tools to evaluate cyber risk and determine appropriate insurance premiums are inadequate. The task is complicated by the difficulty of obtaining reliable data on the cyber risk exposure of insurance applicants, but we rarely see even this data fully used in the analysis.
While the challenges are significant, a number of significant improvements can be made in the area of cyber risk analytics.
With the scope and complexity of cyber risk steadily increasing, it is imperative for enterprises to utilise a structured framework for risk analysis and decision-making. Quantification of cyber risk and explicit consideration of options such as cyber insurance are integral parts of such a framework.
Alex Krutov is president of Navigation Advisors LLC. He can be contacted on +1 (646) 361 3255 or by email: email@example.com.
© Financier Worldwide