Quantifying Cyber Risk

There are three options for handling a risk: mitigate it, accept it, or transfer it. A vital input to that decision is quantifying the cost, or loss of value, the company would incur if the threat comes to pass. Cybersecurity risks do not change these fundamentals, but quantifying their real-world impact is a task companies are still struggling with, and so are the insurance companies that are becoming more engaged in the transfer option.

While the direct financial losses companies have incurred from data breaches are measurable, that loss may be inconsequential compared to the reputational loss that often accompanies a breach. Allianz, a major player in business insurance, recently estimated the annual financial impact of cyber crime at $445 Billion across the 10 largest markets. A risk of that scale is, rightly, driving significant investment in cybersecurity infrastructure, but companies are also beginning to look to insurance products as a backstop, a second line of support behind their own defenses.

In its publication A Guide to Cyber Risk: Managing the Impact of Increasing Connectivity, Allianz indicates that insurance against cyber crime is growing rapidly but is still evolving just as fast. It goes on to explain that quantification is “challenging, but feasible.” Companies must look beyond traditional operational-risk tools that focus only on revenue losses and evaluate “a broader set of losses associated with cyber attacks . . . The direct revenue losses for the companies involved in a cyber attack can be nearly negligible compared to the reputational damage incurred, which in turn can lead to future revenue losses. That is why it is essential for managers to quantify cyber risks more broadly.” If, for the companies involved, direct revenue losses can be nearly negligible next to the reputational damage, then the $445 Billion figure above, which captures measured financial losses, understates the true cost of cyber crime by a wide margin.
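The decision between mitigate, accept and transfer, and the effect of leaving reputational loss out of the numbers, can be made concrete with a simple expected-annual-loss model. The following is an added example written for this page; it is not Allianz’s methodology nor any insurer’s pricing formula. The scenario figures (a 10% annual breach probability, $2M direct loss, $8M reputational loss), the control cost and its assumed 60% probability reduction, and the policy terms (premium, deductible, coverage limit, and the assumption that the policy pays only for direct loss) are all constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat scenario expressed as frequency and per-event magnitude."""
    name: str
    annual_probability: float   # chance the threat materialises in a given year
    direct_loss: float          # measurable per-event loss (response, fines, downtime)
    reputational_loss: float    # estimated future-revenue loss per event


def expected_annual_loss(s: Scenario, include_reputation: bool = True) -> float:
    """Expected loss per year = probability x loss per event."""
    per_event = s.direct_loss + (s.reputational_loss if include_reputation else 0.0)
    return s.annual_probability * per_event


def cost_accept(s: Scenario, include_reputation: bool = True) -> float:
    """Accept: no spend, carry the full expected loss."""
    return expected_annual_loss(s, include_reputation)


def cost_mitigate(s: Scenario, control_cost: float, probability_reduction: float,
                  include_reputation: bool = True) -> float:
    """Mitigate: pay for a control that lowers the likelihood (assumed effect)."""
    reduced = replace(s, annual_probability=s.annual_probability * (1.0 - probability_reduction))
    return control_cost + expected_annual_loss(reduced, include_reputation)


def cost_transfer(s: Scenario, premium: float, deductible: float, coverage_limit: float,
                  include_reputation: bool = True) -> float:
    """Transfer: pay a premium; the policy reimburses direct loss above the
    deductible up to the limit (assumption: reputational loss is not insurable here)."""
    covered = min(max(s.direct_loss - deductible, 0.0), coverage_limit)
    per_event = s.direct_loss + (s.reputational_loss if include_reputation else 0.0)
    retained = per_event - covered
    return premium + s.annual_probability * retained


def compare_options(s: Scenario, control_cost: float, probability_reduction: float,
                    premium: float, deductible: float, coverage_limit: float,
                    include_reputation: bool = True) -> dict:
    """Annual cost of each option and the cheapest one under the chosen loss model."""
    costs = {
        "accept": cost_accept(s, include_reputation),
        "mitigate": cost_mitigate(s, control_cost, probability_reduction, include_reputation),
        "transfer": cost_transfer(s, premium, deductible, coverage_limit, include_reputation),
    }
    return {"costs": costs, "choice": min(costs, key=costs.get)}


# Constructed scenario and option parameters (not real data).
BREACH = Scenario("customer data breach", annual_probability=0.10,
                  direct_loss=2_000_000.0, reputational_loss=8_000_000.0)
OPTIONS = dict(control_cost=300_000.0, probability_reduction=0.60,
               premium=250_000.0, deductible=100_000.0, coverage_limit=5_000_000.0)


def decision_with_and_without_reputation() -> tuple:
    """Run the comparison twice to show how the broader loss model changes the answer."""
    broad = compare_options(BREACH, include_reputation=True, **OPTIONS)
    narrow = compare_options(BREACH, include_reputation=False, **OPTIONS)
    return broad, narrow


if __name__ == "__main__":
    broad, narrow = decision_with_and_without_reputation()
    for label, result in (("direct + reputational", broad), ("direct only", narrow)):
        print(f"Loss model: {label}")
        for option, cost in result["costs"].items():
            print(f"  {option:<9} ${cost:>12,.0f}")
        print(f"  -> cheapest: {result['choice']}")
```

With reputational loss counted, mitigation is the cheapest option; with only direct loss counted, simply accepting the risk looks cheapest and the insurance option looks nearly free. That reversal is the point of the Allianz guidance quoted above: a model that sees only direct revenue loss will systematically under-invest in prevention.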

Preventing a breach, and avoiding the media attention it would bring, is better than purchasing insurance to shield your company from the effects. According to Emily Cummins, a RIMS board member and managing director of tax and risk management for the National Rifle Association, “most reportable data breaches are triggered by unintentional employee error,” and “emphasizing year-round employee security training sends a strong message that an organization is a good insurance risk because they’re doing the best they can to prevent a reportable event.” This is a common theme across cybersecurity conversations: employee training needs to be a major part of the fight against cyber crime. In the same article, Christine Todd Whitman, former governor of New Jersey, is quoted as saying, “In some of the companies with which I’ve been involved, one of the biggest problems is employees inadvertently opening an infected email or document because cyber hackers have gotten so good at disguising who and what they are.”

Modern training programs use quantifiable, measurable methods to drive long-term changes in employee behavior. A traditional “one-and-done” annual review is not going to keep up with constantly changing attack techniques. Spear phishing, for example, is not new. One might think that with the experience and history we have with this attack vector it would be extinct by now. Yet it continues to flourish as a primary way for attackers to get past the first line of cybersecurity defense, chiefly because the quality of the bait keeps improving, luring employees into taking the bite. Rather than just purchasing insurance to protect against financial loss, get aggressive about giving your employees the skills they need to detect and stop the most common sources of attack, and engage a training methodology that is continuous, measurable, and adaptable enough to keep up with the times.