Are Cyber Risks well integrated into your ERM?

This blog post has been on my mind for years. I kept putting it off in the hope that there would be new findings from practice and science that could give this article a happy ending. Well, I must warn you that I will probably disappoint you. The year is 2024, and we are still at the beginning of the following question: How can cyber risk management be integrated into enterprise risk management? We are facing a paradoxical situation, which I would like to explain briefly. Now that cyber risks have undeniably become of paramount importance, we can assume that there is a high degree of maturity and consensus in practice and research regarding the following aspects:

  • Definition of cyber risks
  • Risk analysis and risk management of cyber risks (incl. insurance)
  • Awareness, roles, responsibilities, and reporting channels (cyber risk governance)
  • Coordinated standards, norms, frameworks, and guidelines
  • Alignment of cyber risk management, ERM, corporate strategy, and decision making

There isn't. The current professional and academic literature tells us that there is no consensus on the aspects mentioned above, that research has become bogged down in individual "research streams," and that cyber risk management is generally not (!) an integral part of enterprise risk management.

Let's start with the allegedly clear definition of cyber risks: The confusion continues, although various attempts have already been made to resolve it. Terms such as information security, cybersecurity, cyber risk management, IT risks, and IT risk management coexist. Sometimes, information security is equated with cybersecurity, meaning that cyber risks concern information availability, integrity, and confidentiality. Of course, they do, but not only that. Do you think definitions are not that important? Research shows that this confusion is a significant obstacle to the holistic, interdisciplinary management of cyber risks (whatever they are).

Information and cyber security overlap but are not the same as "security." The former is about the security of information, whether it is available in or out of cyberspace. The latter concerns information security and all other assets (people, IoT devices, physical assets, etc.) vulnerable via cyberspace. Do we all see it that way? The answer is no. But there's still something missing: how does cyber security relate to cyber risks? All risks potentially jeopardizing cyber security are cyber risks. And because we want to manage these systematically, we talk about cyber risk management. It's all straightforward, isn't it?

What about risk analysis and risk management? Here, too, there are a lot of inconsistencies and practical challenges to report. This also applies to many other risk categories. I put forward the following maturity ranking of risk categories for discussion: I see the first as the most advanced in methodology and research and the last as the least.

  1. Financial risks
  2. Operational risks (excluding cyber risks)
  3. Strategic risks
  4. Cyber risks

The decision between 3 and 4 was challenging for me. And 4 is a subcategory of 2, that's clear. But for the statement to be made here, I am happy to accept this non-disjunctive, non-exhaustive order. Now, without claiming to be exhaustive and not following a list of priorities, I spontaneously see the following problems in analyzing and managing cyber risks.

Cyber risks are operational risks. However, they have some characteristics compared to other operational risks that make them particularly difficult to manage. For example, cyber risks are "emergent," i.e., classified as emerging risks. This means that we are dealing with risks that are yet to emerge due to innovations in the IT area. We don't even know many of them yet. In addition, emerging risks are often low-probability, high-impact risks that can be very dynamic, especially in the IT environment (new risks arise quickly and unexpectedly and constantly change over time). There is a high degree of uncertainty when assessing the probability of occurrence and financial loss. The problem: ERM manages known risks (preferably those for which a lot of data is available) and even more preferably risks with a lot of loss data. Most of today's ERM systems are suitable for dealing appropriately with emerging risks.

Furthermore, the risk analysis of cyber risks traditionally focuses more on the technical aspects (as they are often assessed in "technical silos" at the system level and use technical standards). A scenario analysis that makes secondary risks (human, reputational, financial, strategic, etc.) visible and analyses risk dependencies with other company areas is usually still lacking or is, at best, ad-hoc and unsystematic. In the case of risks in an ERM portfolio, it is possible that the occurrence of a cyber risk, for example, could lead to a loss of reputation and trust among the public or customers. The focus of risk management is also more on prevention. There is often little systematic analysis of the impact of risk and how to deal with it (residual risk acceptable? insurance?). To make matters worse, a "cyber risk appetite" defined by the Board of Directors does not even exist (to be fair, I must add that this is not purely a "cyber problem," but the risk appetite is often wholly absent).

How are risks defined in a mature ERM? Uncertainty that may impact the company's objectives. Uncertainty also has something good about it; one could also speak of opportunity management. How are cyber (or related risks, see definition problem above) defined? Correct, as purely adverse events. This distinction is not strictly academic; it is a practical obstacle to integrating cyber risks into the ERM risk landscape.

Is investment in cyber risk management worthwhile? Information security experts may now consider the ROSI (Return on Security Investment) and answer my question with yes. Two things: most companies cannot (or do not want to?) calculate this, and secondly, only costs versus costs are compared. A "real" return on investment, which can be measured directly via additional revenue or cost savings, is not available with ROSI. In addition, the parameters to be used are only as good as the underlying cyber risk management process, which has to produce the input factors "(credible) loss expectations," "frequency of occurrence," and "effectiveness of measures." Do you think this will convince your decision-makers?

Fortunately, initial empirical findings show that there can indeed be a return, which can be of a "strategic nature": Competitive advantages (revenues, profits, achievement of business objectives), organizational effectiveness, and increased resilience. However, although cyber risks - as mentioned at the beginning - are among the most critical risks of all, there is a latent "underinvestment" in cyber security in corporate practice. There are various reasons for this: In addition to the perception that cyber risks are not only company-specific threats but also social and state threats, the usually not directly apparent and complex cause-and-effect chains (cyber risk leads directly to assessable financial impact) and the focus on cost avoidance (and not on increasing profits) tend to lead to underinvestment in this risk category. I could also add many more psychological aspects explaining this "underinvestment."

"Risk governance eats risk management for breakfast," inspired by Peter Drucker's famous quote, fits cyber risks like a glove. I'll summarize all the challenges in terms of roles, responsibilities, risk silos, risk culture, tone at the top, and awareness without being academically correct (risk culture should, of course, be defined in a more differentiated way and distinguished from risk governance, so please forgive me for this simplistic summary). Have you ever heard someone say that the IT department is responsible for cyber risks? Or that cyber risks are an IT problem? Probably yes. If that were the case, we wouldn't get very far. Not legally, not economically, and not in terms of definitions. For example, a horror scenario would be if the CISO combined all "lines of defense" (I'm borrowing from the Three Lines model here, even if I think it's partially wrong and not empirically tested) for cyber risk management. Of course, it would be better if the CISO (together with the risk manager!) took on the second-line function and critically scrutinized the activities of the IT/CIO (first line).

Ultimately, the Board of Directors (or, more generally, the supervisory body) is responsible for cyber risks. And this responsibility cannot be delegated. Of course, IT has an essential function in the cyber risk puzzle. However, it is neither responsible for cyber risks nor able to manage them holistically. Cyber risks are operational risks with strategic impact; they are part of ERM and require a company-wide perspective. Specifically, a holistic risk analysis is only possible with cooperation between IT, HR, data protection, legal, compliance, and business (yes, the C-suite!).

One wonders whether there are already good standards, norms, frameworks, and guidelines on how cyber risks can be integrated into ERM so that all risks can be compared and managed at the highest corporate level. There are two answers to this: It is no coincidence that these "risk silos" exist in practice. If you look at the current standards and norms for ERM (ISO, COSO) or information security (ISO, BSI, NIST, etc.), they are difficult to reconcile. Paradoxically, ISO and COSO advocate company-wide coordinated risk management but then say very little about exactly how this integration of cyber risk management should be done. The standards speak a different language, define and assess risks differently, or do not pursue a risk-oriented approach (but a control-oriented approach that cannot be translated into ERM). It was not uncommon for risk managers to look at me with wide eyes when asked about assessing cyber risks in their ERM approach. I was often referred to the IT department. We already know the problem from above.

It must be said that initial efforts are visible (and published) to give cyber risks the attention they deserve in ERM. I mention two documents here briefly: first, the paper "Managing Cyber Risk in a Digital Age," published by COSO and Deloitte in 2019, and second, the document published by the National Institute of Standards and Technology (NIST) with the promising title "Integrating Cybersecurity and Enterprise Risk Management (ERM)." I read both with high expectations. I fully support the call for integration ("alignment") in ERM in both publications. However, I believe there is still a lot to do, and it is still not easy, even after reading them. Still, a first foundation stone has been laid (I remain deliberately diplomatic because the research doesn't have much more to offer either; see last section).

Researchers agree on three things: firstly, the theoretical and conceptual alignment of cyber risk management, ERM, and the corporate strategy appears to be the dominant approach to fostering risk governance that increases the chances of achieving the company's objectives. Secondly, it must be put into perspective that there needs to be more reliable empirical research on how this alignment is best implemented (a new field of research). And thirdly, there is a consensus that risk managers play a crucial role in this alignment of cyber risk management and ERM. Are today's risk managers up to these challenges? They have a lot to do in the future (sensitizing company management, overcoming risk silos, (co-)examining cyber insurance, (co-)assessing the "big, new" risks, building strategic partnerships with CIO, CFO, CISO, and others, helping to shape risk governance, and much more). With this in mind, let's tackle it together - research and practice, hand in hand so that I can soon write another blog about the "happy ending" in this matter.

Do you see something completely different? Can you prove me wrong? Great! Disagreeing promotes discourse. I'm looking forward to your feedback.

Markus Wimmer

10 months

Thanks Stefan Hunziker, PhD, CICP - Hope this new CustomGPT on German Banking Regulation & Risk Management helps you and your team as well in this regard. It’s free and can be used within ChatGPT (when you have a pro account): https://www.dhirubhai.net/posts/markus-wimmer_chatgpt-german-banking-regulation-gpt-activity-7153725959450312705-4IKH

Karoly Aczél - CISM, MBA

Information Security I Risk Management I #ISO27001 I #NIS-2 I #DORA I #NIST

10 months

Thank you for this thought-provoking post, Stefan Hunziker, PhD, CICP. To answer your question in a nutshell, one finds that out when the "worst case scenario" happened. From my experience, Risk Management on a particular type of risk or in general depends very much on the company size and the staffing. For small companies, there is no or very marginal risk management practice, hence no Cyber Risk Management. When we go beyond and see what others are doing, it gets more and more sophisticated, yet if it is really working is a totally different story. More often than not, also in big companies, I have seen that it's more like a "theoretical exercise" up until the risk management will be put into practice. I sincerely believe that the challenge is to communicate to the management board how the Risk Management can add value, by defining residual risk in $$$ terms and not just mitigation measures, for example. It all depends on the size of the company, the willingness of the senior leadership team and the experiences made. As for small companies, there is lots of improvement to be made and certifications like ISO 27001 will help but are not always a "cure". #windowdressing

Stefan Hunziker, PhD

Professor of Risk Management | Prof. Dr. habil.

10 months

Carlo Pugnetti and Maurizio Tuccillo, our Heads of the Certificate of Advanced Studies in Cyber Risk Management at Institut für Finanzdienstleistungen Zug IFZ and HSLU – Hochschule Luzern – Informatik, what is your take on this?
