Demystifying Cyber Risk: Executives, champion your cyber risk management
Posted in: Commercial Insurance
Effective cyber risk management involves every part of an organization. Cybersecurity policies guide employee behavior and shape culture. Cybersecurity training helps employees, from IT staff to administrative professionals to C-suite executives, understand cyber threats and protect the organization from them. Technology enforces those policies and provides essential defense and detection capabilities. But an initiative on this scale, one that touches the entire organization, will succeed or fail based on the vision and engagement of executive leadership.
Developing and implementing an effective cyber risk management strategy is a vital element of your business's success. Yet for many leaders interested in improving cyber risk management, getting started is one of the hardest parts.
Today, I'll provide foundational information on the nature of cyber risk. My goal is to help you and your Information Technology team be on the same page when discussing cyber risk and how it can potentially impact your business. Then, in an upcoming post, I'll provide best practices you can follow to begin a cyber risk review, which will help you better understand your unique cyber exposures and create a high-level cyber risk profile for your organization.
What Is Cyber Risk?
Cyber risk is typically portrayed as a mysterious hacker hiding in the shadows, breaking into your network and infecting it with malware. In reality, your organization's cyber risk is made up of a variety of factors, some unique to your organization and some common to all businesses. The diagram below provides a simplified visual representation of a cyber risk equation that helps define cyber risk.
Figure 1. Cyber Risk Equation
Why Is Cyber Risk Different from Traditional Risk?
The complex nature of cyber risk makes it unique compared to traditional risks. For example, one familiar risk category for most organizations is their physical property. On any given day, your property could be destroyed by a fire, flood, storm, vandalism or another incident. In this case the loss is capped: it can never exceed the value of the property itself (plus a limited area around it), so the risk is bounded and relatively predictable based on historical data and other known factors.
In contrast, internet-connected technology creates a risk model that is fluid and unpredictable. By "plugging in," each business, person and device becomes a node in a complex global system. In this system, cyber risk has the potential for exponential growth that is difficult to plot on a graph or predict with historical insurance models, because the loss is not bounded by any single asset but by how far a compromise can travel across connections.
For example, if an organization's network is infected with a virus, the virus could damage the enterprise's own network and then spread to every vendor, client, individual or other third party connected to it, and from them to their connections in turn. The virus may also allow a criminal to steal money or sensitive data, leading to further financial and legal consequences for the business. Physical damage, such as a building burning down, can be devastating and may affect neighboring buildings. However, the fire cannot spread to the buildings of every third party that interacts with your business, nor lead to the unpredictable secondary consequences a business might experience after a major data breach.
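The contrast above, bounded physical loss versus transitive cyber loss, can be made concrete with a small model. The following is an added example, not part of the original post: it walks a constructed dependency graph for a fictional company ("acme" and its vendors, clients and bank are all assumptions, as are the exposure values) and computes exposure two ways. A hop limit of 1 stands in for a fire that only reaches immediate neighbors; no hop limit stands in for a self-propagating compromise that follows every connection. It also shows how adding a single new integration changes the exposure of a node that was previously isolated.

```python
from collections import deque

# Constructed example: a small dependency graph for a fictional company "acme".
# An edge A -> B means a compromise at A can propagate to B (VPN, API integration,
# shared credentials, mail flow). Names and values are assumptions for illustration.
CONNECTIONS = {
    "acme":             ["vendor_a", "client_1", "client_2"],
    "vendor_a":         ["vendor_b", "acme"],
    "vendor_b":         ["payroll_provider"],
    "client_1":         ["client_1_bank"],
    "client_2":         [],
    "payroll_provider": ["client_1", "client_2"],
    "client_1_bank":    [],
}

# Assumed exposure value per node (e.g., cost of an outage or breach), in thousands.
VALUES = {
    "acme": 500, "vendor_a": 200, "vendor_b": 150, "client_1": 300,
    "client_2": 250, "payroll_provider": 400, "client_1_bank": 1000,
}


def reachable(origin, graph, max_hops=None):
    """Breadth-first walk from origin, returning every node the incident can touch.

    max_hops=1 models a physical incident: damage stops at immediate neighbours.
    max_hops=None models a self-propagating compromise: it follows links transitively.
    BFS visits nodes in order of increasing hop count, so the first visit is the shortest path.
    """
    seen = {origin}
    frontier = deque([(origin, 0)])
    while frontier:
        node, hops = frontier.popleft()
        if max_hops is not None and hops >= max_hops:
            continue
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, hops + 1))
    return seen


def exposure(origin, graph, values, max_hops=None):
    """Total value of everything the incident starting at origin can reach."""
    return sum(values[n] for n in reachable(origin, graph, max_hops))


def exposure_with_new_link(origin, graph, values, src, dst):
    """Re-run the transitive model after adding one integration src -> dst.

    The input graph is copied, not mutated, so repeated what-if runs stay independent.
    """
    updated = {k: list(v) for k, v in graph.items()}
    updated.setdefault(src, []).append(dst)
    updated.setdefault(dst, [])
    return exposure(origin, updated, values)


if __name__ == "__main__":
    print("fire-like (1 hop) exposure from acme:", exposure("acme", CONNECTIONS, VALUES, max_hops=1))
    print("worm-like (transitive) exposure from acme:", exposure("acme", CONNECTIONS, VALUES))
    # A breach at a client with no outbound connections touches only that client...
    print("from client_2:", exposure("client_2", CONNECTIONS, VALUES))
    # ...until a single new integration is added, after which it reaches the whole graph.
    print("from client_2 after adding client_2 -> vendor_a:",
          exposure_with_new_link("client_2", CONNECTIONS, VALUES, "client_2", "vendor_a"))
```

The point of the model is the last two lines: the physical figure is fixed by what sits next to the building, while the cyber figure is a function of the graph, and one new vendor connection can move a node from "only itself" to "everything." Running it on a real inventory of integrations (rather than the constructed graph here) is a useful first step in a cyber risk review.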