Marie Gemma Dequae calls for improved data to counter the rapidly growing threat to information security
Cyber risk is a large and growing threat to business. Quantifying exposure is in its very early stages because of the scant data currently available and the evolving nature of the risks.
But pressure for more precise estimates of exposure will increase. Last autumn, a survey of members of the Federation of European Risk Management Associations (FERMA) found a majority reporting that board involvement in cyber risk at their companies was growing.
In Europe, draft legislation will add to companies' obligations when data security is breached, while in the US the Securities and Exchange Commission is seeking, and in some cases requiring, disclosure of security incidents.
Information security is a classic "enterprise risk" and should not be viewed as the sole domain of the chief information officer. The ability to assess potential maximum loss will enable companies to judge what financial provision is needed for cyber risks, including whether to buy insurance and what limits are worthwhile. The accuracy of insurers' pricing of cyber risk policies is a separate, but clearly related, issue.
Such risks threaten the digital assets of a business: client details, confidential information, intellectual property and the systems that run its operations. Most common are attacks on client data to reach financially valuable information. At the other end of the frequency distribution are efforts to capture intangible assets and direct attacks on those operating systems. These do occur, however, and governments are taking seriously the potential for interference with organisations that run critical infrastructure.
The cost implications of these risks range from predictable items, such as customer notification and call centre expenses, to open-ended business exposure, including loss of income from intellectual property and loss of competitive advantage.
Data, however, is poor, especially outside the US. Companies do not want to air their problems in public, and, in Europe, notifying customers that their information has been compromised has not been compulsory. Most estimates are based on US cases or have a very wide margin of error. Quoted figures tend to be broad - so many billions a year lost to cyber crime, for example, or an estimated mean loss per company. Businesses cannot rely on this information to benchmark their own exposure except in the simplest way.
The first step in overcoming these limitations is for the risk manager to collaborate on developing scenarios that truly represent the company's exposure. They can also draw on examples where the companies involved have disclosed the financial impact of cyber incidents, which is also useful in engaging board interest. In this way, companies can estimate the consequences of cyber risk, from immediate costs to the longer-term impact on reputation.
Next, combining this scenario analysis with suitable quantitative analytical tools will help to estimate the probable loss distribution across a wide range of events. The critical issue is that the assumptions underpinning any model are grounded in the specific business and capture the extraordinarily dynamic nature of cyber risk; attackers are very inventive.
Ideally, the risk manager will also be able to see how changing various assumptions affects the risk profile, stress-testing the results without rerunning the whole model.
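As an added example, not taken from the article, from FERMA or from the cited research, the following Python sketch shows one way the scenario-plus-quantitative approach can be put into practice: each scenario is a frequency/severity assumption, Monte Carlo simulation turns the set of scenarios into an annual loss distribution, and a stress function scales one assumption and reports how the expected loss and tail percentiles move. The Poisson/lognormal choice and every parameter value are hypothetical inputs chosen for illustration; the article does not prescribe a model, and real scenarios would be built from the company's own exposure and from disclosed cases. This simple version re-runs the whole simulation for each stress test, which is cheap at this scale.

```python
"""Scenario-driven Monte Carlo estimate of an annual cyber loss distribution.

Each scenario is a frequency/severity pair: how often the event is expected
per year (Poisson) and how large a single loss is (lognormal, which gives the
fat right tail that cyber losses tend to show). Annual loss is the sum of all
event losses in a simulated year; repeating over many years gives a loss
distribution from which expected loss and tail percentiles are read off.
All parameter values below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (Poisson rate); an assumption
    severity_median: float   # median loss per event, in EUR; an assumption
    severity_sigma: float    # lognormal dispersion; larger means a fatter tail


# Constructed scenarios, not figures from the article or from any real company.
SCENARIOS = [
    Scenario("customer data breach", annual_frequency=2.0,
             severity_median=100_000, severity_sigma=1.0),
    Scenario("intellectual property theft", annual_frequency=0.1,
             severity_median=2_000_000, severity_sigma=1.2),
]


def poisson(rng: random.Random, rate: float) -> int:
    """Draw an event count for one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, years: int = 20_000, seed: int = 1) -> list:
    """Return the sorted list of simulated total losses, one per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            mu = math.log(s.severity_median)  # lognormal median is exp(mu)
            for _ in range(poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(mu, s.severity_sigma)
        losses.append(total)
    losses.sort()
    return losses


def analytic_expected_loss(scenarios) -> float:
    """Closed-form mean annual loss: sum of rate * mean severity per scenario.

    Used as a sanity check on the simulation; the mean of a lognormal with
    median m and dispersion sigma is m * exp(sigma**2 / 2).
    """
    return sum(s.annual_frequency * s.severity_median * math.exp(s.severity_sigma ** 2 / 2)
               for s in scenarios)


def summarise(losses: list) -> dict:
    """Expected annual loss plus the percentiles a board or insurer asks about."""
    n = len(losses)

    def percentile(q: float) -> float:
        return losses[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": sum(losses) / n,
        "p50": percentile(0.50),
        "p95": percentile(0.95),
        "p99": percentile(0.99),   # 1-in-100-year loss; a common anchor for insurance limits
        "max_simulated": losses[-1],
    }


def stress_test(scenarios, name: str, field: str, factor: float, **kwargs) -> dict:
    """Re-run the model with one assumption of one scenario scaled by `factor`.

    Re-simulating is cheap at this scale; the point is to see how sensitive the
    tail is to a single input the risk manager is unsure about.
    """
    adjusted = [replace(s, **{field: getattr(s, field) * factor}) if s.name == name else s
                for s in scenarios]
    return summarise(simulate_annual_losses(adjusted, **kwargs))


if __name__ == "__main__":
    base = summarise(simulate_annual_losses(SCENARIOS))
    print("analytic expected loss: %.0f" % analytic_expected_loss(SCENARIOS))
    for k, v in base.items():
        print("%-22s %14.0f" % (k, v))
    stressed = stress_test(SCENARIOS, "intellectual property theft", "severity_median", 2.0)
    print("p99 if IP loss median doubles: %.0f (was %.0f)" % (stressed["p99"], base["p99"]))
```

The gap between the expected annual loss and the p99 figure is the practical output: the former informs provisioning, the latter the insurance limit worth considering. Comparing the simulated mean with the closed-form value is a cheap check that the model is doing what its assumptions say, and the stress run shows how much of the tail rests on the single least certain input.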
This approach of combining scenario and quantitative analysis could also be useful for communicating cyber risks to senior management. The higher you venture into an organisation's structure, the more straightforward the message needs to be.
Colleagues have told me that they have seen well embedded principles and practices associated with risk management and risk financing discarded when information and cyber security are considered. By working as outlined above, businesses can avoid over-reacting to scare stories about cyber risks while acknowledging the true dangers and bringing them under a proper risk management approach.
Marie Gemma Dequae is scientific advisor to the Federation of European Risk Management Associations. She is a board member of Belfius Bank and Belfius Insurance in Belgium.
More information on the research on cyber risk, conducted in cooperation with Harvard Business Review and sponsored by Zurich Insurance, is available at www.ferma.eu
Digital risks will also be on the programme at the FERMA Forum, which takes place from 29 September to 2 October in Maastricht.