Dr Marie-Gemma Dequae
No risk manager can be unaware of cyber risks, but a much more difficult issue is how to put some numbers on the exposure for the specific company. This is a question that risk committees and boards are increasingly likely to ask. Their concern is growing, as FERMA’s work with Zurich Insurance and Harvard Business Review shows.
Quantifying the exposures is still at a very early stage: little data is currently available, and the risks are evolving rapidly. Risk managers can, however, begin to communicate to their companies a reasoned approach to managing the risks by combining scenario and quantitative analysis, collaborating with colleagues and using expert advice.
The cost implications of some cyber risks are comparatively predictable, such as customer notifications and call centre expenses for data breaches. Much more difficult to quantify are open-ended business exposures from an attack that deliberately targets the operations of the business, such as loss of confidential information or intellectual property.
Under pressure from regulators and a sense of common purpose, companies are beginning to be more open about cyber attacks, but the figures quoted still tend to be very broad. Most estimates are based on US cases or have a very wide margin of error.
Overcoming the information limits
The first step in overcoming these limitations is for the risk manager to collaborate with colleagues in the business and with other risk managers to develop scenarios that are truly representative of the company’s operations.
They can also draw on information that is widely available, including highly publicised examples where the companies involved have disclosed the financial impact of cyber incidents. Such external examples are also useful in engaging board interest.
Combining this scenario analysis with suitable quantitative analytical tools can then produce estimates of a probable loss distribution from a wide range of possible events.
Ideally, the risk manager will also be able to change various assumptions to see how the risk profile is affected, and stress-test the results without having to rerun the whole model.
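As an added illustration of the approach described above (not part of the original article and not a FERMA model), the following Python sketch turns two constructed scenarios into a probable annual loss distribution by Monte Carlo simulation, and re-prices a changed assumption from the cached draws rather than re-running the whole model. All frequencies and cost figures are placeholder assumptions chosen for the example.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    annual_rate: float      # expected events per year (Poisson frequency); assumed value
    severity_median: float  # typical cost of one event in EUR; assumed value
    severity_sigma: float   # lognormal spread: small = predictable, large = open-ended

# Constructed placeholder scenarios, not figures from the article or from FERMA.
SCENARIOS = [
    Scenario("data breach: notification and call centre", 0.5, 200_000, 0.3),
    Scenario("targeted attack: operations / IP loss", 0.05, 5_000_000, 1.2),
]

def poisson(rng, lam):
    """Knuth's method: number of events in one year for a given annual rate."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenarios=SCENARIOS, years=20_000, seed=1):
    """Monte Carlo run: per simulated year, the list of (scenario index, loss) events.
    Raw draws are kept so stress tests can be re-priced without re-running."""
    rng = random.Random(seed)
    draws = []
    for _ in range(years):
        year = []
        for i, s in enumerate(scenarios):
            for _ in range(poisson(rng, s.annual_rate)):
                year.append((i, rng.lognormvariate(math.log(s.severity_median), s.severity_sigma)))
        draws.append(year)
    return draws

def aggregate(draws, severity_scale=None):
    """Annual aggregate loss per simulated year. severity_scale maps a scenario index
    to a multiplier ({1: 2.0} doubles targeted-attack costs, {1: 0} removes them)."""
    scale = severity_scale or {}
    return [sum(loss * scale.get(i, 1.0) for i, loss in year) for year in draws]

def summarise(losses):
    """Mean and tail percentiles of the loss distribution, for board reporting."""
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": sum(s) / len(s), "p95": pct(0.95), "p99": pct(0.99)}
```

Calling `summarise(aggregate(simulate()))` gives the base case, and `summarise(aggregate(draws, {1: 2.0}))` on the same draws shows how the tail moves if the open-ended scenario is twice as costly as assumed.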
By working in this way, I believe that businesses can avoid over-reacting to generalised scare stories about cyber risks but acknowledge the true dangers and bring them under a proper risk management approach.
“Cyber risks – not just a domain for the CIO – but an enterprise-wide risk” is the subject of a workshop at the FERMA Forum 2013, which takes place from 29 September to 2 October in Maastricht. For more information, see www.ferma-forum.eu
Marie Gemma Dequae is scientific advisor to FERMA. She is a board member of Belfius Bank and Belfius Insurance in Belgium. She received her PhD in applied economics from the Catholic University of Leuven.