Cyber Watch

How to Measure and Manage Cyber Risk: A Quantitative Approach

Conventional methodologies for assessing cyber risk have proven insufficient, so financial institutions must consider alternatives for uncovering their true cyber exposures.

Friday, January 28, 2022

By Christopher Hetner


Over the past year, cyber risk has grown hand-in-hand with the digital transformation of the financial services industry. As cloud computing and distributed transactional capabilities have been embraced as part of the digital shift, we've seen a huge surge in ransomware attacks and other types of cyber crime, which is projected to account for more than $10 trillion in annual global damages by 2025.


But while cyber criminals have evolved, realizing the financial benefits of their creative schemes, traditional approaches to assessing cyber risk have remained fairly static. These qualitative strategies seem too reliant on technical components and do not properly align with business objectives, rendering them unable to account for a firm’s true exposure to cyber threats.

The more a firm understands its cyber exposure, the easier it will be for non-technical personnel across the enterprise to prioritize remediation and to guide risk-transfer decisions that are properly aligned with a firm’s enterprise risk management (ERM) strategy. To ensure that cyber risk is integrated with ERM, it’s wise to adopt an advanced (quantitative) approach that evaluates cyber threats from a financial perspective.

Calls for a More Advanced Approach

All financial services companies today have some level of cyber risk. In its 2021 “Board of Directors Survey,” Gartner Inc. found that directors see cybersecurity as one of the greatest business threats. Moreover, Jerome Powell, the U.S. Federal Reserve Chair, recently described cyberattacks as a “most significant financial stability risk.”

Cyber threats can be better managed through the adoption of a quantitative approach that offers (1) a means to identify and quantify cyber risk in financial terms; (2) a set of options to accept, remediate and transfer cyber risk; and (3) an ability to integrate cyber with all other business risks.

Keeping these requirements in mind, business leaders need to understand how cyber risk impacts operations, revenue and margins. If the consequences are too great, then business leaders must seek remediation and transfer options.

When formulating cyber-resiliency plans, boards should ask management the following questions:

  • “What is our financial exposure to cyber threats?”
  • “What cyber threats are most likely to have a major financial impact on our business?”
  • “How much financial exposure are we willing to accept across our enterprise and digital-supplier ecosystem?”
  • “How can we align our budget, implement controls and optimize risk transfers to address our cyber risk exposure?”
  • “Are our digital initiatives being developed in a cyber-resilient way?”

Developing cyber resiliency in an organization requires proper oversight from the boardroom, based on a clear plan built on economic analysis. In the cyber insurance industry, for example, established and understandable financial exposure analyses are integrated into underwriting standards. The idea is to replace highly-technical cyber discussions with more straightforward, risk-based conversations, enabling board members to understand and more effectively manage their financial exposure to cyber risk.

To be managed within your organization's risk tolerance, cyber risk must be expressed in business, operational and financial terms. If financial exposures from cyber threats are clear, boards and executive management teams will find it easier to align cybersecurity strategies with economic cyber risk metrics.

KRIs and KRRs: Helpful Tools

There is no panacea for cyber crime, which will continue to disrupt and bring uncertainty and instability to the global financial markets. But there are additional tools financial institutions can leverage to mitigate this risk.

To help decide which cyber risks need remediation, and which are within their risk tolerance and budget, many financial services firms now use key risk indicators (KRIs) – metrics that identify the risks that could materially impact the business.

Since they are working with limited budgets, financial institutions also require a way to compare all risks and to prioritize the most critical threats. One tool used for this purpose is the key risk register (KRR) – an enterprise-wide, top-down report that organizes all KRIs into a single view for comparison purposes.
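The quantitative approach the article calls for (exposure in financial terms, then a choice among accept, remediate and transfer) and the KRI/KRR view described above can be illustrated with a small simulation. The following Python is an added example, not code from the article or from GARP: it models each threat scenario as a KRI with an assumed event frequency and loss size, simulates annual losses, ranks the scenarios in a register by expected annual loss and 95th-percentile loss, and compares the expected annual cost of accepting, remediating, or insuring one scenario. Every scenario name, frequency, loss parameter, remediation cost and insurance term is a constructed assumption for the illustration, not a real figure from any institution.

```python
"""Monte Carlo estimate of cyber exposure in financial terms, plus a small
key-risk-register (KRR) view that ranks scenario KRIs and compares the
accept / remediate / transfer options for one of them.

Added illustration, not from the article: scenario names, frequencies,
loss parameters, remediation and insurance terms are constructed assumptions.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A threat scenario expressed as a KRI: how often it happens and what it costs."""
    name: str
    events_per_year: float  # Poisson rate of loss events (assumed)
    median_loss: float      # median single-event loss in USD (assumed)
    sigma: float            # lognormal log-scale spread; larger = heavier tail


def simulate_annual_losses(s: Scenario, trials: int = 20_000, seed: int = 1) -> list[float]:
    """Aggregate loss per simulated year: Poisson event count, lognormal severities."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)
    threshold = math.exp(-s.events_per_year)
    years = []
    for _ in range(trials):
        # Knuth's Poisson sampler (the stdlib has no poissonvariate).
        count, p = 0, rng.random()
        while p > threshold:
            count += 1
            p *= rng.random()
        years.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(count)))
    return years


def expected_loss(losses: list[float]) -> float:
    return sum(losses) / len(losses)


def value_at_risk(losses: list[float], quantile: float = 0.95) -> float:
    """Annual loss not exceeded in `quantile` of simulated years (a tail KRI)."""
    ordered = sorted(losses)
    return ordered[min(int(quantile * len(ordered)), len(ordered) - 1)]


def analytic_expected_loss(s: Scenario) -> float:
    """Closed form for the same compound model; a sanity check on the simulation."""
    return s.events_per_year * s.median_loss * math.exp(s.sigma ** 2 / 2)


def risk_register(scenarios: list[Scenario], trials: int = 20_000, seed: int = 1) -> list[dict]:
    """KRR: one row per KRI, ranked by expected annual loss so that exposures
    can be compared on a single financial scale."""
    rows = []
    for i, s in enumerate(scenarios):
        losses = simulate_annual_losses(s, trials, seed + i)
        rows.append({"name": s.name, "expected_loss": expected_loss(losses),
                     "var_95": value_at_risk(losses)})
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


def retained_after_insurance(loss: float, deductible: float, limit: float) -> float:
    """Aggregate cover, simplified: the insurer pays the slice above the deductible
    up to `limit`; the deductible and anything beyond the limit stay with the firm."""
    paid = min(max(loss - deductible, 0.0), limit)
    return loss - paid


def compare_options(s: Scenario, *, remediation_cost: float, frequency_reduction: float,
                    premium: float, deductible: float, limit: float,
                    trials: int = 20_000, seed: int = 1) -> dict:
    """Expected annual cost of accepting, remediating, or transferring one KRI."""
    gross = simulate_annual_losses(s, trials, seed)
    cheaper = replace(s, events_per_year=s.events_per_year * (1 - frequency_reduction))
    remediated = simulate_annual_losses(cheaper, trials, seed)
    retained = [retained_after_insurance(x, deductible, limit) for x in gross]
    return {
        "accept": expected_loss(gross),
        "remediate": remediation_cost + expected_loss(remediated),
        "transfer": premium + expected_loss(retained),
    }


# Constructed scenarios (assumed parameters, for illustration only).
SCENARIOS = [
    Scenario("Ransomware on core banking platform", 0.5, 2_000_000, 1.2),
    Scenario("Business email compromise / payment fraud", 6.0, 40_000, 0.8),
    Scenario("Critical vendor outage", 0.2, 500_000, 1.0),
]

if __name__ == "__main__":
    for row in risk_register(SCENARIOS):
        print(f"{row['name']:<45} EAL ${row['expected_loss']:>12,.0f}  95th pct ${row['var_95']:>12,.0f}")
    # Assumed terms: a control cutting ransomware frequency in half for $400k/yr,
    # versus a $600k premium for $5M of cover above a $250k deductible.
    print(compare_options(SCENARIOS[0], remediation_cost=400_000, frequency_reduction=0.5,
                          premium=600_000, deductible=250_000, limit=5_000_000))
```

The register answers the board's first two questions in the article's terms (what is our exposure, and which threats drive it), and the option comparison is the input to the fourth (budget, controls and risk transfer). The aggregate-deductible insurance model and the frequency-only remediation effect are deliberate simplifications; a real analysis would also model per-event deductibles, severity reductions and correlated scenarios.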

In alignment with ERM efforts, financial institutions must consider their financial exposure to cyber risk as part of their digital transformation strategies. These strategies must not only keep pace with today’s cybersecurity threats but also proactively guard against severe disruptions.


Christopher Hetner is a risk management expert with more than 25 years of experience in cyber risk, regulatory compliance and corporate governance. He currently serves as an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury), a special advisor for cyber risk to the National Association of Corporate Directors, and a national board member of the Society of Hispanic Professional Engineers. Previously, he worked as the senior cybersecurity advisor to Securities and Exchange Commission Chairs Mary Jo White and Jay Clayton. He can be reached at


© 2024 Global Association of Risk Professionals