By Leslie Chacko, Evan Sekeris, and Claus Herbolzheimer
This article first appeared in the Harvard Business Review on October 5, 2016.
Cyber breaches are one of the most likely and most expensive threats to corporations. Yet few companies can quantify just how great their cyber risk exposure truly is, preventing them from effectively protecting themselves.
Most managers rely on qualitative guidance from “heat maps” that describe their vulnerability as “low” or “high” based on vague estimates that lump together frequent small losses and rare large losses. But this approach doesn’t help managers understand if they have a $10 million problem or a $100 million one, let alone whether they should invest in malware defenses or email protection. As a result, companies continue to misjudge which cybersecurity capabilities they should prioritize and often obtain insufficient cybersecurity insurance protection.
No institution has the resources to completely eliminate cyber risks. That means helping businesses to make the right strategic choices regarding which threats to mitigate is all the more important. But right now, these decisions are made based on an incomplete understanding of the cost of the various vulnerabilities. Organizations often fail to take into account all of the possible repercussions, and have a weak grasp of how the investments in controls will decrease the probability of a threat. It’s often unclear whether they are stopping a threat or just decreasing its probability — and if so, by how much?
It’s essential that companies develop the capability to quantify their cyber risk exposure in order to form strategies to mitigate that risk. The question is, is it really possible to put a dollar sign on fast-changing cyber risks with data that is difficult to find and often even harder to interpret?
Estimating the true cost of a potential cyber breach may never become an exact science. The good news is that our understanding of why cyber risk forecasts keep falling short is improving. The main culprit is that companies quantify cyber risks the same way they do other operational risks — focusing narrowly on potential direct revenue losses. But companies can make much more accurate forecasts if they evaluate cyber risks on a broader set of losses associated with cyberattacks.
Companies come much closer to properly weighing how much they should spend to reduce their cyber risk and curb cybercrime when they consider these risks from three perspectives — foregone revenue and ancillary payments, liability losses, and reputational damage. One reason for this is that they are able to capture one of the biggest differences between cyber threats and other risks to their business: Cyberattacks can hurt a company even if there is no gain for the perpetrator other than accessing sensitive information.
The direct revenue losses for the companies involved in a cyberattack can be nearly negligible compared to the reputational damage incurred, which in turn can lead to future revenue losses. That is why it is essential for managers to quantify cyber risks more broadly. It can be done, and can potentially save companies hundreds of billions of dollars every year.
The first step in putting a dollar figure on cyber risks is to identify your company’s most important assets and its greatest vulnerabilities. Cyber risks generally fall into two categories: 1) those involving services shutting down, and 2) those that compromise information, ranging from sensitive data, to corporate secrets, to bank accounts.
But assumptions differ greatly depending on a business and its customers. For example, a utility company’s greatest cyber risk could be a nuclear plant outage while a health insurer’s top cyber risk may be losing medical data or having a hacker unexpectedly cripple critical surgical equipment. For another business, the greatest cyber risk could be the abrupt inability to bill customers, or perhaps, in the case of a bank, a shutdown that prevents customers from getting paid.
The challenge then is to build a smart, well-designed cyber risk model that can analyze potential direct revenue, liability, and brand loss scenarios. When a cyberattack happens, companies are hit not just with losses from customers who stop buying products and services; they also face ancillary costs of fixing the problem, such as regulatory fines, forensics, and consulting fees.
Liability losses, too, come into play in cases where critical data is accessed. A company may need to provide customers years of remediation, such as offering credit monitoring services, along with legal fees and penalties to settle multiple class action lawsuits. Finally, companies must quantify how much their future revenues will fall if a cyberattack has damaged their brand.
To understand the upper and lower boundaries of their risk, companies must gather general business, operational, and technical data that can be modeled against expected and worst case scenarios. Using both internal and external data related to the health of their business and operations, managers should be able to predict their expected and maximum cyber losses over a one- to three-year period, just as they can forecast their future revenues. They can also estimate what percentage of their future customers will leave if an outage results from a cyber breach — or how much their stock valuation and margins could suffer if a cyberattack taints their reputation. Companies should also judge, in part from past incidents, which applications are at the highest risk.
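One way to build the loss model the preceding paragraphs describe, as an added illustration that is not part of the original article: a Monte Carlo simulation that treats each scenario as a Poisson incident frequency with lognormal direct and liability severities, adds a reputational component from the share of customers who leave, and reports expected and worst-case (95th percentile and maximum) losses over a one- or three-year horizon. The scenario names, dollar figures, rates and distributions are constructed assumptions, not data from the article.

```python
import math, random, statistics
from dataclasses import dataclass

@dataclass
class Scenario:  # one cyber loss scenario; all figures are constructed sample inputs
    name: str
    annual_rate: float        # expected incidents per year (Poisson frequency)
    direct_median: float      # median direct revenue + ancillary cost per incident (forensics, fines)
    liability_median: float   # median liability cost per incident (remediation, lawsuits)
    churn_fraction: float     # share of annual revenue lost to customers who leave after an incident
    annual_revenue: float
    sigma: float = 1.0        # lognormal spread of the two monetary severities

def poisson(rate, rng):
    """Draw an incident count from Poisson(rate) (Knuth's method; stdlib has no Poisson)."""
    threshold, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def incident_loss(s, rng):
    """Loss of one incident: direct + liability (lognormal draws) + reputational (customer churn)."""
    direct = rng.lognormvariate(math.log(s.direct_median), s.sigma)
    liability = rng.lognormvariate(math.log(s.liability_median), s.sigma)
    reputational = s.churn_fraction * s.annual_revenue
    return direct + liability + reputational

def simulate(scenarios, years=1, trials=10_000, seed=7):
    """Monte Carlo the total loss over `years`; return expected loss and worst-case figures."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(s.annual_rate * years, rng)):
                total += incident_loss(s, rng)
        totals.append(total)
    totals.sort()
    return {"expected": statistics.fmean(totals),
            "p95": totals[int(0.95 * trials) - 1],  # 95th-percentile "worst case"
            "max": totals[-1]}

SAMPLE = [  # constructed figures, in dollars, for a hypothetical mid-size health insurer
    Scenario("billing outage", 0.3, 2_000_000, 500_000, 0.01, 400_000_000),
    Scenario("medical data breach", 0.1, 1_500_000, 8_000_000, 0.05, 400_000_000),
]
```

Run `simulate(SAMPLE, years=1)` and `simulate(SAMPLE, years=3)` to compare the one- and three-year exposure; the gap between "expected" and "p95" is what an insurance limit or control budget has to cover.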
Armed with this information, it’s much easier for managers to judge whether their companies have the right level of cyber risk protection and to budget for potential additional spending. Answers to questions such as how much the company should invest in evaluating the state of its vendors’ cybersecurity, or at what cost additional authentication software is justified given the likelihood that critical data will be accessed, become much clearer.
Managers can also weigh if they should invest in more training of employees and vendors or in more technical controls to monitor potential cyber breaches. In some cases, managers may even discover that investing in a new product line may, or may not, be worthwhile given the cyber risks involved.
Quantifying cyber risks is challenging, but feasible — and you can’t afford not to do it. Most firms have the technical knowhow and a strong enough grasp of the risks involved to help managers evaluate the trade-offs involved in mitigating cyber risks with a much smaller margin for error than in the past. What’s needed now is leadership from managers to prioritize the need to gain a better understanding of how much they need to spend to curb their cyber risks and to put a halt to cybercrime.
1. What market dynamics are increasing vulnerability to cyber attacks?
One major factor is that the quantity of data in circulation is doubling each year—kind of a new Moore’s Law—with estimates that there will be 50 billion connected devices in the world by 2020 (6.5 devices for every person on the planet, according to a study by DHL and Cisco). This explosion of data and interconnectedness provides unparalleled opportunities for customer engagement and differentiated experiences, but it also increases companies’ (and their clients’) vulnerability to cyber crime.
2. Who in the organization is responsible for cyber risk management?
Effective information security is an existential issue that involves the whole company, and it needs to be established as a permanent item on the board’s agenda. Even five years ago shareholders accepted that information security was a technology issue handled by the CIO or even a direct report. Today it demands the attention of the most senior executives, with company-wide management.
3. How significant a problem have cyber attacks become for enterprises and governments?
That is a pretty tough question – with these kinds of events, many organizations have been very reluctant to acknowledge breaches. That said, even the tip of the iceberg is very large. The average annualized cost of cyber attacks is $8.9m per organization. $120.1BN is the expected size of the global cyber security market in 2017 – an estimated CAGR of 11.3% from $63.7BN in 2011.