Threatonomics

Setting a Cyber Resilience Meeting Agenda

Navigating digital opportunity and loss while under duress

by Travis Wong

Achieving effective Cyber Resilience is a continuous process that requires collaboration across an entire organization in order to adequately assess, measure, and manage cyber-related operational risks. To achieve Cyber Resilience, the alignment of three key parties is essential: the CFO, CISO, and Risk Manager (referred to as the “committee” throughout this article). 

The CFO’s concern is with capital allocation and optimizing return on investment. The CISO’s focus is preventing and mitigating technology-based operational disruption. The Risk Manager’s role is to understand the organization’s risks and develop an action plan for them, which includes making decisions around risk acceptance, avoidance, transfer, or mitigation. With three distinct disciplines and viewpoints coming together in pursuit of the common goal of Cyber Resilience, it’s important to create a meeting foundation that answers the question “what’s in it for me?” at the individual level as well as for the organization as a whole.

Advanced Cybersecurity Visibility

The first and most important step to effective Cyber Resilience collaboration is to ensure everyone is operating from a common understanding of the problems being addressed and why those problems are important. The group can then collectively identify their operational exposures, evaluate their effectiveness at managing those exposures, target inadequately controlled exposures (deemed hazards), and pursue a risk decision.

Exposure Identification

The most common way of identifying and prioritizing exposures is by their impact on revenue generation. The CFO should come to the table with a list of critical business functions and processes that affect revenue. The CISO should be able to map technology enablement against those revenue-generating functions. The Risk Manager should document these risks, understand risks beyond business disruption (e.g. reputational risk), and be able to discuss both first- and third-party risks to critical business functions.

Controls Evaluation

For each of the financial impact exposures identified, the committee should evaluate how those exposures are controlled and how effective those controls are. The financial consequences of each event should be detailed, including the cost of implementing the controls, revenue reduction during the recovery period, and any long-lasting effects that could result from an incident. The goal of this phase is to understand the real-world financial ramifications associated with each possible loss exposure; that sets the stage for risk analysis and decision making. It is important to highlight any exposures that are inadequately controlled relative to the organization’s risk tolerance. These should be labeled as hazards and prioritized for risk decisions.

Risk Decisions

Now that exposures and controls have been identified and assessed, a risk decision strategy can be chosen for each exposure based on the organization’s risk tolerance for it. The key risk-based decisions to make are whether to:

  • accept the risk as-is and take no other action,
  • avoid the risk altogether by ceasing operations or transitioning to alternative operations,
  • transfer the risk through insurance, contract indemnification clauses, risk pooling strategies, etc., or
  • mitigate the risk by finding ways to reduce the exposure or improve the effectiveness of the controls.

The committee will need to collaboratively decide which risk decision is appropriate for each exposure, factoring in ease of implementation, the cost associated with the decision, and the decision’s impact on organizational risk.

Questions to generate discussion:

  • What are our critical operations and what are the potential causes of disruption?
  • For each cause of disruption, what are the mitigation plans in place?
  • What do we project revenue losses to be during the disruption and recovery phases?
  • Are the projected losses acceptable to the organization?
  • What do we need to do to bring losses to an acceptable level?

Actionable Cyber Hygiene

If the committee chooses risk mitigation as the path forward, it’s important that a common organizational lexicon is used to justify risk mitigation expense decisions. This lexicon is dollars and cents. Determining the best course of action to mitigate risk should involve in-depth cost-benefit analysis. It’s rare that an organization has an endless pool of funds to invest in cybersecurity, so it’s imperative that funds invested in cyber risk mitigation deliver the greatest risk reduction for the lowest cost. There are multiple paths to promoting cyber hygiene, and each risk should be analyzed on a case-by-case basis. Whether the decision is to reduce exposure or invest in additional mitigation efforts (people, processes, or technology), achieving and maintaining a level of cyber hygiene that is congruent with your organization’s risk tolerance must be a collaborative committee endeavor.
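To put numbers behind the Controls Evaluation, Risk Decisions and cost-benefit steps above, here is an added worked example (not code from the original article or from its author): a small quantitative risk register in Python. Each exposure carries the figures the committee is asked to bring (annual likelihood, revenue lost during recovery, long-lasting effects); expected annual loss above the tolerance marks an exposure as a hazard, and the four decisions are compared on one axis, annual cost in currency units. The exposures, mitigations, policy terms and tolerance are constructed for illustration and are not from any real organization; the `Exposure`, `Mitigation`, `Transfer`, `recommend` and `run_register` names are this example’s own.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Exposure:
    """One revenue-impacting exposure as the CFO, CISO and Risk Manager describe it."""
    name: str
    annual_probability: float      # chance the disruptive event occurs in a given year
    recovery_revenue_loss: float   # revenue lost during the recovery period
    long_term_loss: float          # lasting effects: churn, regulatory, reputational

    def impact(self) -> float:
        return self.recovery_revenue_loss + self.long_term_loss

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.impact()


@dataclass(frozen=True)
class Mitigation:
    """A proposed control improvement (people, process or technology)."""
    name: str
    annual_cost: float             # yearly cost of running the mitigation
    probability_factor: float      # multiplies event probability (0.5 halves it)
    impact_factor: float           # multiplies impact (0.4 = faster, cheaper recovery)

    def residual(self, e: Exposure) -> Exposure:
        return Exposure(e.name,
                        e.annual_probability * self.probability_factor,
                        e.recovery_revenue_loss * self.impact_factor,
                        e.long_term_loss * self.impact_factor)


@dataclass(frozen=True)
class Transfer:
    """An insurance-style transfer: premium, retention (deductible) and limit."""
    name: str
    annual_premium: float
    retention: float
    limit: float

    def retained_expected_loss(self, e: Exposure) -> float:
        # The organization keeps the retention plus anything above the limit.
        covered = max(0.0, min(e.impact(), self.limit) - self.retention)
        return e.annual_probability * (e.impact() - covered)


def is_hazard(e: Exposure, tolerance: float) -> bool:
    """An exposure whose expected annual loss exceeds risk tolerance is a hazard."""
    return e.expected_annual_loss() > tolerance


def recommend(e: Exposure, tolerance: float,
              mitigations: List[Mitigation], transfers: List[Transfer]) -> Dict:
    """Pick the cheapest of accept / mitigate / transfer that keeps the exposure
    within tolerance; when nothing does, the remaining option is to avoid."""
    if not is_hazard(e, tolerance):
        return {"exposure": e.name, "decision": "accept", "option": None,
                "annual_cost": e.expected_annual_loss()}
    options = []
    for m in mitigations:
        residual = m.residual(e).expected_annual_loss()
        if residual <= tolerance:
            options.append(("mitigate", m.name, residual + m.annual_cost))
    for t in transfers:
        retained = t.retained_expected_loss(e)
        if retained <= tolerance:
            options.append(("transfer", t.name, retained + t.annual_premium))
    if not options:
        return {"exposure": e.name, "decision": "avoid", "option": None,
                "annual_cost": None}
    decision, option, cost = min(options, key=lambda o: o[2])
    return {"exposure": e.name, "decision": decision, "option": option,
            "annual_cost": cost}


# Constructed sample register (illustrative figures, not from any real organization).
TOLERANCE = 250_000.0   # largest expected annual loss the committee accepts per exposure
CYBER_POLICY = Transfer("Cyber policy (250k retention, 2M limit)", 150_000, 250_000, 2_000_000)
REGISTER = [
    (Exposure("Order-processing platform outage", 0.20, 1_500_000, 500_000),
     [Mitigation("Warm standby + tested recovery plan", 100_000, 0.5, 0.4)], [CYBER_POLICY]),
    (Exposure("Customer data breach", 0.10, 800_000, 3_200_000),
     [Mitigation("MFA + EDR rollout", 90_000, 0.7, 1.0)], [CYBER_POLICY]),
    (Exposure("Marketing site defacement", 0.30, 50_000, 100_000), [], [CYBER_POLICY]),
    (Exposure("Legacy payment gateway", 0.50, 2_000_000, 1_000_000), [], [CYBER_POLICY]),
]


def run_register(tolerance: float = TOLERANCE) -> List[Dict]:
    """Rank exposures by expected annual loss and attach a risk decision to each."""
    ranked = sorted(REGISTER, key=lambda row: row[0].expected_annual_loss(), reverse=True)
    return [recommend(e, tolerance, ms, ts) for e, ms, ts in ranked]


if __name__ == "__main__":
    for row in run_register():
        print(f"{row['exposure']:<36} {row['decision']:<9} "
              f"{row['option'] or '-':<40} {row['annual_cost'] or '-'}")
```

On the sample figures the outage is cheapest to mitigate (the standby plan brings residual loss plus run cost to 180,000 against 200,000 for insuring it), the breach is transferred because the only proposed control leaves it above tolerance on its own, the defacement is accepted as-is, and the legacy gateway has no option that fits within tolerance, which is the “avoid” conversation the committee has to have. A mitigation that does not reach tolerance alone is dropped here; in practice the committee would also price combinations of mitigation and transfer.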

Accountable Risk Transfer

Cyber insurance is a commonly deployed and widely accessible form of risk transfer. The committee may decide insurance is the appropriate risk management strategy to cover either a portion or the entirety of their operations. It’s important for the committee to understand the specific risks that need to be transferred to third parties to keep the organization adequately protected should an incident occur. This is especially true of organizations that have undergone significant operational changes including M&A activities, geographic expansions, or rapid growth/contraction.

Questions the committee should ask themselves:

  • Does the insurance policy adequately cover the organization’s most critical risks?
  • Will the insurance company meaningfully recognize any improvements we make to our risk posture?
  • What happens to our insurance policy if our operations change during the policy period?
  • Does the insurance company have any resources to assist our organization’s cyber risk management efforts beyond risk transfer?

A cyber resilience meeting needs to be collaborative with each stakeholder (finance, security, and risk management) bringing their unique viewpoints and motivations to the table in a supportive manner. This holistic approach to risk analysis and mitigation sets the foundation for the organization to pursue cyber resilience effectively for the long term.
