Managing Risk Is Its Own Reward
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
From the beginning of 2013 through yesterday, there have been 9,198,580,293 personal records stolen or lost due to security breaches, and in the last twelve months ransomware attacks grew by 55 percent and spear-phishing incidents increased by 65 percent. No company is fully secure from cyber breaches now, no matter how sophisticated its cyber defense mechanisms have become.
And, we have seen repeated research indicating that very few companies have made the organizational effort to identify the range of cyber scenarios that could affect them, assess the cybersecurity risk of their suppliers and customers, and build fully operational cybersecurity risk prevention and response plans.
Given the steady rise in cyber-crime coupled with an increase in the sophistication of tools and technologies, we are hard pressed to understand why businesses in general continue to ignore the risk.
These attacks are no longer just harming desktop and network computing infrastructure. They are starting to cause the malfunctioning of critical medical equipment, emergency services, and fundamental communications. A few months ago we saw a simple ransomware attack in the SF Bay Area take out the entire municipal transportation system for 48 hours.
According to a recent survey by Marsh & McLennan, only a third of companies are sufficiently prepared to prevent a worst-case attack, and a quarter of companies do not even treat cyber risks as significant corporate risks. In addition, nearly 80 percent don’t assess their customers and suppliers for cyber risk at all - ever. We suspect that maybe companies are simply transferring the bulk of their risk to cyber-insurance.
The U.S. represents the largest cyber insurance market, where almost 20 percent of all organizations have cyber insurance today, and the number of companies purchasing cyber insurance and increasing their coverage limits continues to grow. The total annual premiums for cyber insurance are now at $4 billion and estimated to hit $39 billion within 7 years.
Among the obvious problems with this approach is that few companies are able to quantify their risk, or even bother trying. The majority of companies surveyed (75%) had failed to adequately assess or document their company’s exposure to cyber risk and were unable to calculate the financial impact should a breach event occur.
As a result, these organizations are in a poor position to approach the insurance market and place a value on transferring the risk. The dilemma compounds due to the scant amount of actuarial data available to the insurers related to the cost of breach and the success of breach prevention programs.
So, what we have is an organization that can’t assess and quantify their risk and an insurer who can’t determine the likelihood of a breach under varying protection determinants or the value of a payout. In order to protect themselves from this dangerous set of unknowns, insurers must charge rates that are exorbitantly high along with low coverage limits, and organizations have almost no way to determine whether they can or should afford that coverage.
Most organizational risk managers try to rely on qualitative guidance from ‘heat maps’ that describe their vulnerability as ‘low’ or ‘high’ based on vague estimates that lump together frequent small losses and rare large losses. Some have tried to rely on the risk management mechanisms of NIST’s cybersecurity framework or the Baldrige performance program.
But these approaches alone don’t help risk managers understand whether they have a $10 million problem or a $1 billion looming disaster, let alone whether they should invest in perimeter malware defenses, network behavioral analytics or email protection. It is hard to get your management to approve $1m for an advanced SIEM platform when the best you can do is describe your risk as “high”. Is it “higher” than $1m?
I know. You don’t know.
As a result, organizations will continue to misjudge which cyber security capabilities they should prioritize, and they frequently obtain insufficient or completely inappropriate cyber security insurance protection. On the other side, insurers need more time and more data to begin vectoring their coverage and costs into a target with reasonable risk boundaries.
An organization has a much better chance of gauging its risk if it limits its assessment to four factors:
1) The value of the assets at risk,
2) Lost revenue,
3) Liability losses, and
4) Reputational damage.
The direct revenue losses for an organization involved in a cyber-attack can be nearly negligible compared to the reputational damage incurred, which in turn can lead to future revenue losses.
This is why it is essential for owners and managers to quantify cyber risks more broadly.
The first step in quantifying your cyber risk in dollars is to identify your company’s most important assets and your greatest vulnerabilities: those that involve services shutting down (like SF Muni), and those that compromise information, ranging from sensitive data, to corporate secrets, to bank accounts.
The key is to build an informed and well-designed cyber-risk model that’s able to analyze potential direct revenue, liability, and reputational loss scenarios. When a cyber-attack occurs, organizations are hit not just with losses resulting from customers who stop buying products and services; they also face ancillary costs related to fixing their problem, such as regulatory fines, forensics, legal, equipment and recovery consulting costs.
In addition, an organization may need to provide customers with long-term and expensive remediation, such as offering credit monitoring services, along with legal fees and penalties to settle multiple class action lawsuits (uh, does Equifax ring any bells?). These lawsuits are gaining in popularity as individuals are no longer required to show proof of impact or immediate damages from stolen PII or sensitive information.
Predicting expected and maximum cyber losses over a one, three and five year horizon is just as important to determining today’s operating environment as predicting future revenue and profit. The business of forecasting profit and loss is not foreign to any business owner and predicting future loss resulting from cyber-crime should be part of that process.
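The following Python sketch is an added illustration, not the author’s model or any vendor’s tool: it prices each loss scenario in the four factors above, projects expected and 95th-percentile losses over one-, three- and five-year horizons, and nets a control’s avoided loss against its cost. Every dollar figure, event frequency and the control’s effect are constructed assumptions for the example.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """One loss scenario priced in the article's four factors (dollars per event)."""
    name: str
    annual_frequency: float  # expected events per year; 0.2 means roughly once in five years
    asset_loss: float        # value of the assets destroyed, stolen or ransomed
    lost_revenue: float      # revenue lost while services are down
    liability: float         # fines, forensics, legal fees, settlements, credit monitoring
    reputation: float        # future revenue lost to customers who walk away
    def severity(self) -> float:
        return self.asset_loss + self.lost_revenue + self.liability + self.reputation

# Constructed sample scenarios (illustrative figures, not data from the article).
SCENARIOS = [
    Scenario("ransomware outage", 0.30, 500_000, 2_000_000, 200_000, 1_000_000),
    Scenario("customer PII breach", 0.05, 1_000_000, 1_000_000, 20_000_000, 30_000_000),
]

def expected_annual_loss(scenarios) -> float:
    """Closed-form expected loss per year: sum over scenarios of frequency x severity."""
    return sum(s.annual_frequency * s.severity() for s in scenarios)

def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_horizon(scenarios, years, trials=20_000, seed=7):
    """Monte Carlo over a 1-, 3- or 5-year horizon: Poisson event counts per scenario and a
    log-normal spread around each severity. Returns (expected loss, 95th-percentile loss)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.annual_frequency * years)):
                total += s.severity() * rng.lognormvariate(0.0, 0.5)
        totals.append(total)
    totals.sort()
    return sum(totals) / trials, totals[int(0.95 * (trials - 1))]

def net_value_of_control(scenarios, frequency_reduction, annual_cost) -> float:
    """Expected loss avoided per year by a control (e.g. a SIEM) minus what it costs."""
    return frequency_reduction * expected_annual_loss(scenarios) - annual_cost
```

Calling `simulate_horizon(SCENARIOS, years)` for 1, 3 and 5 years gives the expected and "bad case" figures the text asks for, and `net_value_of_control(SCENARIOS, 0.4, 1_000_000)` answers whether a $1m SIEM that cut event frequency by 40 percent would pay for itself under these assumptions.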
The operational and technical data is readily available and can be modeled against expected and worst-case scenarios. The elements of risk and defense are known or knowable. The cost of cyber-insurance, while onerous at this moment, is factual and should be only one of the factors in determining the risk model.
Addressing all of this honestly is one of the burdens of management’s responsibility to its stakeholders. Failing to do so and continuing to operate under the guidance of a crossed-fingers strategy is almost certain to result in a bad outcome for everyone.
Stay calm and bite the bullet. Managing risk is its own reward.
Global Crisis Management, Director
7 years
Excellent summary of the current state of affairs. Organizations are relying on a far too narrow view of the risk and potential/likely consequences.