When the going gets tough, the tough get going.
Article Synopsis :
Boards of Directors are increasingly requesting from senior management a coherent articulation of the institution’s cyber risk appetite linked to business model and strategy and integrated into enterprise risk management. The starting position of most Boards of Directors and senior management is a ‘close-to-zero’ acceptance of cyber risk.
In an increasingly digital world ‘close-to-zero’, though understandable, isn’t really practicable. So what to do? This paper from Oliver Wyman walks us through their approach to developing an appropriate cyber risk appetite.
Four primary challenges explain why some institutions have tried but failed (or haven’t even tried) to define a meaningful cyber risk appetite:
Quantification: The industry has not yet agreed upon a standard approach to quantifying cyber risk (outside of scenario analysis for operational risk more broadly). Institutions have only rudimentary cyber-related data encompassing a limited time-series, complicating the identification of metrics that can be tracked on an ongoing basis supported by historical data to define ‘normal’ ranges.
Data: Given the rapidly-evolving nature of cyber risk, the relevance of historical data for the design of a cyber risk appetite is limited. Forward-looking statements and metrics are needed to enable institutions to identify potential issues before falling victim to the next headline-grabbing cyber incident.
Communication: Cyber risk metrics and reporting tend to be very technical and overwhelmingly detailed, especially for the Board. To ensure that cyber risk appetite is actionable, institutions need to strike the right balance between being too technical and too abstract, which is difficult.
Embedding: Cyber risk is far more than an IT problem. It spans people, processes, and technology. Therefore, it is difficult to design top-of-the-house risk appetite statements that are meaningful and communicable, can be cascaded to granular levels of the institutions, and can be translated into actionable business decisions.
A cyber risk appetite statement, adopted by and communicated throughout an institution, can have tangible impact on business activity and behavior. Poorly articulated statements can cause confusion and may even cause employees to take unproductive or potentially harmful actions. Examples of cyber risk appetite statements that can lead to unintended consequences are provided in the report.
Designing an effective cyber risk appetite starts at the Board of Directors level, cascaded to lower levels of the institution. The report recommends a structured seven-step approach to designing an institution’s cyber risk appetite framework:
- Identify key cyber risks for the institution: Articulate a cyber risk taxonomy and link the institution’s cyber risk identification outcome to the taxonomy.
- Define the objectives and constraints: Consider the broad range of constraints and associated objectives (e.g., financial, reputational, regulatory) that impact cyber risk appetite.
- Create qualitative statements and identify metrics: Define cyber risk appetite statements and associated quantitative metrics linked to the cyber risk taxonomy and threats.
- Test the implications and consequences: Review the emerging cyber risk statements and explore what the outcomes would be if these were solidified (e.g., target customer segments, changes in the use of third parties, changes in access rights, changes in controls).
- Calibrate metric thresholds: Consider the metric type, available data, and the institution’s analytical capabilities in determining the correct approach to establishing thresholds for the quantitative metrics.
- Define cascading approach: Determine the level of organizational granularity to which cyber risk appetite statements and metrics will be cascaded – considering risk profile, business model, and structure of the overall risk appetite.
- Define cyber risk appetite maintenance operating model: Link risk appetite threshold breaches to tangible actions that allow the institution to ‘return to green’.
Link to Full Article:: click here
Digital Insurer's CommentsDesigning an effective cyber risk appetite is crucial for any institution that has exposure to the internet – which is just about every institution nowadays. The right cyber risk appetite, with formal statements and metrics, is a powerful tool for prioritizing cybersecurity investment, making sound cyber risk management decisions, and creating awareness for cyber risk across the institution.
Viewed by many leaders as ‘thou shalt not’ documents, cyber risk appetites, done right, are actually liberating, allowing the organization to more aggressively pursue winning digital strategies in increasingly dynamic digital markets.
Link to Source:: click here