Know your cyber risk: the importance of assessment and quantification
November 2020 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
November 2020 Issue
If questioned by a shareholder, no chief executive or chief financial officer would say that they intentionally leave their organisation’s most valuable assets vulnerable to a cyber attack. Yet, according to our ‘Financial Impact of Intellectual Property & Cyber Assets: 2020 Aon-Ponemon Global Report’, 85 percent of the potential loss to businesses’ intangible information assets – those most vulnerable to a cyber attack – is not insured, despite those assets being worth considerably more than many organisations’ physical assets, such as property and equipment, which attract far higher levels of insurance protection.
Assuming no board would deliberately want to see its most valuable assets stolen or held to ransom, what is the solution? The answer lies in an organisation undergoing a structured programme of risk assessment, risk quantification and risk transfer for its cyber exposures, a process that enables a business to understand where its exposures lie, what the potential costs of a cyber loss could be and how best it can protect its operations, balance sheet and, ultimately, limit potential reputational damage.
Everyone is a target
Unlike recent years, when cyber crime seemed to be a problem largely contained within retail or similar industries as hackers looked to steal customer data, criminals are now intent on targeting all industries where they can not only steal data but also infiltrate and encrypt systems to hold organisations to ransom. Undoubtedly, many organisations are ill-prepared to deal adequately with the attacks they face.
According to our report, approximately half (51 percent) of respondents report that their organisations had a material or significantly disruptive security exploit or data breach one or more times in the past 24 months. The average total financial impact of these incidents was $4.5m. And 70 percent say the incident increased their organisation’s concerns over cyber liability.
Held to ransom
The challenge for most businesses in securing their cyber borders is an increased reliance on the digital environment. The global pandemic-induced changes to ways of working in recent months mean there is now a decentralised work environment that is harder to throw a ring of protection around than it had been previously. Couple this changing infrastructural setup with a fast-evolving threat environment and many organisations are in positions of material risk.
If that were not serious enough, hackers are increasingly using data exfiltration to help inflate any ransom payment. A business might be able to get its systems back up and running without paying a ransom, but if it knows a hacker has managed to obtain confidential client information or intellectual property, then it is more likely to pay a bigger ransom.
Supply chains are also more vulnerable to cyber risk, which means businesses could suffer contingent business interruption as the result of a supplier experiencing a hack, providing another illustration of how the threat environment is growing exponentially.
Assess and quantify
All these factors mean that a comprehensive assessment and quantification of cyber risk should be critical steps for every business, not only to understand its level of cyber exposure, but also as a vital stage in securing competitive cyber insurance if it chooses to transfer the risk.
Assessment and quantification involve asking questions that focus on what a loss could look like for a business: the assets it is trying to protect, the associated cyber security risks, how much risk the organisation is prepared to carry on its balance sheet and, importantly, ensuring board-level understanding of the cyber risk.
Each organisation has a unique risk profile, encompassing not only the dynamic environment in which it operates, but also the construct of its own security posture. This is why an appropriate assessment is crucial – it identifies and frames the risk, including its relative strengths and weaknesses. Aligned to a keen understanding of the threat environment, it means concerted decisions around security improvement and protection can be made immediately, and those decisions dovetail with risk quantification methodologies. Ultimately, it facilitates better use of data and analytics.
Once an organisation can put financial values to known exposures, it can not only make the previously mentioned concerted decisions around investment, but also decide at what level to invest. Finding the optimum balance between risk retention, treatment and transfer means truly understanding the total cost of cyber risk and making the world of cyber risk accessible to non-technical stakeholders in the organisation, allowing for higher levels of good governance.
A more considered approach to cyber insurance
As a consequence of going through this assessment and quantification process, organisations are taking a more considered approach to the cyber insurance market, developing a better understanding of what they are buying and why. This helps with value articulation and strategic spend initiatives, and helps ensure an organisation has a cyber insurance policy that complements its strategic investment in cyber security. When we talk about enterprise-wide initiatives, that is what we are looking to achieve – a cyber insurance policy that is appropriate and proportionate for the organisation itself and not a one-size-fits-all solution.
Part of the challenge for the cyber insurance market, however, is that it is still nascent. It does not yet have the many years of claims data that the traditional property and casualty markets use to set rates. Instead, the cyber market is relying on a shallower pool of average claims levels and losses, gathered in a relatively new environment.
What professional services firms across cyber security, risk and insurance need to do is to place a potential loss in the right context, using the appropriate setting and loss scenarios for each business, and to drive the use of enhanced data analytics. It is about getting away from averages and finger-in-the-air estimates. Once a business has those maximum loss numbers, it can stress test its existing insurances, risk appetite and risk tolerance to allow the crafting of a cyber insurance policy – adjusting limits and sub-limits and achieving coverage that most accurately reflects the risk profile of the organisation.
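The stress test described above can be made concrete by running a handful of maximum-loss scenarios through a candidate policy structure and checking what the organisation itself would bear. The following is an added illustration, not code from the article or from Aon: every figure (scenario costs, retention, aggregate limit, sub-limits, risk tolerance) is a constructed sample value, and the order in which policy terms are applied (sub-limits per cost category, then the retention, then the aggregate limit) is an assumption made for the example, since real policy wording varies.

```python
"""Stress-test a cyber insurance structure against maximum-loss scenarios.

Added illustration, not code from the article or from Aon. All figures below
are constructed sample values, and the order in which terms apply (sub-limits,
then retention, then aggregate limit) is an assumption; real wording varies.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    retention: int                  # amount the insured bears on each event
    limit: int                      # aggregate amount the insurer will pay
    sublimits: dict = field(default_factory=dict)  # cost category -> cap on insured amount


@dataclass
class Scenario:
    name: str
    costs: dict                     # cost category -> estimated maximum loss

    def total(self) -> int:
        return sum(self.costs.values())


def allocate(policy: Policy, scenario: Scenario) -> dict:
    """Split one scenario's loss into retained, insured and uninsured parts."""
    uninsured = 0
    pool = 0                        # loss still eligible for cover after sub-limits
    for category, amount in scenario.costs.items():
        cap = policy.sublimits.get(category)
        if cap is not None and amount > cap:
            uninsured += amount - cap   # excess over a sub-limit falls back on the insured
            pool += cap
        else:
            pool += amount
    retained = min(policy.retention, pool)
    remaining = pool - retained
    insured = min(remaining, policy.limit)
    uninsured += remaining - insured    # excess over the aggregate limit is also uninsured
    return {"retained": retained, "insured": insured, "uninsured": uninsured}


def stress_test(policy: Policy, scenarios: list, risk_tolerance: int) -> dict:
    """Per scenario: the allocation, the organisation's own share
    (retained + uninsured) and whether that share stays within tolerance."""
    results = {}
    for scenario in scenarios:
        alloc = allocate(policy, scenario)
        own_share = alloc["retained"] + alloc["uninsured"]
        results[scenario.name] = {
            **alloc,
            "total": scenario.total(),
            "own_share": own_share,
            "within_tolerance": own_share <= risk_tolerance,
        }
    return results


def sublimit_needed(policy: Policy, scenarios: list, risk_tolerance: int,
                    category: str, step: int) -> Optional[int]:
    """Smallest sub-limit for `category` (searched upward from the current cap in
    `step` increments) at which every scenario's own share is within tolerance.
    Returns None if no cap up to the largest loss in that category achieves it."""
    ceiling = max(s.costs.get(category, 0) for s in scenarios)
    cap = policy.sublimits.get(category, 0)
    while cap <= ceiling:
        candidate = Policy(policy.retention, policy.limit, {**policy.sublimits, category: cap})
        if all(r["within_tolerance"] for r in stress_test(candidate, scenarios, risk_tolerance).values()):
            return cap
        cap += step
    return None


# Constructed sample inputs (hypothetical figures, not from the article).
SCENARIOS = [
    Scenario("ransomware with data exfiltration",
             {"business_interruption": 3_000_000, "extortion": 2_000_000,
              "forensics_and_response": 500_000}),
    Scenario("supplier outage (contingent business interruption)",
             {"contingent_business_interruption": 1_500_000}),
    Scenario("customer data breach",
             {"notification_and_monitoring": 800_000, "regulatory_defence": 600_000}),
]
POLICY = Policy(retention=250_000, limit=5_000_000,
                sublimits={"extortion": 1_000_000,
                           "contingent_business_interruption": 1_000_000})
RISK_TOLERANCE = 1_000_000          # largest own share the board will accept per event

if __name__ == "__main__":
    for name, r in stress_test(POLICY, SCENARIOS, RISK_TOLERANCE).items():
        flag = "ok" if r["within_tolerance"] else "EXCEEDS TOLERANCE"
        print(f"{name}: total {r['total']:,} retained {r['retained']:,} "
              f"insured {r['insured']:,} uninsured {r['uninsured']:,} -> {flag}")
    print("extortion sub-limit needed:",
          sublimit_needed(POLICY, SCENARIOS, RISK_TOLERANCE, "extortion", 250_000))
```

With these sample figures the ransomware scenario leaves the organisation bearing 1.25m (the retention plus the extortion cost above the sub-limit), which breaches the stated tolerance, while the other two scenarios sit within it; the sweep then shows that raising the extortion sub-limit to 1.25m is the smallest adjustment that brings every scenario inside tolerance. Swapping the sample scenarios for a business's own maximum-loss numbers and the sample terms for a quoted policy turns the same loop into the limit and sub-limit comparison the text describes.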
Differentiate your risk
We are facing challenging insurance market conditions in which underwriters are demanding more and better-quality information. The differentiation of buyers in the cyber insurance market is therefore increasingly important. A structured approach to assessment and quantification not only enables an informed cyber risk transfer strategy, but also provides a framework for mapping cyber maturity and the progress plans required for an insurance market submission.
Ultimately, this enables organisations to approach cyber as an enterprise risk by engaging non-traditional stakeholders, like chief technology officers, in the insurance process. The more an organisation can achieve a collective ‘groupthink’, the more comfortable it is with the risk and the better the outcomes it is likely to achieve.
Do not assume you are covered
Many organisations think they have cyber cover built into their property and liability policies, but that is not always the case. Moreover, as the traditional property and liability markets continue to review and retract elements of cyber coverage, this makes consideration of a standalone cyber insurance policy even more necessary. Cyber insurance plays a central role in how an organisation manages and mitigates cyber risk. It may protect an organisation’s balance sheet by not only providing financial indemnification after things have gone wrong, but also offering expert consultancy to improve security and on-the-ground incident response support during a period of crisis.
Changing technology continually shifts the goalposts
Looking ahead, rapid technological advancements are shifting everyday business practices, leading to unpredictability and volatility in an organisation’s cyber risk profile. Those that successfully manage their way through this uncertain environment will be the businesses that adopt an ongoing enterprise-wide assessment and quantification process, both to reduce the risk and to manage any cyber attacks successfully. Such an approach will certainly make conversations with shareholders easier.
We must accept that our organisations will continue to be susceptible to cyber attacks – it is part of the cost of doing business. However, it is the organisations that demonstrate resiliency and adaptability that will continue to capitalise on opportunities as we move forward into a new way of working.
David Molony is director of cyber risk consulting EMEA and Vanessa Leemans is chief broking officer, cyber solutions EMEA at Aon. Mr Molony can be contacted on +44 (0)20 7086 7043 or by email: david.molony@aon.co.uk. Ms Leemans can be contacted on +44 (0)20 7086 4465 or by email: vanessa.leemans@aon.co.uk.
© Financier Worldwide
By David Molony and Vanessa Leemans, Aon