Cyber Risk Economics: Building Exposure Into ERM

Mounting financial losses due to cyberattacks have business leaders scrambling for answers and cyber insurance carriers searching for cost-effective solutions. Damages from cybercrime are projected to reach $6 trillion in 2021, and rise all the way to an astounding $10.5 trillion (annually) by 2025.

So, a key issue that financial institutions urgently need to address is the steps they can take to account for their economic and operational exposure to cyber risk. Undoubtedly, this is currently a board-level conundrum. Indeed, competitive firms now understand clearly that they can no longer keep their heads in the sand about cybersecurity - via, e.g., taking the myopic view that it's a technical problem in need of a technical fix.

The trend toward digitization, in which more and more banks are offering an array of digitized products and services in lieu of the traditional brick-and-mortar approach, complicates the cybersecurity problem further. Post-pandemic, to fortify their standing in a charged, digital economy, banks will need to understand both their systemic weaknesses and their complete cyber exposure.

But how, exactly, can such goals be met?

The Playbook for Success

It is now possible to comprehend cyber risk through the lens of economic analysis. To understand the potential (full) impact of cyber hazards, a firm's risk management team must address five questions: (1) What is our financial exposure introduced by cyber risk? (2) What threats and risk scenarios are most likely to cause financial damage? (3) What mitigation strategy most effectively reduces the likelihood of financial impact? (4) How can we better align and optimize our risk mitigation and risk transfer strategies? and (5) How can we use stress analysis of our cyber-risk balance sheet to lower our cost of capital?

Answers to some of these questions can be facilitated through the integration of cyber risks with a firm's established enterprise risk management (ERM) framework. To meld cybersecurity with ERM, take the following steps:

• Develop cyber-risk appetite levels in financial terms, based on the organization's unique risk profile;
• Investigate the remediation and mitigation actions that can be taken to reduce financial exposure to cyberattacks, including worst-case or black-swan events;
• Use return-on-investment analysis to align the cybersecurity budget with cyber-risk financial exposure reduction; and
• Align cybersecurity strategy with risk-transfer optimization.

The Insurance Perspective

Like banks, insurance companies have also struggled to wrap their heads around cyber risk exposure. Indeed, insurers cannot yet bring enough capacity to cover the true cost of cyber losses. This means, in short, that some banks are essentially self-insured against cyber risks, leaving them potentially more exposed to the financial impact of cyberattacks.

Although the insurance markets are largely unable to absorb the true cost of cyber risk today, advancements are being made in underwriting and systemic risk analysis. Eventually, these innovations should give them a more accurate actuarial view of their clients' cyber-risk exposures.

Just as it is well understood that smoking increases health care costs, or that seat belts save lives, the insurance industry has been working to understand the cyber risk scenarios most likely to cause financial impact - and, more importantly, the mitigation actions that best reduce underlying financial exposure.

The Bottom Line

The American industrialist Henry Ford II once said that no one can guarantee the future. “The best we can do is size up the chances, calculate risks involved, estimate our ability to deal with them and make our plans with confidence,” he elaborated. This still holds true today, particularly in the volatile cyber-risk realm.

Estimating one's cyber risk exposure remains a significant challenge, but integrating cyber risk within a firm's existing ERM framework is an excellent first step. The most successful firms view the development of cyber resiliency not merely as a “cost of doing business” compliance exercise but as a competitive advantage that will ultimately yield decreased losses and a reduced cost of capital.

Christopher Hetner is a risk management expert with more than 25 years of experience in cyber risk, regulatory compliance and corporate governance. He currently serves as an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury), a special advisor for cyber risk for NACD, and a national board member of the Society of Hispanic Professional Engineers. Previously, he worked as the senior cybersecurity advisor to the Securities Exchange Commission Chairs Mary Jo White and Jay Clayton. He can be reached at chetner10@gmail.com