It's impossible to escape the barrage of news about cyber attacks. At the enterprise level, we also observe varying degrees of insight into how to understand and manage the risk.
Boards of directors are turning attention from understanding the risk to understanding management's readiness to deal with the risk. That translates into questions such as, "Do we understand the risk well enough to prevent, mitigate and recover from a large-scale cyber event?"
Common sense risk analysis
Risk analysis starts with awareness of the risks an organization faces. The better an organization understands the risks it's dealing with, the more robust its risk analysis and risk-based decision making will be.
Some common suggestions for improving risk awareness include the following:
- Harvest the risk information you already have, whether through formal risk assessment activities already underway, through your enterprise risk management program, or through review of insightful information within business units.
- Address gaps in risk information and insight. Find ways to engage in risk conversations with colleagues who "see" and understand the risk; follow up with stakeholders who either influence or pay for the results of a risk event.
- Get help from external advisors. This is especially true for a dynamic risk like cyber, where both the profile of the risk and the range of potential risk mitigation options continue to evolve.
Qualitative, quantitative assessment
Risk analysis should incorporate both qualitative and quantitative assessment of risk by applying appropriate tools in each situation. In the cyber risk space, analysis should incorporate technical assessment of the organization's existing cyber security posture, thereby identifying major gaps and areas for improvement.
By applying risk science to the age-old questions of "how likely" and "how big," enterprise risk managers gain further insight into the organization's areas of vulnerability. And while risk quantification is often seen as the "Holy Grail" of risk assessment, it's important to consider qualitative aspects:
- Do we tend to discuss risk well? What are the embedded risks that we don't like to talk about or we feel we're "stuck with" and need to accept?
- Do we understand the business impacts of the risk — including operational disruptions, implications for control and compliance, cross-functional risk, financial and reputational impacts? How could a cyber event affect our credibility with customers, suppliers and other stakeholders? Is cyber risk a D&O risk?
- How do the strategic decisions we make today affect our vulnerability to future cyber risk? What level of risk are we living with today or accepting for tomorrow by virtue of the decisions we make regarding our operations, acquisitions and partnerships?
The outcome of risk analysis should include a keener understanding of the organization's risk resilience — how ready are we to prevent, uncover, mitigate and recover from a cyber risk event?
Enterprise-level understanding
Although insurance plays a critical role in protecting an organization's balance sheet from a cyber event, appropriate attention to both understanding and mitigating cyber risk is valuable at the enterprise level because it increases the entire organization's readiness to deal with the risk at all levels. As with any other risk, the time and effort spent to analyze vulnerabilities and prioritize resources helps organizations maximize the value of their risk management investment. And as an added benefit, this work will help the insurance buyer determine appropriate limits, retentions and coverage options, and it will enhance the insurance broker's ability to get the job done in the market.
Common sense risk mitigation
The process of understanding areas of cyber-related vulnerability across the enterprise, determining the best risk mitigation options, and executing the risk mitigation plan is the same for cyber risk as for any other risk. Benchmarking "best practices" in cyber mitigation, getting external advice and clean sheet exercises can help. The following are some areas for additional consideration:
- Contractual reviews. What duties and obligations have we accepted through commercial arrangements with customers, suppliers and other third parties?
- Business process reviews. What risks do we assume every day based on the way we conduct our business, and are there areas in which process change could provide a win/win for the business as well as for our cyber-risk exposure?
- Where should we spend time, money, and effort to improve?
- Risk transfer. What is the best insurance strategy that results in comprehensive, current coverages at a reasonable cost? How do we differentiate ourselves in the market?
- Continuous improvement. How do we stay ahead of the risk while enabling our business to thrive?
- Organizational barriers to success. How do we deal with aspects of the plan that cross organizational silos? How do we address different levels of understanding of the risk, the need for resources to address the risk, and the need for collaboration between technical and non-technical colleagues? How do we break down company-specific barriers to collaboration, including reliance on embedded processes and practices?
By building capability in cyber risk analysis, mitigation planning and execution, and risk monitoring, you will help improve resiliency for today while enabling your organization for future success.
Laurie Champion is managing director and strategic account manager for Aon Risk Solutions. She can be reached at [email protected].
The opinions expressed here are the writer's own.