Quantifying the financial impact of a cyber-attack is an effective way to drive strategic decision-making around cyber-risk mitigation strategies. Here’s how to do it.
The WannaCry ransomware attack of May 2017 was one of the highest-profile cyber-attacks to date. It infected at least 300,000 computers in over 150 countries, severely disrupting many businesses, including household names such as Hitachi, Honda and O2.
A second global attack, dubbed Petya (and later NotPetya, once it became clear it was not simply a variant of the earlier Petya ransomware), followed a little under a month later. It infamously disrupted government systems in Kiev, and disabled operations at companies including Rosneft, WPP and Maersk.
The economic impact of these attacks on the affected businesses has been substantial. American news service CBS, for instance, reported that the losses from the WannaCry attack could reach US$4bn. Maersk has recently announced that the Petya attack caused up to US$300m in lost revenues.
The economic consequences of a cyber-attack are now all too clear to the companies hit by WannaCry and Petya. However, most businesses are unaware of the full impact a cyber-incident can have on their balance sheet. This was a key finding of a recent study by the Ponemon Institute, which also found that companies typically become seriously concerned about cyber-security only after they have suffered a breach.
Why should you quantify the risk?
Increasing awareness of the impact a cyber-attack can have on the balance sheet, and quantifying cyber-risk, should be a first line of defence, according to a recent webinar by risk management services firm Aon.
In the presentation, Adam Peckman, Global Practice Leader, Cyber Risk Consulting at Aon explained that quantifying cyber-risk gives decision-makers actionable data to work with, allowing them to calculate the return on any security investment just as they would any other investment. This can help focus the mind and facilitate more informed decision-making around the value of different risk mitigation strategies.
Quantifying cyber-risk can also help a business better understand this risk within its overall enterprise risk management framework. Most importantly for Peckman, it allows risk managers to ascertain whether they are comfortable holding these exposures on the balance sheet, or whether the risks should be transferred off the balance sheet using insurance products, for instance.
Finally, quantifying cyber-risk can also help with the company’s response to a cyber-incident. Peckman states that this is not always an obvious application. He explains that having a better understanding of the impact an incident will have on the balance sheet enables businesses to better prepare their insurance claim.
Building a quantitative approach
Quantifying cyber-risk is not an easy exercise though. Peckman notes that the sheer scope and scale of cyber-risks that businesses face means that no one department can do this. He stresses that a multifunctional team of experts from across the business must be formed to lead the project.
This team should use its holistic view of the company to identify the critical assets that the business has. These assets will vary from business to business. A cloud service provider, for instance, may regard its servers and network infrastructure as its most valuable assets, whereas an eCommerce marketplace might regard its customers’ data and its digital storefront as the assets that matter most.
Once the critical assets are defined, Peckman says the team’s next job is to build a profile of the credible cyber-threats these assets might face based on current security, privacy and operational controls. This includes understanding the ‘bad actors’ who might target the company (such as nation states, hacktivists and insiders) and their potential entry points into the business (malware, hacking and misuse for example).
With knowledge of the critical assets, the actors who might wish to attack the company, and how they might do so, the next stage is to conduct scenario analysis. This can be used to map the impact of cyber events on the business. With this analysis, the first-party financial losses (those direct costs absorbed by the business) and the third-party costs (caused by damage to clients and customers) can be predicted, enabling the business to start putting in place risk-mitigation strategies.
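The webinar does not prescribe a particular model for the scenario analysis, and neither does this article. As an added illustration (not Aon's method and not code from Treasury Today), the Python below shows one common way to turn the steps above into numbers: each credible scenario against a critical asset gets an annual event frequency and separate first-party and third-party cost distributions, a Monte Carlo run produces the expected annual loss and a 1-in-20-year loss to compare against the risk appetite (the retain-or-transfer question from earlier), and a small helper computes the return on a control that reduces a scenario's frequency (the investment comparison Peckman describes). The scenario names, frequencies, cost figures, risk appetite and control cost are all constructed for the example and are not real loss data.

```python
"""Added example: a scenario-based cyber-loss model (Monte Carlo).

Not Aon's or Treasury Today's model. The scenarios, frequencies, cost
figures and control assumptions below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One credible threat scenario against a critical asset."""
    name: str
    annual_frequency: float    # expected events per year (Poisson rate)
    first_party_median: float  # direct cost absorbed by the business
    third_party_median: float  # damage to clients/customers (claims, credits)
    sigma: float = 0.8         # log-normal spread of the cost per event


# Constructed sample scenarios (figures are illustrative, not real losses).
SCENARIOS = (
    Scenario("ransomware outage of order-processing", 0.3, 2_000_000, 500_000),
    Scenario("customer data breach", 0.1, 1_000_000, 3_000_000),
    Scenario("insider misuse of payment system", 0.5, 150_000, 50_000),
)


def expected_annual_loss(scenarios):
    """Analytic expected loss per year, split first-party / third-party.

    The mean of a log-normal with median m and spread sigma is m*exp(sigma^2/2).
    """
    fp = tp = 0.0
    for s in scenarios:
        mean_factor = math.exp(s.sigma ** 2 / 2)
        fp += s.annual_frequency * s.first_party_median * mean_factor
        tp += s.annual_frequency * s.third_party_median * mean_factor
    return fp, tp


def _poisson(lam, rng):
    """Knuth's Poisson sampler (the random module has no Poisson draw)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenarios, years=20_000, seed=1):
    """Monte Carlo over `years` simulated years; returns loss statistics."""
    rng = random.Random(seed)
    totals, fps, tps = [], [], []
    for _ in range(years):
        fp = tp = 0.0
        for s in scenarios:
            for _ in range(_poisson(s.annual_frequency, rng)):
                fp += rng.lognormvariate(math.log(s.first_party_median), s.sigma)
                tp += rng.lognormvariate(math.log(s.third_party_median), s.sigma)
        fps.append(fp)
        tps.append(tp)
        totals.append(fp + tp)
    totals.sort()
    return {
        "mean_total": sum(totals) / years,
        "mean_first_party": sum(fps) / years,
        "mean_third_party": sum(tps) / years,
        # 1-in-20-year loss: the figure to compare with the risk appetite
        "p95_total": totals[int(0.95 * (years - 1))],
    }


def control_roi(scenarios, target, frequency_reduction, annual_cost):
    """ROI of a control that cuts the frequency of scenario `target`.

    ROI = (expected loss avoided - annual cost) / annual cost, using the
    analytic expected loss so that the answer is deterministic.
    """
    before = sum(expected_annual_loss(scenarios))
    adjusted = [
        Scenario(s.name, s.annual_frequency * (1 - frequency_reduction),
                 s.first_party_median, s.third_party_median, s.sigma)
        if s.name == target else s
        for s in scenarios
    ]
    after = sum(expected_annual_loss(adjusted))
    return (before - after - annual_cost) / annual_cost


if __name__ == "__main__":
    fp, tp = expected_annual_loss(SCENARIOS)
    print(f"expected annual loss: first-party {fp:,.0f}, third-party {tp:,.0f}")
    stats = simulate(SCENARIOS)
    print(f"simulated mean {stats['mean_total']:,.0f}, "
          f"1-in-20-year loss {stats['p95_total']:,.0f}")
    appetite = 5_000_000  # assumed retention limit the board is comfortable with
    print("consider transferring to insurance?", stats["p95_total"] > appetite)
    roi = control_roi(SCENARIOS, "ransomware outage of order-processing",
                      0.5, 250_000)
    print(f"ROI of halving ransomware frequency at 250k/yr: {roi:.2f}")
```

The split between first-party and third-party losses is kept all the way through because the two are treated differently by insurers and by the balance sheet; the tail figure rather than the mean is what the retain-or-transfer decision should turn on, since a company can absorb an average year and still be broken by a bad one.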
Strategies for mitigating risk
Treasury Today has widely reported on many of the internal changes that companies can make to mitigate cyber-risk. However, increasingly companies are looking to transfer the risk off the balance sheet using cyber insurance.
Indeed, in the wake of the WannaCry attacks, the FT reported a big increase in demand for cyber insurance products. As cyber-risks continue to grow, it is likely that more companies will consider this approach.
If this is the case, quantifying the financial risk of attack should become part of the treasurer’s arsenal.