Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Setting a Cyber Resilience Meeting Agenda

Navigating digital opportunity and loss while under duress

by Travis Wong

Achieving effective Cyber Resilience is a continuous process that requires collaboration across an entire organization in order to adequately assess, measure, and manage cyber-related operational risks. To achieve Cyber Resilience, the alignment of three key parties is essential: the CFO, CISO, and Risk Manager (referred to as the “committee” throughout this article). 

The CFO’s concern is capital allocation and optimizing return on investment. The CISO’s focus is preventing and mitigating technology-based operational disruption. The Risk Manager’s role is to understand the organization’s risks and develop an action plan for them, which includes making decisions around risk acceptance, avoidance, transfer, or mitigation. With three distinct disciplines and viewpoints coming together in pursuit of the common goal of Cyber Resilience, it’s important to create a meeting foundation that answers the question “what’s in it for me?” for each individual as well as for the greater organization.

Advanced Cybersecurity Visibility

The first and most important step to effective Cyber Resilience collaboration is to ensure everyone is operating from a common understanding of the problems being addressed and why those problems are important. The group can then collectively identify their operational exposures, evaluate their effectiveness at managing those exposures, target inadequately controlled exposures (deemed hazards), and pursue a risk decision.

Exposure Identification

The most common way of identifying and prioritizing exposures is by impact to revenue generation. The CFO should come to the table with a list of critical business functions and processes that impact revenue. The CISO should be able to match technology enablement against those revenue-generating functions. The Risk Manager should document these risks, have an understanding of risks beyond business disruption (e.g. reputational risk), and be able to discuss both first- and third-party risks to critical business functions.

Controls Evaluation

For each of the financial impact exposures identified, the committee should evaluate how those exposures are controlled and the effectiveness of those controls. The financial consequences of the events should be detailed, including the cost of the controls implementation process, revenue reduction during the recovery period, and any long-lasting effects that could result from an incident. The goal of this phase is to understand the real-world financial ramifications associated with each possible loss exposure. That sets the stage for risk analysis and decision making. It is important to highlight any exposures that are inadequately controlled relative to the organization’s risk tolerance. These should be labeled as hazards and prioritized for risk decisions.

Risk Decisions

Now that exposures and controls have been identified and assessed, risk decision strategies can be implemented based on the organization’s risk tolerance for each exposure. The key risk-based decisions to be made are:

  • whether to accept the risk as-is and take no other actions, 
  • avoid the risk altogether by ceasing operations or transitioning to alternative operations, 
  • transfer the risk through insurance, contract indemnification clauses, risk pooling strategies, etc., or, 
  • mitigate the risk by finding ways to reduce the exposure or improve the effectiveness of the controls. 

The committee will need to collaboratively decide which risk decision is appropriate for each exposure, factoring in ease of implementation, the cost associated with the decision, and the impact of the decision on organizational risk.

Questions to generate discussion:

  • What are our critical operations and what are the potential causes of disruption?
  • For each cause of disruption, what are the mitigation plans in place?
  • What do we project revenue losses to be during the disruption and recovery phases?
  • Are the projected losses acceptable to the organization?
  • What do we need to do to bring losses to an acceptable level?

Actionable Cyber Hygiene

If the committee chooses risk mitigation as the path forward, it’s important that a common organizational lexicon is used to justify risk mitigation expense decisions. This lexicon is dollars and cents. Determining the best course of action to mitigate risk should involve in-depth cost-benefit analysis. It’s rare that an organization has an endless pool of funds to invest in cybersecurity. Therefore, it’s imperative that funds invested in cyber risk mitigation efforts are maximized to have the greatest risk reduction impact for the lowest cost. There are multiple paths to promoting cyber hygiene, and each risk should be analyzed on a case-by-case basis. Whether the decision is to reduce exposure or invest in additional mitigation efforts (people, processes, or technology), achieving and maintaining a level of cyber hygiene that is congruent with your organization’s risk tolerance must be a collaborative committee endeavor.
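As an added example that is not part of the original article, the following Python sketch turns the exposure identification, controls evaluation and risk decision steps above into a small cost-benefit model the committee could put on the agenda: each exposure gets an annual expected loss from its incident frequency and per-incident consequences (recovery-period revenue loss plus long-lasting effects), exposures above the risk tolerance are flagged as hazards, and for each hazard the cheapest decision (spend plus residual expected loss) that brings the residual within tolerance is recommended. All figures (frequencies, recovery times, daily revenue, control costs, premium, coverage, tolerance) are constructed sample values, and the simplifications (one tolerance for every exposure, avoidance priced as a year of the function’s revenue, insurance modelled as a flat covered fraction) are assumptions of this example, not the article’s method.

```python
"""Cost-benefit model for a cyber resilience committee agenda.

Added example, not from the original article. Every number below is a
constructed sample value; the decision rules are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str               # critical business function identified by the CFO
    annual_frequency: float  # expected disruptive incidents per year under current controls
    recovery_days: float     # expected outage length per incident
    daily_revenue: float     # revenue the function generates per day
    lasting_effects: float   # long-lasting loss per incident (churn, regulatory, reputation)

    def loss_per_incident(self) -> float:
        # Revenue reduction during recovery plus long-lasting effects.
        return self.recovery_days * self.daily_revenue + self.lasting_effects

    def annual_expected_loss(self) -> float:
        return self.annual_frequency * self.loss_per_incident()


@dataclass(frozen=True)
class Mitigation:
    exposure: str
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0  # fraction of incidents the control prevents
    recovery_reduction: float = 0.0   # fraction of recovery time the control removes


@dataclass(frozen=True)
class Transfer:
    exposure: str
    annual_premium: float
    covered_fraction: float  # assumption: insurance pays this share of the loss


def residual_loss(exp: Exposure, m: Mitigation) -> float:
    """Annual expected loss that remains after applying one mitigation."""
    freq = exp.annual_frequency * (1.0 - m.frequency_reduction)
    days = exp.recovery_days * (1.0 - m.recovery_reduction)
    return freq * (days * exp.daily_revenue + exp.lasting_effects)


def options_for(exp, mitigations, transfers):
    """Map each risk decision to (annual_spend, residual_expected_loss)."""
    ael = exp.annual_expected_loss()
    opts = {"accept": (0.0, ael)}
    for m in mitigations:
        if m.exposure == exp.name:
            opts[f"mitigate: {m.name}"] = (m.annual_cost, residual_loss(exp, m))
    for t in transfers:
        if t.exposure == exp.name:
            opts["transfer: insurance"] = (t.annual_premium, ael * (1.0 - t.covered_fraction))
    # Assumption: avoiding the exposure means ceasing the function, so the
    # "spend" is a year of its revenue and the residual loss is zero.
    opts["avoid"] = (exp.daily_revenue * 365, 0.0)
    return opts


def decide(exp, mitigations, transfers, tolerance):
    """Return (is_hazard, decision, total_annual_cost) for one exposure."""
    ael = exp.annual_expected_loss()
    if ael <= tolerance:
        return False, "accept", ael  # adequately controlled: accept as-is
    opts = options_for(exp, mitigations, transfers)
    # Hazard: pick the cheapest option whose residual loss is within tolerance.
    within = {k: v for k, v in opts.items() if v[1] <= tolerance}
    best = min(within, key=lambda k: sum(within[k]))
    return True, best, sum(within[best])


def build_agenda(exposures, mitigations, transfers, tolerance):
    """Rows of (name, expected_loss, is_hazard, decision, total_cost), highest loss first."""
    rows = []
    for exp in sorted(exposures, key=lambda e: e.annual_expected_loss(), reverse=True):
        hazard, decision, total = decide(exp, mitigations, transfers, tolerance)
        rows.append((exp.name, exp.annual_expected_loss(), hazard, decision, total))
    return rows


# Constructed sample data (not real figures).
RISK_TOLERANCE = 150_000.0  # maximum acceptable annual expected loss per exposure
EXPOSURES = [
    Exposure("order processing", 0.5, 3.0, 200_000.0, 100_000.0),
    Exposure("customer portal", 2.0, 1.0, 50_000.0, 20_000.0),
    Exposure("payroll provider", 1.0, 5.0, 40_000.0, 60_000.0),  # third-party dependency
]
MITIGATIONS = [
    Mitigation("order processing", "offline backups + tested restore", 60_000.0, recovery_reduction=0.6),
    Mitigation("order processing", "MFA + EDR", 90_000.0, frequency_reduction=0.6),
    Mitigation("payroll provider", "secondary provider + SLA", 40_000.0, recovery_reduction=0.5),
]
TRANSFERS = [
    Transfer("order processing", 80_000.0, 0.5),
    Transfer("payroll provider", 30_000.0, 0.6),
]

if __name__ == "__main__":
    for name, ael, hazard, decision, total in build_agenda(EXPOSURES, MITIGATIONS, TRANSFERS, RISK_TOLERANCE):
        flag = "HAZARD" if hazard else "ok"
        print(f"{name:18} expected loss {ael:>12,.0f}  {flag:6}  -> {decision} (total {total:,.0f}/yr)")
```

With these sample values the agenda ranks order processing first (a hazard whose cheapest in-tolerance option is the MFA + EDR control), recommends insurance for the payroll provider (its only mitigation leaves the residual above tolerance), and accepts the customer portal as-is. The point for the committee is the shared unit: every decision, including doing nothing, is expressed as dollars of annual spend plus dollars of residual expected loss.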

Accountable Risk Transfer

Cyber insurance is a commonly deployed and widely accessible form of risk transfer. The committee may decide insurance is the appropriate risk management strategy to cover either a portion or the entirety of their operations. It’s important for the committee to understand the specific risks that need to be transferred to third parties to keep the organization adequately protected should an incident occur. This is especially true of organizations that have undergone significant operational changes, including M&A activities, geographic expansions, or rapid growth/contraction.

Questions the committee should ask themselves:

  • Does the insurance policy adequately cover the organization’s most critical risks?
  • Will the insurance company meaningfully recognize any improvements I make to my risk posture?
  • What happens to my insurance policy if my operations change throughout the policy period?
  • Does the insurance company have any resources to assist my organization’s cyber risk management efforts beyond risk transfer? 

A cyber resilience meeting needs to be collaborative with each stakeholder (finance, security, and risk management) bringing their unique viewpoints and motivations to the table in a supportive manner. This holistic approach to risk analysis and mitigation sets the foundation for the organization to pursue cyber resilience effectively for the long term.
