As investments in Cyber Security increase, many Boards and C-Suite executives are asking “how much is our true exposure to potential cyber losses?”, “how do we know our investment in Cyber Security is proportional to our exposure?”, “how much investment is good enough?”. The answer to this often starts with quantification of an organisation’s Cyber Risk exposure. However, in our experience, very few organisations have a comprehensive understanding of how much they could potentially lose in case of a Cyber-attack.
Quantification would help organisations understand their exposure, and provide them a baseline to prioritise strategic investments. It brings about an awareness beyond the Technology function into Risk, Business and the Boardroom, where informed decisions around risk hedging and insurance policy can be taken. It creates a level of awareness on Cyber Exposure across the organisation (for example, with the Legal and Communications teams) that is difficult to achieve otherwise, enabling preparedness in scenario response.
Oliver Wyman’s paper on “Navigating Cyber Risk Quantification: The Art and Science of Quantification Through a Scenario-Based Approach” provides a structured approach to estimating Cyber Risk Exposures. The paper, through the use of real examples, describes how to avoid common pitfalls while detailing and quantifying scenarios. Quantifying cyber risk requires developing clear and precise scenarios specific to the organisation – this has not been attempted by many organisations and makes the process of quantification challenging. The process also requires working very closely with stakeholders across the organisation, and leveraging a combination of internal and external data as well as external subject matter expertise, and tailoring them to the organisation’s current context.
Conducting cyber risk quantification is a useful exercise to guide strategic conversations on Cyber Resilience around where to invest, how much to invest, and what kind of mitigation could be pursued, e.g. through Cyber Insurance coverage. By quantifying cyber risk, organisations can also open informed discussions throughout the organisation – on how and what the organisation can do to increase its cyber resilience and build capabilities. Ultimately, this will help the organisation realise that the fight to protect against cyber-attacks is not an IT or Risk function responsibility, but one for the whole organisation.
