Introducing Financial Quantification for Enterprise Cyber Risk

‍Overview

With cybercrime said to have cost the global economy $1 trillion dollars[1]; understanding the financial impact of cyber risk has become even more critical for C-level decision makers and Boards of Directors. 

With Financial Quantification for Enterprise Cyber Risk (FQ-ECR), Kovrr in partnership with BitSight enables business decision makers to understand and financially quantify the changing profile of their cyber risk exposure.

‍

Highlights

• FQ-ECR leverages Bitsight’s market-leading cyber security and ratings data in combination with Kovrr’s pioneering multi-model approach for analyzing and financially quantifying cyber risk, used in the (re)insurance industry to underwrite companies and manage tens of billions of dollars in cyber risk exposure.
• Access on-demand analytics without time intensive and demanding data collection efforts or the need for additional headcount. 
• Prioritize cyber risk management decisions with easy to understand business relevant metrics presented in financial terms.

FQ-ECR  delivers a seamless way to financially quantify cyber risk in dollar terms, enabling more robust cyber risk management decisions that ensure business resilience. 

The increasing pace of digitalization

The $88 trillion global economy in the 21st century is powered by companies who are becoming more and more reliant on technological infrastructures and third party service providers. The magnitude of this transformation is evidenced by research showing that while only 10 years ago one in four companies relied on the internet for their business operations, today the number is 100%[2].

Companies today are moving faster than ever to technologically transform themselves with 91% of companies engaged in some kind of digital initiative[3]and 87% of senior business leaders say digitalization is a priority[4].  These initiatives are being further accelerated due to the ongoing pandemic with 69% boards of directors accelerating their digital business initiatives due to the COVID-19 disruptions[5].

Cyber attacks can be costly

The obvious advantages that digitalization delivers also come with potential downside risks. It seems every day brings news of another costly cyber event hitting another company. 

In recent weeks we’ve seen:

• Facebook suffer a data breach which leaked personal information, including phone numbers, for half a billion users.[6]
• Acer, a global computing company, suffer a $50 million ransomware attack.[7]
• A ransomware attack against CompuCom, the parent company of Home Depot, that’s said to have initial costs of $25 million. [8]

Other notable examples of past cyber incidents include:

• NHS: The 2017 WannaCry ransomware attack that hit the UK’s National Health Service (NHS) among other companies and organizations, costing the NHS alone over $100 million.[9]
• Equifax: The 2017 Equifax breach which affected 147.9 million consumers costing the company over $4 billion in total. [10]
• Merck: Notpetya, a 2017 Ransomware that also affected companies such as Mondelez, WPP and Maersk, costingMerck $1.3 Billion. [11]

It's no wonder that as this phenomenon continues to cascade, 68% of business leaders feel their cybersecurity risks are increasing[12].

Translating Cyber Risk into Business Risk: What are the Challenges?

One of the key gaps to bridge is providing the necessary data to support the CISO, the CRO and Board members in their decisions surrounding how they justify cyber related investments, and deciding on budgets and risk transfer programs for the business. 

In order to do so, all key stakeholders need to have a level of understanding of the potential frequency and severity of potential cyber events and how they might affect their business.

Given that board directors now rate cybersecurity as the second-highest source of risk to threatening their enterprise[13], the question remains: what’s obstructing companies from feeling confident that they are adequately prepared to manage their cyber risk exposure?

Challenges

1. Cyber risk is discussed in technical terms: 

One reason is that traditionally cyber risk has been presented in technical terms or against a variety of compliance frameworks. This has made it challenging for the CISO and their team to communicate with others such as the CRO, CFO, C-Suite and Board. 

2. Cyber risk is constantly changing:

Cyber threats are constantly changing with hundreds of thousands of events occurring on a daily basis. Furthermore, companies themselves are continuously changing, adding new tools, technologies. clients and partners. 

Efficiently monitoring and delivering regular and consistent updates on a company’s cyber risk exposure as it changes over time can be taxing, resource heavy and expensive. This is especially accurate if extensive data gathering is required across multiple entities, management levels and stakeholders. 

3. Communicating the multiple ways that cyber risk may impact the business:

Today, cyber risk goes beyond just referring to potential cyber attacks. Risks to a company's ability to operate without interruption or damage also means being able to assess the risks that can potentially manifest from one or more of their third party providers failing. 

Furthermore, having the ability to explain and understand which cyber events are likely to affect a part of your business specifically through some kind of targeted action as well as understand which events could cause systemic damage across the enterprise and its subsidiaries at a single point in time helps prioritize risk management investments and decisions. 

FQ-ECR seeks to overcome these challenges by analyzing and calculating the financial cyber risk to create a shared language of cyber risk. 

‍

Companies need a tool that allows for a seamless and constant flow of data regarding global cyber threats and attacks, ongoing visibility to security posture and controls of the business and it’s different entities and risk models that are designed to differentiate between different types of impacts and financial losses.

This way all stakeholders can have a data-driven conversation around possible options to manage and reduce their cyber risk exposure by mitigating through enhanced cyber security programs or managed more effectively via risk transfers protections. 

‍

How FQ-ECR helps solve this problem

1. Leverage best in class data and cyber risk models to make data-driven decisions:

• FQ-ECR leverages Bitsight’s extensive market-leading cyber security and ratings data in combination with Kovrr’s pioneering multi-model approach for analyzing and financially quantifying cyber risk. 
• Access a turn-key solution that delivers on-demand analytics and overcomes the need for painful and often unsustainable manual data collection efforts or the need for additional headcount. 
• FQ-ECR continually evolves to factor in changes in a company's firmographic and technographic profiles, global cyber event frequencies and their financial impact, leveraging a wide range of sources including global cyber insurance claims data.
• Enable businesses to do a financial quantification on their primary enterprise, or drill down into the quantification of business units and/or subsidiaries.

2. Translate cyber risk into a commercial language understood by the whole team 

• Create a financially quantified view of cyber risk that complements the BitSight rating utilizing multiple data sets from real-world cyber events combined with details of an  organization’s digital assets and security posture to simulate hundreds of thousands of potential cyber events. and their financial impact. 
• Assess progress across multiple easy to understand business impact scenarios that serve as measurable metrics including: Ransomware, Denial of Service, Third Party Service Provider Failure, Liability and more. These metrics uniquely enable decision makers to focus their efforts on improving the programs and controls that will have the most significant impact on risk reduction and cyber exposure. 
• View granular insights about the different types of cyber events that could lead to extreme financial losses.

3. Make risk management decisions with confidence and consistency 

FQ-ECR enables businesses to use real-time data to make more informed decisions about managing cyber risk  whether to accept, mitigate, or transfer the risk), prioritizing new technology investments, and measuring the ROI of those investments in specific controls or programs.

‍