Putting numbers to cyber risks

Dr Marie-Gemma Dequae

No risk manager can be unaware of cyber risks, but a much more difficult issue is how to put some numbers on the exposure for the specific company. This is a question that risk committees and boards are increasingly likely to ask. Their concern is growing, as FERMA’s work with Zurich Insurance and Harvard Business Review shows.

Quantifying the exposures is in its very early stages because there is little data currently available, and the risks are evolving so rapidly. Risk managers can, however, begin to communicate to their companies a reasoned approach to managing the risks by combining scenario and quantitative analysis, through collaborating with colleagues and using expert advice.

The cost implications of some cyber risks are comparatively predictable, such as customer notifications and call centre expenses for data breaches. Much more difficult to quantify are open-ended business exposures from an attack that deliberately targets the operations of the business, such as loss of confidential information or intellectual property.

Under pressure from regulators and a sense of common purpose, companies are beginning to be more open about cyber attacks, but the figures quoted still tend to be very broad. Most estimates are based on US cases or have a very wide margin of error.

Overcoming the information limits

The first step in overcoming these limitations is for the risk manager to collaborate with colleagues in the business and with other risk managers to develop scenarios that are truly representative of the company’s operations.

They can also draw on information that is widely available, including highly publicised examples where the companies involved have disclosed the financial impact of cyber incidents. Such external examples are also useful in engaging board interest.

Combining this scenario analysis with suitable quantitative analytical tools can then produce estimates of a probable loss distribution from a wide range of possible events.

Ideally, the risk manager will also be able to examine the effect of changing various assumptions to see how the risk profile would be affected and stress test the results without a need to rerun the whole model.

By working in this way, I believe that businesses can avoid over-reacting to generalised scare stories about cyber risks but acknowledge the true dangers and bring them under a proper risk management approach.

“Cyber risks – not just a domain for the CIO – but an enterprise-wide risk” is the subject of a workshop at the FERMA Forum 2013, which takes place from 29 September to 2 October in Maastricht. For more information, see www.ferma-forum.eu

Marie-Gemma Dequae is scientific advisor to FERMA. She is a board member of Belfius Bank and Belfius Insurance in Belgium. She received her PhD in applied economics from the Catholic University of Leuven.
