Threatonomics

Setting a Cyber Resilience Meeting Agenda

Navigating digital opportunity and loss while under duress

by Travis Wong

Achieving effective Cyber Resilience is a continuous process that requires collaboration across the entire organization to adequately assess, measure, and manage cyber-related operational risks. It depends on the alignment of three key parties: the CFO, the CISO, and the Risk Manager (referred to as the “committee” throughout this article).

The CFO’s concern is capital allocation and return on investment. The CISO’s focus is preventing and mitigating technology-based operational disruption. The Risk Manager’s role is to understand the organization’s risks and develop an action plan for them, which includes deciding whether each risk is accepted, avoided, transferred, or mitigated. With three distinct disciplines and viewpoints coming together in pursuit of the common goal of Cyber Resilience, it is important to build a meeting foundation that answers the question “what’s in it for me?” for each participant as well as for the organization as a whole.

Advanced Cybersecurity Visibility

The first and most important step toward effective Cyber Resilience collaboration is to ensure everyone is operating from a common understanding of the problems being addressed and why they matter. The group can then collectively identify its operational exposures, evaluate how effectively those exposures are managed, single out the inadequately controlled ones (deemed hazards), and reach a risk decision for each.

Exposure Identification

The most common way of identifying and prioritizing exposures is by their impact on revenue generation. The CFO should come to the table with a list of the critical business functions and processes that drive revenue. The CISO should be able to map the technology that enables each of those revenue-generating functions. The Risk Manager should document these risks, understand risks beyond business disruption (e.g. reputational risk), and be able to discuss both first- and third-party risks to critical business functions.

Controls Evaluation

For each of the financial-impact exposures identified, the committee should evaluate how the exposure is controlled and how effective those controls are. The financial consequences of an event should be detailed, including the cost of implementing controls, revenue lost during the recovery period, and any long-lasting effects an incident could have. The goal of this phase is to understand the real-world financial ramifications of each possible loss exposure, which sets the stage for risk analysis and decision making. Any exposure that is inadequately controlled relative to the organization’s risk tolerance should be highlighted, labeled a hazard, and prioritized for a risk decision.

Risk Decisions

Now that exposures and controls have been identified and assessed, a risk decision can be made for each exposure based on the organization’s tolerance for it. The key risk-based decisions are:

  • whether to accept the risk as-is and take no other actions, 
  • avoid the risk altogether by ceasing operations or transitioning to alternative operations, 
  • transfer the risk through insurance, contract indemnification clauses, risk pooling strategies, etc., or, 
  • mitigate the risk by finding ways to reduce the exposure or improve the effectiveness of the controls. 

The committee will need to decide collaboratively which option is appropriate for each exposure, factoring in ease of implementation, the cost of the decision, and its effect on overall organizational risk.

Questions to generate discussion:

  • What are our critical operations and what are the potential causes of disruption?
  • For each cause of disruption, what are the mitigation plans in place?
  • What do we project revenue losses to be during the disruption and recovery phases?
  • Are the projected losses acceptable to the organization?
  • What do we need to do to bring losses to an acceptable level?

Actionable Cyber Hygiene

If the committee chooses risk mitigation as the path forward, it is important that a common organizational lexicon is used to justify mitigation spending decisions. That lexicon is dollars and cents. Determining the best course of action to mitigate a risk should involve an in-depth cost-benefit analysis. Organizations rarely have an endless pool of funds to invest in cybersecurity, so funds invested in cyber risk mitigation must deliver the greatest risk reduction per dollar spent. There are multiple paths to promoting cyber hygiene, and each risk should be analyzed case by case. Whether the decision is to reduce the exposure or to invest in additional mitigation (people, processes, or technology), achieving and maintaining a level of cyber hygiene congruent with the organization’s risk tolerance must be a collaborative committee endeavor.
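As an added illustration (not part of the original article), the following Python risk register walks through the controls-evaluation, risk-decision and cost-benefit steps above: it computes the expected annual loss of each critical function, flags the ones that exceed the committee’s tolerance as hazards, and ranks candidate mitigations by risk reduction per dollar so the committee can spend a fixed budget where it buys the most. All company names, figures, the loss-per-event formula and the tolerance and budget values are constructed assumptions for a hypothetical organization.

```python
"""Worked risk-register example (constructed data, not from the article).

Each exposure is a critical business function with an estimated disruption
frequency and an estimated loss per event: lost revenue over the outage and
recovery window plus fixed incident costs (forensics, notification, legal).
A mitigation shrinks either the frequency or the duration and has an annual
cost, so its value is the expected annual loss it removes.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    name: str
    revenue_per_hour: float      # revenue the function generates per hour
    outage_hours: float          # expected outage plus recovery time per event
    events_per_year: float       # expected number of disruptions per year
    fixed_cost_per_event: float  # costs that do not scale with duration

    def loss_per_event(self) -> float:
        return self.revenue_per_hour * self.outage_hours + self.fixed_cost_per_event

    def annual_expected_loss(self) -> float:
        return self.events_per_year * self.loss_per_event()


@dataclass(frozen=True)
class Mitigation:
    name: str
    exposure: str                  # name of the Exposure it applies to
    annual_cost: float
    frequency_factor: float = 1.0  # events_per_year is multiplied by this
    duration_factor: float = 1.0   # outage_hours is multiplied by this

    def apply(self, e: Exposure) -> Exposure:
        return replace(e,
                       events_per_year=e.events_per_year * self.frequency_factor,
                       outage_hours=e.outage_hours * self.duration_factor)


# Hypothetical company (constructed figures).
EXPOSURES = [
    Exposure("Online checkout", 20_000, 24, 0.5, 100_000),
    Exposure("Warehouse management", 5_000, 48, 0.25, 50_000),
    Exposure("Payroll", 1_000, 72, 0.1, 30_000),
]
MITIGATIONS = [
    Mitigation("Immutable backups and tested restore", "Online checkout",
               60_000, duration_factor=0.25),
    Mitigation("Phishing-resistant MFA", "Online checkout",
               40_000, frequency_factor=0.5),
    Mitigation("Warm standby WMS", "Warehouse management",
               80_000, duration_factor=0.25),
    Mitigation("Payroll provider failover", "Payroll",
               20_000, duration_factor=0.5),
]
RISK_TOLERANCE = 100_000   # max acceptable expected annual loss per exposure
BUDGET = 100_000           # annual mitigation budget


def flag_hazards(exposures, tolerance):
    """Exposures whose expected annual loss exceeds the committee's tolerance."""
    return [e.name for e in exposures if e.annual_expected_loss() > tolerance]


def rank_mitigations(exposures, mitigations):
    """Rank options by expected loss removed per dollar of annual cost.

    Each mitigation is scored against the baseline exposure on its own;
    two mitigations on the same exposure do not simply add up."""
    by_name = {e.name: e for e in exposures}
    rows = []
    for m in mitigations:
        before = by_name[m.exposure]
        reduction = before.annual_expected_loss() - m.apply(before).annual_expected_loss()
        rows.append({"mitigation": m.name, "exposure": m.exposure,
                     "annual_cost": m.annual_cost, "risk_reduction": reduction,
                     "reduction_per_dollar": reduction / m.annual_cost})
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


def choose_within_budget(ranked, budget):
    """Greedily fund the best-value options that fit the budget and pay for
    themselves (ratio > 1). Options below 1.0 cost more than the loss they
    remove and are better candidates for acceptance or transfer."""
    chosen, remaining = [], budget
    for r in ranked:
        if r["reduction_per_dollar"] > 1.0 and r["annual_cost"] <= remaining:
            chosen.append(r["mitigation"])
            remaining -= r["annual_cost"]
    return chosen


if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.name:<22} expected annual loss ${e.annual_expected_loss():>12,.0f}")
    print("hazards:", flag_hazards(EXPOSURES, RISK_TOLERANCE))
    ranked = rank_mitigations(EXPOSURES, MITIGATIONS)
    for r in ranked:
        print(f"{r['mitigation']:<36} -${r['risk_reduction']:>9,.0f}/yr "
              f"for ${r['annual_cost']:>7,.0f}  ratio {r['reduction_per_dollar']:.2f}")
    print("fund this year:", choose_within_budget(ranked, BUDGET))
```

With the constructed figures only the checkout function is a hazard, MFA and tested restores each remove several dollars of expected loss per dollar spent and fit the budget together, while the warehouse standby and payroll failover remove less loss than they cost, which is the signal that those exposures belong in the accept or transfer column rather than the mitigate column. The frequency and duration estimates are the weakest inputs in practice; re-running the register with pessimistic and optimistic values shows whether the ranking is stable or hinges on one guess.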

Accountable Risk Transfer

Cyber insurance is a commonly deployed and widely accessible form of risk transfer. The committee may decide that insurance is the appropriate strategy for a portion or the entirety of its operations. It is important for the committee to understand exactly which risks need to be transferred to third parties to keep the organization adequately protected should an incident occur. This is especially true of organizations that have undergone significant operational change, including M&A activity, geographic expansion, or rapid growth or contraction.

Questions the committee should ask themselves:

  • Does the insurance policy adequately cover the organization’s most critical risks?
  • Will the insurance company meaningfully recognize any improvements I make to my risk posture?
  • What happens to my insurance policy if my operations change throughout the policy period?
  • Does the insurance company have any resources to assist my organization’s cyber risk management efforts beyond risk transfer? 

A cyber resilience meeting needs to be collaborative with each stakeholder (finance, security, and risk management) bringing their unique viewpoints and motivations to the table in a supportive manner. This holistic approach to risk analysis and mitigation sets the foundation for the organization to pursue cyber resilience effectively for the long term.
