It’s Time To Quantify Cyber Risk ExposureCyber Practice Leader at Marsh
The last 40 years have seen a transformation in where value lies for most organizations. In 1975, more than 80 percent of the market cap of the S&P 500 was derived from physical assets and infrastructure—plants, machinery, and heavy equipment—with the rest tied to intangibles. Today, the numbers have flipped, and market value is tied to data, intellectual property, and other technologies—the intangible assets that fuel our information economy.
Businesses are struggling to adjust to the significant shift in risk that accompanies this shift in value. Technological advances bring a near-universal vulnerability to cyberattacks, where a single incident can inflict damage in the hundreds of millions of dollars—as borne out by the NotPetya and WannaCry events of last summer. Cyber-related risks are two of the top five risks facing corporations, according to the World Economic Forum’s 2018 Global Risks Report—the first time that two tech-related risks have been in the top five.
The recent Marsh-Microsoft Cyber Perception Survey shows that companies are recognizing the potentially massive impact of a cyber event more than ever. Nearly two-thirds of survey respondents said that cyber risk is among their organization’s top five risk management priorities, roughly double the number who rated cyber as such in a survey Marsh conducted in 2016.
But despite recognizing the magnitude of the risk, few companies seem to be managing these numbers. Fewer than half of survey respondents—45 percent—said they formally estimate the financial impact of a potential cyber event as part of risk management, and only 11 percent conduct economic quantification based on estimated financial losses within a timeframe, such as value-at-risk modeling.
Among those that do quantify their cyber risk, more than 40 percent of companies with over $1 billion in revenue estimate the financial impact from an event would exceed $50 million.
An organization needs to work as a team to effectively manage cyber risks. By sharing oversight responsibility among stakeholders—including corporate boards, C-suite executives, risk professionals, and technologists—the managerial and technological challenges presented can be reduced. However, a majority of companies are not employing a truly collaborative governance model to manage cyber risk: 70 percent of survey respondents point to their IT department as a primary owner and decision-maker around cyber-risk management, with smaller numbers citing the CEO, board, risk managers, and legal/compliance.
There is evidence that the largest firms are moving in the direction of shared cyber-risk governance; organizations with more than $5 billion in revenue were more likely to cite directors and risk management teams as among the primary owners and decision-makers than did smaller firms, possibly reflecting the resources available to larger firms.
That there is both appropriate concern about cyber risk and room for improvement in its management was evident among the board members in our survey population. Roughly 70 percent of respondents who identified as board members said they ranked cyber risk as a top five concern, yet only 14 percent reported that they were “highly confident” in their organization’s ability to respond to a cyberattack. We also found evidence that directors may not be receiving—or perhaps understanding—the information about cyber risk that is being sent to them.
Like other major enterprise risks that face an organization, cyber threats should be managed strategically, comprehensively, and quantitatively. Proper economic quantification of an organization’s cyber exposure is essential to help board members and other decision-makers understand their cyber value at risk, determine optimal investment strategies, and achieve measurable outcomes within their cyber-risk management program.