Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Setting a Cyber Resilience Meeting Agenda

Navigating digital opportunity and loss while under duress

by Travis Wong
Published

Achieving effective Cyber Resilience is a continuous process that requires collaboration across an entire organization in order to adequately assess, measure, and manage cyber-related operational risks. To achieve Cyber Resilience, the alignment of three key parties is essential: the CFO, CISO, and Risk Manager (referred to as the “committee” throughout this article). 

The CFO’s concern is with capital allocation and optimizing return on investment. The CISO’s focus is preventing and mitigating technology-based operational disruption. The risk manager’s role is to understand the organization’s risk, and develop an action plan for those risks which  includes making decisions around risk acceptance, avoidance, transfer, or mitigation. With three distinct disciplines and viewpoints coming together in pursuit of the common goal of Cyber Resilience, it’s important to create a meeting foundation that answers the question “what’s in it for me?” on an individual level as well as the greater organization.

Advanced Cybersecurity Visibility

The first and most important step to effective Cyber Resilience collaboration is to ensure everyone is operating from a common understanding of the problems being addressed and why those problems are important. The group can then collectively identify their operational exposures, evaluate their effectiveness at managing those exposures, target inadequately controlled exposures (deemed hazards), and pursue a risk decision.

Exposure Identification

The most common way of identifying and prioritizing exposures is via impact to revenue generation. The CFO should come to the table with a list of critical business functions and processes that impact revenue. The CISO should be able to match technology enablement against those revenue-generating functions. The Risk Manager should document these risks, have an understanding of risks outside of business disruption (i.e. reputational risk) and be able to discuss both first and third-party risks to critical business functions.

Controls Evaluation

For each of the financial impact exposures identified, the committee should evaluate how those exposures are controlled and the effectiveness of those controls. The financial consequences of the events should be detailed, including the cost of the controls implementation process, revenue reduction during the recovery period, and any long lasting effects that could result from an incident. The goal of this phase is to understand the real-world financial ramifications associated with each possible loss exposure. That sets the stage for risk analysis and decision making. It is important to highlight any exposures that are inadequately controlled in accordance with the organization’s risk tolerance. These should be labeled as hazards and prioritized for risk decisions.

Risk Decisions

Now that exposures and controls have been identified and assessed, risk decision strategies can be implemented based on the organization’s risk tolerance to each exposure. The key risk-based decisions which need to be made are: 

  • whether to accept the risk as-is and take no other actions, 
  • avoid the risk altogether by ceasing operations or transitioning to alternative operations, 
  • transfer the risk through insurance, contract indemnification clauses, risk pooling strategies, etc., or, 
  • mitigate the risk by finding ways to reduce the exposure or improve the effectiveness of the controls. 

The committee will need to collaboratively decide which risk decision is appropriate for each exposure, factoring in ease of implementation, cost associated with the decision, and the impact of the decision to organizational risk.

Questions to generate discussion:

  • What are our critical operations and what are the potential causes of disruption?
  • For each cause of disruption, what are the mitigation plans in place?
  • What do we project revenue losses to be during the disruption and recovery phases?
  • Are the projected losses acceptable to the organization?
  • What do we need to do to bring losses to an acceptable level?

Actionable Cyber Hygiene

If the committee chooses risk mitigation as the path forward, it’s important that a common organizational lexicon is used to justify risk mitigation expense decisions. This lexicon is dollars and cents. Determining the best course of action to mitigate risk should involve in-depth cost benefit analysis. It’s rare that an organization has an endless pool of funds to invest in cybersecurity. Therefore, it’s imperative that funds invested in cyber risk mitigation efforts are maximized to have the greatest risk reduction impact for the lowest cost. There are multiple paths to promoting cyber hygiene, and each risk should be analyzed on a case-by-case basis. Whether the decision is to reduce exposure or invest in additional mitigation efforts (people, processes, or technology), achieving and maintaining a level of cyber hygiene that is congruent with your organization’s risk tolerance must be a collaborative committee endeavor.

Accountable Risk Transfer

Cyber insurance is a commonly deployed and widely accessible form of risk transfer. The committee may decide insurance is the appropriate risk management strategy to cover either a portion or  the entirety of their operations. It’s important for the committee to understand the specific risks that need to be transferred to third parties to keep the organization adequately protected should an incident occur. This is especially true of organizations that have undergone significant operational changes including M&A activities, geographic expansions, or rapid growth/contraction.

Questions the committee should ask themselves:

  • Does the insurance policy adequately cover the organization’s most critical risks?
  • Will the insurance company meaningfully recognize any improvements I make to my risk posture?
  • What happens to my insurance policy if my operations change throughout the policy period?
  • Does the insurance company have any resources to assist my organization’s cyber risk management efforts beyond risk transfer? 

A cyber resilience meeting needs to be collaborative with each stakeholder (finance, security, and risk management) bringing their unique viewpoints and motivations to the table in a supportive manner. This holistic approach to risk analysis and mitigation sets the foundation for the organization to pursue cyber resilience effectively for the long term.

About the Author
Travis Wong

Travis is the VP of Customer Engagement. He has 15 years of risk management consulting experience with Fortune 250 insurance carriers. Specializing in the cyber, technology, and life sciences spaces, Travis assists clients with implementation of cybersecurity, privacy, business resiliency, and business process improvement best practices.

You might also like

third-party cyber risk management

New Frontier: Cyber Risk Mitigation with Superforecasting

You’re a CISO, bombarded from all sides. New vulnerabilities emerge daily, vendors tout countless security solutions, and your inbox overflows with security alerts. Your skilled analysts are stretched thin, struggling to keep pace with the ever-evolving threat landscape. How do you make sense of it all? How do you prioritize investments, allocate resources, and make […]

third-party cyber risk management

Cybersecurity Essentials: The Role of Vulnerability Management in Building Cyber Resilient IT Systems

Navigating the complexities of cybersecurity requires a strategic approach to mitigate risks and safeguard IT systems. Central to this approach is vulnerability management, a systematic process that identifies, assesses, and prioritizes vulnerabilities within organizations’ infrastructure. Understanding what vulnerability management entails and how it contributes to preemptive cyber defense is critical.  According to a recent report […]

third-party cyber risk management

Mastering Cybersecurity Risk Metrics: A New Way to Think About Cyber Risk

Digital threats are not just possibilities but inevitabilities; understanding and calculating cyber risk is more than a precaution – it’s a necessity. Understanding cybersecurity metrics is essential to safeguarding and improving business operations. Calculating cyber risks simplifies complex issues and empowers professionals to communicate them clearly to improve their organization’s digital security. This requires a […]

third-party cyber risk management

Evolving Cybersecurity: From Risk Management to Cyber Resilience

With an astonishing 95% of cybersecurity breaches attributed to human error, organizations must educate, train, and implement a security foundation for all employees. This staggering statistic highlights the vulnerability of humans within digital infrastructures and underscores the importance of building a security-forward mindset into the culture of resilient businesses.   As cyber threats continue to lead […]

third-party cyber risk management

Counting the Cost: Understanding the Financial Risk of Cybersecurity Breaches

Cybersecurity breaches stand as a relentless challenge for organizations worldwide, causing substantial financial repercussions. As cyber threats advance in complexity, the economic impact on businesses intensifies, affecting everything from upfront costs to sustained financial health.  A thorough investigation into the financial risks posed by cybersecurity breaches reveals the breadth of direct and indirect expenses that […]

third-party cyber risk management

Rewriting the Rules of Cyber Security Risks: Part II

Building Cyber Resilience requires a new approach to assessing, measuring, and managing risk. Traditional thinking from both the security and insurance sectors views risk management in binary silos that either stop an attack or fail to prevent loss. However, the truth is that cyber security risk is significantly more complex. Being resilient to cyber security […]