Cyber breaches are one of the most likely and most expensive threats to companies. Yet few can quantify just how great their cyber risk exposure truly is, preventing them from effectively protecting themselves.
Most managers rely on qualitative guidance from “heat maps” that describe their vulnerability as “low” or “high” based on vague estimates that lump together frequent small losses and rare large losses, according to a new report from Oliver Wyman, the global risk management firm.
But this approach doesn’t help managers understand if they have a US$10 million problem or a US$100 million one, let alone whether they should invest in malware defenses or email protection.
As a result, the risk specialist argued, companies continue to misjudge which cyber security capabilities they should prioritize and often end up with insufficient cyber security insurance protection. Indeed, the numbers beggar belief given the press exposure cyber attacks receive.
The research revealed a whopping 77 per cent of companies globally do not assess their suppliers or customers for cyber risk. Moreover, a solid 68 per cent have not estimated the financial impact of a cyber attack.
All possible repercussions
The analysis then becomes even more worrying. According to Oliver Wyman, about 43 per cent have failed to identify one or more cyber scenarios that would damage their company. And 30 per cent have less than a basic understanding of their cyber risk exposure.
Remarkably, a full 25 per cent don’t even include cyber risk in their risk registers.
"No institution has the resources to eliminate cyber risks," the risk management advisor said. "That means making the right strategic choices regarding which threats to mitigate is all the more important. But right now, these decisions are made based on an incomplete understanding of the cost of the various vulnerabilities.
"Organisations often fail to consider all the possible repercussions and have a weak grasp of how the investments in controls will decrease the probability of a threat. It’s often unclear whether they are stopping a threat or just decreasing its probability – and if so, by how much?"
Fast-changing cyber risks
The question is whether it is really possible to put a dollar sign on fast-changing cyber risks using data that is difficult to find and often even harder to interpret.
The trouble, according to Oliver Wyman, is that companies quantify cyber risks the same way they do other operational risks — focusing narrowly on potential direct revenue losses rather than evaluating cyber risks against a broader set of losses associated with cyberattacks.
"They should consider these risks from three perspectives — foregone revenue and ancillary payments, liability losses, and reputational damage. The direct revenue losses for the companies involved in a cyberattack can be nearly negligible compared to the reputational damage incurred, which in turn can lead to future revenue losses."
Liability losses, too, come into play in cases where critical data is accessed, the report found, as a company may need to provide customers years of remediation, such as offering credit monitoring services, along with legal fees and penalties to settle multiple class action lawsuits.
Finally, the risk firm said, companies must quantify how much their future revenues will fall if a cyberattack has damaged their brand.
"Using both internal and external data related to the health of their business and operations, managers should be able to predict their expected and maximum cyber losses over a one-to-three-year period, just as they can forecast their future revenues," the research concluded.
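As an added illustration of the kind of quantification the report calls for (this is example code, not Oliver Wyman's model), the script below separates each of the three loss perspectives into an event frequency and a loss-per-event severity, then reports an expected annual loss and a tail "maximum" loss instead of a single heat-map rating. Every scenario parameter is a constructed assumption chosen to contrast frequent small losses with rare large ones.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """Poisson event count per year times lognormal loss per event (constructed parameters)."""
    name: str
    events_per_year: float
    median_loss: float  # median USD loss per event
    sigma: float        # lognormal spread; larger means a fatter tail

    def expected_annual_loss(self) -> float:
        # E[N] * E[X], where E[X] = median * exp(sigma^2 / 2) for a lognormal severity.
        return self.events_per_year * self.median_loss * math.exp(self.sigma ** 2 / 2)

    def simulate_year(self, rng: random.Random) -> float:
        n = sample_poisson(self.events_per_year, rng)
        return sum(rng.lognormvariate(math.log(self.median_loss), self.sigma) for _ in range(n))


def sample_poisson(lam: float, rng: random.Random) -> int:
    """Knuth's method: count uniforms until their product drops below exp(-lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def loss_profile(scenarios, years: int = 20000, tail: float = 0.95, seed: int = 7) -> dict:
    """Analytic expected annual loss plus a 'maximum' loss read off the tail percentile
    of simulated annual totals: the two numbers the report says managers should predict."""
    rng = random.Random(seed)
    totals = sorted(sum(s.simulate_year(rng) for s in scenarios) for _ in range(years))
    return {
        "expected": sum(s.expected_annual_loss() for s in scenarios),
        "simulated_mean": sum(totals) / years,
        "maximum": totals[int(tail * years) - 1],
    }


# Constructed scenarios (assumed values): frequent small losses beside rare large ones.
SCENARIOS = [
    LossScenario("foregone revenue (commodity malware outages)", 12, 20_000, 0.8),
    LossScenario("liability (breach remediation, class actions)", 0.1, 5_000_000, 1.0),
    LossScenario("reputational (lost future revenue)", 0.05, 20_000_000, 1.2),
]

if __name__ == "__main__":
    print(loss_profile(SCENARIOS))
```

With these assumed inputs the frequent "low severity" category contributes the smallest expected loss, and the tail figure sits well above the expected one, which is exactly the distinction a single heat-map cell hides.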