The path to meaningful cyber loss and incident data.


Cyber risk is quickly emerging as the prevailing focus of operational risk management.

As the digital economy expands, a diminishing percentage of risk professionals feel they have a complete understanding of cyber risk.  Not long ago, cyber risk was typically rated in scenario analyses as a low to moderate likelihood.  It is now often assumed to be the highest risk within a company, with the questions being ‘when’ and ‘how big’ instead of ‘if’.  The healthcare and financial services industries are consistently the sectors most affected by cyber risk.

Legal and regulatory focus on cybersecurity continues to increase, addressing data analysis, risk assessment, policy development, specific cyber risk management procedures, plans to secure data and mitigate risk, and training.  This focus has increased C-suite representation of, and responsibility for, cyber risk among the Chief Risk Officer (CRO), Chief Information Officer (CIO), and Chief Information Security Officer (CISO).  This enhanced representation works best when responsibilities are clearly defined in an Enterprise Risk Management (ERM) program.  Cyber insurance carriers consistently view companies with strong, cyber risk-inclusive ERM programs as a safer bet when it comes to providing coverage.

Cyber risk assessment is foundational to cyber security and ERM programs.  Meaningful assessment requires combining IT security expertise, business expertise, and risk management expertise to identify the ‘crown jewel’ data assets of the enterprise, and it requires internally transparent identification of vulnerable areas.  A key to successful risk assessment is the availability of consistent loss data.  Losses can be direct, such as business interruption, regulatory fines, crisis services, and legal defense; and/or indirect, such as reputational damage, customer defection, and loss of strategic momentum.

Loss data continues to be a stumbling block to cyber risk assessment at both the micro (enterprise) and macro (industry) levels.  Cyber events reported in the media are believed to be a small subset of actual loss events.  Because of the negative regulatory and reputational consequences, many companies are reluctant to report incident data publicly unless a breach is large enough to require public disclosure.  The lack of loss data leads to a lack of actuarial data, raises aggregation concerns, and sheds less light on the nature of potential cyber threats.  Without a secure method through which organizations could pool and share cyber incident information anonymously, obtaining this information is unlikely.

In the absence of centralized loss event data sources, the underlying data that currently forms the basis for analysis tends to be fractured, incomplete, and inconsistent.  These multiple datasets lead to inconsistent conclusions and, ultimately, flawed industry-level risk assessment.

Key actions are needed to change the current environment.  First and foremost is data scrubbing: creating a consistent methodology for mapping raw cyber risk loss event data, bringing together enterprise-specific data, insurance claims data, and industry cyber loss data.  This enables relevant risk scoring, transforming individual risks into quantitative values.  Aggregation of risk scores then enables risk prioritization, insurance gap analysis, and cost-benefit analysis of insurance coverages or further enhanced mitigation practices.

The following diagram illustrates the process at a high level:

[Flowchart: high-level diagram of the data scrubbing, risk scoring, and aggregation process]

Risk Lighthouse is seeking client business partners for data scrubbing and risk scoring engagements to develop these consistent methodologies.  The methodologies will directly benefit participating clients by enhancing their cyber risk management practices, in turn strengthening their overall operational risk management and ERM.
