Taming Cyber

Article Synopsis :

New methods of quantifying Cyber risk help CxOs and boards better manage it  

Identifying and quantifying Cyber risk is different from quantifying other “financial” risks. This report from Oliver Wyman shares new methods for measuring Cyber in a more structured way.

Many institutions assess Cyber risk by soliciting the opinions of in-house IT experts on the topic. These exercises are typically sub-optimal given the answers are more guesstimates than proper risk quantification exercises. As a result, the outcomes are relatively ineffective risk management tools.

Cyber risk quantification is tricky for three main reasons:

1. Institutions lack historical data. Cyber risk is an emerging risk with limited useful historical data. And the situation is unlikely to change soon, because institutions are often unwilling to disclose the details of successful attacks, and especially the true cost of incurred losses.
2. The threat environment is rapidly changing. Attackers are constantly finding new ways to access IT systems and infrastructure. What an institution knows about current vulnerabilities today is likely to become obsolete tomorrow. Without a structured process, institutions will find the task of keeping up with these changes extremely difficult.
3. Cyber attack outcomes are not always comparable. The impact and cost of various Cyber risk events such as a data breach or disruption are typically unique to the institution and highly dependent on the individual operational, IT, system, or data environment.

Based on structured-scenario analysis, the report outlines the following four-step approach to risk identification and quantification:

STEP 1: IDENTIFY INSTITUTION-WIDE HIGH-VALUE ASSETS

To begin, business, risk, and information technology personnel should identify assets from all business and functional units (e.g., HR) potentially subject to Cyber attacks. The list should include both digital assets – such as critical data that should be protected or operational services that can be disrupted – and physical assets, including computing hardware and connected infrastructure that can be damaged or destroyed. Next, Cyber security experts should assess the materiality of each Cyber-relevant asset based on inputs from each business and functional unit. The goal is to identify assets that, if lost or compromised, would lead to significant loss to the institution.

STEP 2: IDENTIFY RISKS TO HIGH-VALUE ASSETS

Once institution-wide high-value assets are identified, the business or functional unit should develop a list of Cyber risk events by identifying each potential malicious action to which each high-value asset could be subject, ordered by relevance.

STEP 3: ESTIMATE FREQUENCY OF CYBER RISK EVENTS

Industry resources exist to help calculate the frequency of various types of Cyber attacks on various sorts of systems in a given time frame. The data allows for a historical view of not only the overall volume of Cyber attacks, but also the volume of attacks and success rates by vector of attack. When analysing the frequency of Cyber attacks, institutions should consider not only the number of attacks, but also the number of loss-triggering attacks (which are typically a small subset of the total attacks).

STEP 4: ESTIMATE SEVERITY OF CYBER RISK EVENTS

Given the challenges inherent to traditional quantification approaches commonly used for “financial” risks (e.g., credit, market), use structured scenarios as a mechanism for quantifying the severity of potential Cyber risk events. These scenarios, which are typically used for the quantification of “hard to quantify” operational risks, consist of a series of table-top exercises/workshops with key stakeholders from the business, risk, and information technology units.

Better Cyber risk quantification enables more informed business decision-making in the following areas:

• Risk management: Better understand Cyber risk exposure and the underlying drivers of the losses, and improve response to attacks
• Investments: Prioritize investments across the Cyber risk mitigation spectrum and relative to competing investment demands
• Insurance: Determine Cyber coverage strategy and the nature/extent of premiums
• Executive oversight: Understand Cyber risk exposure status, trends/outlook and impact of investments over time

By converting qualitative concerns from boards and senior management into dollar amounts, an institution will be able to integrate Cyber risk management more fully into the overall risk management strategy – which is the ultimate goal.

Link to Full Article:: click here

Link to Source:: click here