Author Marc Barrachin,  Managing Director, Product Research and Innovation at S&P Global Market Intelligence

Cyber risk the risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems is systemic and immediate. The World Economic Forum1 says the vulnerability of critical technological infrastructure is a growing national security concern, and ranks massive data fraud as the number four global risk by likelihood over a 10-year horizon, with cyber-attacks being number five. Yet, this important business challenge is hard to quantify, making it difficult to assess the financial impact of a potential breach and the investment an organization should make to protect its infrastructure.

Exposure to cyber risk continues to build throughout the system, as companies deploy more products without appropriate cyber risk practices in place. For companies big and small, there needs to be a proper understanding of the potential threats to adequately inform stakeholders.

Only when operational cyber risk data is translated into financial risk scenarios will investors and other market participants have the means to compare cyber risk in a standard and informed way within and across companies and, ultimately, foster more secure and responsible innovation.

The problem is that there is a lack of standards, metrics, and processes for cyber risk that can create a common language to be used by business executives, Chief Information Security Officers (CISOs), policymakers, and regulators to put everyone on the same page. This is due to a number of factors:

  • Some of the necessary data is highly proprietary, and many companies are reluctant to share information about their technology and processes externally. Rather than helping to tighten security, this sharing could actually increase exposure if the data is not properly protected.
  • While regulators and policymakers in some states require information on cyber-attacks to be reported, this information is often not disclosed publicly or, if disclosed, it contains little usable data.
  • Many mid-sized companies do not have CISOs who can translate ‘technology speak’ into ‘business speak’ and, instead, rely on technology generalists who may struggle to thoroughly explain cyber risks and security to their business leaders. These companies often don’t recognize the need for a CISO until there is a breach of information.

Let’s look at a few relevant personas and observe how finding solutions to cyber risk without a common language can be problematic:

  • Management/Board of directors: You have ultimate accountability for the company and need to decide where and how to deploy your limited resources. But, most of the conversations you have with your CISO or Chief Technology Officer (CTO) are technical in nature, and you may not fully understand the subject matter. You can’t always quantify the benefits of spending a money on specific hardware/software/people to bolster your cyber security.
  • Risk managers: You are used to dealing with data and models and can measure, quantify, and stress test liquidity, credit exposure, and market risks. While you live in statistical probabilities, one day your purview extends to managing cyber and broader technology risks. You may not understand the language being used, and don’t have the models needed to help quantify the impact of cyber risk on operational, legal, and reputational risk.
  • Regulators/Policymakers: You have to take cyber risk into consideration, both for your decision-making as well as for oversight and protection of industries/companies in your jurisdiction. Cyber security laws need to evolve with the changing times, while being mindful of implementation and infrastructure costs that may make compliance difficult.
  • Cyber security vendors: You may be part of a broad group of companies that offer products that fall under the cyber security umbrella. Given the diversity of firms in this category, you may use highly-specialized jargon and examples that are difficult for others to fully understand.
  • CISO: You are responsible for your company’s cyber security policies, implementation, and monitoring. You are an expert and understand technical jargon, can sift through noise, and are part of a community of cyber risk experts. But, sometimes it’s not easy to explain to your management why policies need to change and the costs and benefits of deploying new technology. You have to balance the complex technical details with an easy-to-understand business case.

These examples point out some of the challenges that exist and the potential gaps in the cyber security/risk dialogue among important stakeholders. So, what steps can be taken to help address these challenges?

There are macro steps that can be considered:

  • The debate should be escalated to a broader societal challenge. For example, it could be said that great progress had been made in getting climate change on the agenda as a societal risk that needs to be addressed. The same needs to be done with cyber risk to create a broad understanding of how cyber-attacks can negatively impact individuals, governments, and businesses.
  • Developing a common language needs to go hand-in-hand with defining a view of successful cyber security management and being more open to responsible information sharing. Policymakers should establish parameters for information transparency versus protection, and become more comfortable themselves with sharing data that can benefit companies as they try to tighten their security measures.
  • Private sector cyber risk solutions and data companies can also help, such as those that collect public data and assess cyber exposure using common frameworks. This is a nascent industry and there is a need for companies to combine outside-in data collection with the ability to get an inside perspective to take their cyber security to the next level.

As stated earlier, operational cyber risk data needs to be translated into financial risk scenarios to help companies make appropriate investment decisions. This calls for a fact-based approach that leverages sound data and modelling to create a common ground for stakeholders.

Source: S&P Global