From the Enterprise Level on Down
It’s impossible to escape the barrage of news about cyber attacks. At the enterprise level, we also observe widely varying degrees of insight into how to understand and manage the underlying risk.
Boards of directors are turning attention from understanding the risk to understanding management’s readiness to deal with the risk. That translates into questions such as, “Do we understand the risk well enough to prevent, mitigate and recover from a large-scale cyber event?”
Common sense risk analysis
Risk analysis starts with awareness of the risks an organization faces. The better an organization understands the risks it’s dealing with, the more robust its risk analysis and risk-based decision making will be.
Some common suggestions for improving risk awareness include the following:
- Harvest the risk information you already have, whether through formal risk assessment activities already underway, through your enterprise risk management program, or through review of the insightful information that already exists within business units.
- Address gaps in risk information and insight. Find ways to engage in risk conversations with colleagues who “see” and understand the risk; follow up with the stakeholders who either influence the outcome of a risk event or pay for its consequences.
- Get help from external advisors. This is especially true for a dynamic risk like cyber, where both the profile of the risk and the range of potential risk mitigation options continue to evolve.
Qualitative, quantitative assessment
Risk analysis should incorporate both qualitative and quantitative assessment of risk by applying appropriate tools in each situation. In the cyber risk space, analysis should incorporate technical assessment of the organization’s existing cyber security posture, thereby identifying major gaps and areas for improvement.
By applying risk science to the age-old questions of “how likely” and “how big,” enterprise risk managers gain further insight into the organization’s areas of vulnerability. And while risk quantification is often seen as the “Holy Grail” of risk assessment, it’s important to consider the qualitative aspects as well:
- Do we tend to discuss risk well? What are the embedded risks that we don’t like to talk about or we feel we’re “stuck with” and need to accept?
- Do we understand the business impacts of the risk, including operational disruptions, implications for control and compliance, cross-functional risk, and financial and reputational impacts? How could a cyber event affect our credibility with customers, suppliers and other stakeholders? Is cyber risk a D&O (directors and officers) risk?
- How do the strategic decisions we make today affect our vulnerability to future cyber risk? What level of risk are we living with today or accepting for tomorrow by virtue of the decisions we make regarding our operations, acquisitions and partnerships?
The outcome of risk analysis should include a keener understanding of the organization’s risk resilience: how ready are we to prevent, uncover, mitigate and recover from a cyber risk event?
Although insurance plays a critical role in protecting an organization’s balance sheet from a cyber event, appropriate attention to both understanding and mitigating cyber risk is valuable at the enterprise level because it increases the entire organization’s readiness to deal with the risk at all levels. As with any other risk, the time and effort spent analyzing vulnerabilities and prioritizing resources helps organizations maximize the value of their risk management investment. As an added benefit, this work helps the insurance buyer determine appropriate limits, retentions and coverage options, and it enhances the insurance broker’s ability to get the job done in the market.
Common sense risk mitigation
The process of understanding areas of cyber-related vulnerability across the enterprise, determining the best risk mitigation options, and executing the risk mitigation plan is the same for cyber risk as for any other risk. Benchmarking “best practices” in cyber mitigation, seeking external advice and running clean-sheet exercises can all help. The following are some areas for additional consideration:
- Contractual reviews. What duties and obligations have we accepted through commercial arrangements with customers, suppliers and other third parties?
- Business process reviews. What risks do we assume every day based on the way we conduct our business, and are there areas in which process change could provide a win/win for the business as well as for our cyber-risk exposure?
- Prioritization. Where should we spend time, money and effort to improve?
- Risk transfer. What is the best insurance strategy, one that results in comprehensive, current coverages at a reasonable cost? How do we differentiate ourselves in the insurance market?
- Continuous improvement. How do we stay ahead of the risk while enabling our business to thrive?
- Organizational barriers to success. How do we deal with aspects of the plan that cross organizational silos? How do we address differing levels of understanding of the risk, the need for resources to address it, and the need for collaboration between technical and non-technical colleagues? How do we break down company-specific barriers to collaboration, including reliance on embedded processes and practices?
By building capability in cyber risk analysis, mitigation planning and execution, and risk monitoring, you will improve resiliency today while positioning your organization for future success.