
Valuing Cyber Risk - A deeper understanding on how to value the risk of a Cyber attack to your business

When considering cyber security, the question of the financial impact of a breach is always one that challenges even the most experienced of professionals.  To start with it could cover a multitude of elements in a range of scenarios, and that is even before we get into the effect on intangible assets and the like.  One of the main reasons for wanting to get an idea of the valuation though is that insurance cover might be a sensible option but to cover what, for how much and in what circumstances?  Indeed, there is a bigger question of how the insurance underwriters address cyber threats and the risk of a breach, but that is probably another blog.

There have been a number of reports issued by a variety of organisations, from private companies to governments, estimating the financial impact of a cyber breach.  The main problem with these reports is that there is little consistency between the terms used, and therefore the evidence they offer.  Some will include all the costs of a breach encompassing potential fines, system-rectification costs, data-recovery costs, system-cleansing costs, reputational damage and other financial impacts.  Others will simply be the immediate impact costs – the costs of getting the affected systems back up and running as soon as possible.  The impact is also very dependent on the governance framework within which the organisation that is breached is operating.  For a public listed company, the impact could be financially significant but manageable, whereas for an SME it could bring about bankruptcy and closure of the company even though the actual financial costs are perhaps much smaller. After the World Trade Center was bombed way back in February 1993, many of the companies based there never traded again because they didn’t have access to their business records and so lost their cashflow.  All these factors make estimating the impact of a cyber-attack very difficult certainly in financial terms.

Establish The Process

So what process should be employed when trying to put a value on cyber risk?  To start with there has to be an effective Business Impact Assessment (BIA).  This will list all the assets of an organisation and assess the impact of, for example, losing them entirely, losing access to them, suffering a breach by failing to prevent an unauthorised person gaining access to them, or any one of a number of other issues.  The BIA should be comprehensive.  It should clearly be based on the worst-case scenario of the effects on the most valuable assets, but it must also consider all the assets including hardware, software, buildings, people, fines and of course any intangible assets like reputation, market share and the like.  It should also consider the whole range of potential impacts from catastrophic down to mere annoyance.  Values for metrics including the Maximum Tolerable Period of Disruption (MTPD), Recovery Time Objective (RTO) and Maximum Tolerable Data Loss (MTDL) should be calculated for each group of assets. The BIA should provide a clear understanding of what the “crown jewels” are and where they are held, be they information or something else.  What is the asset that, if it was lost, would cause the most serious impact on the normal operations of the organisation?  This BIA then forms the foundation for subsequent work to determine the security measures taken across the organisation.

The next step is then to consider the risks to those assets, a “traditional” risk assessment.  However, the traditional methods will usually look at all potential risks and determine, in particular, their likelihood, often allocating a percentage to each risk.  In cyber terms that is not the best approach.  There is no clear understanding of the potential threats posed by criminals, competitors or nation states – very few experts agree where the next cyber-attack will come from or what it will look like.

Assume the Inevitable

Whilst it might be comforting, for example, to consider that your organisation is too small to warrant an attack by a nation state, the very nature of such attacks means that virtually everyone connected to the internet could be a victim as collateral damage at the very least.  WannaCry was not targeted at the NHS in the UK, indeed there is now evidence it was clearly targeted at the Ukraine.  Nevertheless, it did untold damage to the NHS systems causing serious operational impact. It is therefore far more practical to assume all applicable cyber risks are effectively 100% likely.  This helps to determine a much more agile method for implementing controls to reduce the effect of, and increase the defences against, such attacks.

Identify the Control Gaps

A better way to undertake a risk assessment is to consider the controls that are already in place within the organisation.  This will include technical controls, physical controls and procedural controls. A review of how well they are operating currently, based on a maturity assessment, should then facilitate the decision as to how much better they need to be in order to meet the risk appetite of the person in charge.

Once the gaps in the performance of the existing controls have been identified, there is then the need to have a sensible business discussion about which areas of the cyber controls need to be improved and which are probably adequate.  This will vary across the organisation from asset to asset.  Whilst there might be a desire to protect everything equally and to the highest levels, that is rarely an option for most organisations due to financial limitations if nothing else.  Therefore, a set of “control levels” must be set allowing the different assets, however they are classified, to be given a “bespoke” level of security based on the BIA and their value to the organisation.  Controls in cyber security are rarely free and so inevitably the senior management must balance the value of the risk they are taking against the cost of even more controls implemented at ever increasing levels of maturity.
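
The gap analysis described above can be sketched in a few lines of Python. This is an added example, not part of the original post and not how CDCAT works; the 0-5 maturity scale, the tier names and weights, the costs and the asset names are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed "control levels": required maturity (0-5) per control category
# for each BIA impact tier. Scale, tiers and values are constructed.
REQUIRED = {
    "catastrophic": {"technical": 4, "physical": 4, "procedural": 4},
    "serious": {"technical": 3, "physical": 2, "procedural": 3},
    "annoyance": {"technical": 1, "physical": 1, "procedural": 1},
}
TIER_WEIGHT = {"catastrophic": 3, "serious": 2, "annoyance": 1}
COST_PER_LEVEL = {"technical": 40, "physical": 25, "procedural": 10}  # constructed

@dataclass
class Asset:
    name: str
    bia_tier: str
    current: dict  # assessed maturity per control category

ASSETS = [  # constructed sample assessment
    Asset("customer-db", "catastrophic", {"technical": 3, "physical": 4, "procedural": 1}),
    Asset("hr-fileshare", "serious", {"technical": 3, "physical": 2, "procedural": 2}),
    Asset("lobby-display", "annoyance", {"technical": 2, "physical": 1}),
]

def control_gaps(assets):
    """List every maturity shortfall, highest priority first.
    There is no likelihood term: each risk is assumed certain, so priority
    is BIA tier weight times the size of the shortfall."""
    rows = []
    for a in assets:
        for cat, need in REQUIRED[a.bia_tier].items():
            have = a.current.get(cat, 0)  # unassessed control counts as absent
            if have < need:
                rows.append((a.name, cat, have, need, TIER_WEIGHT[a.bia_tier] * (need - have)))
    return sorted(rows, key=lambda r: (-r[4], r[0], r[1]))

def fund_within_budget(gaps, budget):
    """Close gaps in priority order while they fit; the rest is accepted risk."""
    funded, accepted = [], []
    for name, cat, have, need, _prio in gaps:
        cost = COST_PER_LEVEL[cat] * (need - have)
        if cost <= budget:
            budget -= cost
            funded.append((name, cat))
        else:
            accepted.append((name, cat))
    return funded, accepted

if __name__ == "__main__":
    gaps = control_gaps(ASSETS)
    print(gaps)
    print(fund_within_budget(gaps, budget=45))
```

The second list returned by fund_within_budget is the risk that senior management would be explicitly accepting at that budget.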

CDCAT®

The risk assessment based on the current controls and the maturity of their implementation can be quickly undertaken by using the Cyber Defence Capability Assessment Tool (CDCAT) licensed by APMG and owned by Dstl and the Ministry of Defence.  This tool can assess any system quickly and effectively and then, in a very comprehensive report, provide possible solutions to any vulnerabilities defined as levels of maturity below those required or desired.  Assessments of any system are rapid, usually taking less than half a day, and provide a very clear guide as to how the problems found should be addressed.
