Soapbox: Cyber reality - time to quantify risk

Open-access content Thursday 7th February 2013 — updated 5.13pm, Wednesday 29th April 2020

Marie Gemma Dequae calls for improved data to counter the rapidly growing threat to information security


Cyber risk is a large and growing threat to business. Quantifying exposure is in its very early stages because of the scant data currently available and the evolving nature of the risks.

But pressure will increase for more precise estimates of exposure. Last autumn, a survey of members of the Federation of European Risk Management Associations (FERMA) revealed a majority saying that board involvement in cyber risk in their companies was growing.

In Europe, draft legislation will add to company obligations on data security breaches, while, in the US, the Securities and Exchange Commission is looking for and sometimes requiring disclosure of security issues.

Information security is a classic "enterprise risk" and should not be viewed as the sole domain of the chief information officer. The ability to assess potential maximum loss will enable companies to judge what financial provision is needed for cyber risks, including whether to buy insurance and what limits are worthwhile. The accuracy of insurers' pricing of cyber risk policies is a separate, but clearly related, issue.

Such risks are a threat to the digital assets of a business: client details, confidential information, intellectual property and operating systems. Most common are attacks on client data to get at financially valuable information. At the other end of the frequency distribution are efforts to capture intangible assets or assaults on operating systems. These do, however, occur, and governments are taking the potential for interference with critical infrastructure organisations seriously.

The cost implications of these risks range from predictable items, such as customer notification and call centre expenses, to open-ended business exposure, including loss of income from intellectual property and loss of competitive advantage.

Data, however, is poor, especially outside the US. Companies do not want to air their problems in public, and, in Europe, notifying customers that their information has been compromised has not been compulsory. Most estimates are based on US cases or have a very wide margin of error. Quoted figures tend to be broad - so many billions a year lost to cyber crime, for example, or an estimated mean loss per company. Businesses cannot rely on this information to benchmark their own exposure except in the simplest way.

The first step in overcoming these limitations is for the risk manager to collaborate on developing scenarios that are truly representative of the company's exposure. They can also draw on examples where the companies involved have disclosed the financial impact of cyber incidents. This can be useful in engaging board interest. In this way, companies can estimate the consequences of cyber risk - from immediate costs to the longer-term impact on reputation.

Next, combining this scenario analysis with suitable quantitative analytical tools will help to estimate the probable loss distribution from a wide range of events. The critical issue is that the assumptions underpinning any model are grounded in the specific business model and capture the extraordinarily dynamic nature of cyber risk; the instigators are very inventive.

Ideally, the risk manager will also be able to see how changing various assumptions affects the risk profile, stress-testing the results without rerunning the whole model.

This approach of combining scenario and quantitative analysis could also be useful for communicating cyber risks to senior management. The higher you venture into an organisation's structure, the more straightforward the message needs to be.

Colleagues have told me that they have seen well-embedded principles and practices associated with risk management and risk financing discarded when information and cyber security are considered. By working as outlined above, businesses can avoid over-reacting to scare stories about cyber risks while acknowledging the true dangers and bringing them under a proper risk management approach.

Marie Gemma Dequae is scientific advisor to the Federation of European Risk Management Associations. She is a board member of Belfius Bank and Belfius Insurance in Belgium.

More information on the research on cyber risk, conducted in cooperation with Harvard Business Review and sponsored by Zurich Insurance, is available at www.ferma.eu

Digital risks will also be on the programme at the FERMA Forum, which takes place from 29 September to 2 October in Maastricht.

This article appeared in our February 2013 issue of The Actuary.
© 2023 The Actuary. The Actuary is published on behalf of the Institute and Faculty of Actuaries by Redactive Publishing Limited. All rights reserved. Reproduction of any part is not allowed without written permission.
