The Need For a Shift Up Strategy, Using CRQ for Resilience, Part 3
January 22, 2024
Whether it’s supporting initiative prioritization, as discussed in Part 1, or justifying budget requests, pursuing cost-effective strategies, and calculating risk appetite levels, as discussed in Part 2, CRQ has the power to transform an organization’s mindset to include cybersecurity in strategic risk planning conversations. This transformation, known as a Shift Up strategy toward cyber management, has become more critical than ever as cyber threats evolve.
Indeed, mitigating cyber risk has become a necessary, higher-level business process that can make the difference between operational resiliency and failure. By convening all executive stakeholders to discuss the organization’s cybersecurity management programs and risk landscape, chief information security officers (CISOs) can build a more robust digital defense system that simultaneously withstands malicious attacks and aligns with broader goals.
Nurturing a Shift Up Strategy With Cyber Risk Quantification (CRQ)
In today’s market, cyber risk is widely accepted as a general business risk. Still, board and C-suite members find it challenging to incorporate the topic into their strategic discussions due to its technical aspects. While some organizations have consequently found it simpler to delegate all cyber-related responsibilities to the CISOs, others have explored more innovative methods that can bridge the gap between these tech terms and a broader business language.
Those companies that have pursued these alternative approaches to cybersecurity not only enjoy a more thorough understanding of their risk landscape but also increase their overall success rates. A recent Accenture study found that organizations that align their cyber programs with business objectives are 18% more likely to have the ability to boost revenue, increase market share, and improve customer satisfaction.
CISOs have similarly recognized the benefits of demanding that cyber governance and management be incorporated into high-level strategy meetings, understanding that it’s going to take a concerted, coordinated effort to create a resilient system in the face of a cyber attack. To make sure that this necessary collaboration and alignment can take place, cybersecurity leaders have been adopting financial CRQ solutions into their arsenal.
Cyber risk quantification transforms cyber risk into potential financial loss and event likelihood, terms that key executives are deeply familiar with. A CRQ tool effectively allows organizations to adopt a Shift Up strategy, equipping board members, C-suite executives, and personnel without a technical cyber background to meaningfully discuss how they plan to allocate cybersecurity resources. Working together, key stakeholders can ensure simultaneously that cyber initiatives target the most significant risks and propel the business forward in its overarching mission.
Addressing and Preparing for Regulatory Disclosures
As cyber risk becomes increasingly complex and costly, governmental bodies worldwide have begun implementing reporting regulations that require organizations to document various aspects of their cybersecurity activities. Specifically, in July 2023, the US SEC mandated that corporations must disclose "material" cyber incidents within four days of determination and annually submit their cybersecurity risk management, strategy, and governance policies.
Other international governing bodies have similarly required registrants to report “material” risks and incidents in hopes of fostering a more transparent marketplace. The Australian Prudential Regulation Authority (APRA), for instance, mandates that relevant institutions report material cyber events within 72 hours. These institutions must also notify APRA of any system vulnerabilities that cannot be immediately addressed and that would result in material loss.
Kovrr's cutting-edge cyber risk quantification (CRQ) methodology and reporting engine simplify these processes by offering automated calculations that determine materiality thresholds. By leveraging a basis point of revenue, CISOs can collaborate with board members and other executives with fiduciary and regulatory responsibilities to guarantee reporting alignment.
With the Cyber Materiality Report pictured in Figure 6, organizations can access real-time quantifications of cyber loss exposure tailored to their unique business model and generate data-driven thresholds that guide reporting decisions. For instance, the Preliminary Material Financial Loss figure, as seen in Figure 7, indicates that any cyber incident that has cost or may cost at least $2 million should be seriously considered in terms of its materiality.
Organizations can also evaluate material loss in terms of data records or outage time. For eMerchify, a record loss of 4 million records, or 10% of the total, potentially equates to a material event. This company would also use a 26-hour outage as a baseline for determining materiality. By benchmarking these metrics, CISOs can provide decision-makers with a starting point for fulfilling disclosure obligations.
It's important to note that these loss thresholds are not the sole factor that defines materiality. Material incidents should be determined on a case-by-case basis and include more qualitative potential damages. However, these values, along with their likelihood of occurrence, serve as a baseline for the necessary materiality conversations, offering businesses a contextual understanding of their cyber risks and attacks and facilitating speedier decision-making and incident response planning processes.
The SEC is merely one government agency that's starting to take a more active role in cybersecurity management due to the enormous impact cyber attacks can have on the market. Authorities in the EU and Australia have recently enacted cyber regulations, and roughly 80% of countries worldwide have at least drafted relevant legislation that helps bring cybersecurity to the forefront of corporate concerns.
With a CRQ platform that transforms material cyber risk into terms executives are more familiar with, CISOs can significantly aid board and C-suite members in shifting up, ensuring disclosures are accurate and include the appropriate, relevant information. As reporting requirements continue to tighten, it's crucial that organizations harness objective data and benchmarks and discern how material cyber risks will affect overall business operations.
Analyzing Cyber Insurance Policies to Dispute Redundant Terms
Although cybersecurity has typically been considered a cost drain, a CRQ platform like the one from Kovrr can help CISOs transform this perception amongst senior stakeholders, especially when it comes to adopting cyber insurance. Insurance is one of the main strategies organizational leaders pursue to manage their business risk more cost-effectively. Just as with other types of insurance, cyber policies exist to provide organizations with an economical way to offset the costs of a potential cyber attack.
Unfortunately, due to the rate at which cyber risks evolve, along with their increasing sophistication, cyber insurers can't always accurately calculate the likely damages. However, with the financial insights gleaned from cyber risk quantification, CISOs can support executives when negotiating the best coverage, providing them with tailored loss forecasts according to the organization's risk landscape.
By comparing the expected loss distribution with the company's insurance coverage, business leaders can determine whether the policy, given its deductible, truly provides a financial safety net. For example, the organization in Figure 8 has an Average Annual Loss (AAL) expectancy of $11 million. Their deductible, on the other hand, is $5 million. When the AAL exceeds the deductible, the insurance policy is, on the whole, likely an economically logical risk mitigation choice.
However, it's also important to consider the probability that these annual losses will exceed the deductible, a figure Kovrr's CRQ models also reveal based on a Monte Carlo statistical simulation. In Figure 8, there is a 29% (or nearly 1:3) chance that the deductible will be surpassed. There is also a small 2% chance that the $100 million limit will be exceeded within the next year. This indicates it might be worth it for the organization to pursue a lower deductible and limit amount, depending on their risk appetite.
Kovrr’s cyber risk quantification platform also breaks down a company’s insurance coverage according to the event type that causes the financial loss. By isolating loss according to the incident classification, organizations can optimize the allocated budget for insurance into a coverage area more likely to cause significant damage.
For the company evaluated in Figure 9, there is only a 2% probability that their losses due to an extortion incident will exceed the event deductible. The extortion coverage only protects this company in the case of tail events (events with a low likelihood of occurrence). In this case, although similarly dependent on risk appetite, the company in question may decide to drop this specific coverage entirely and either save on the premium or push for a higher sub-limit for their Business Interruption policy, considering the 24% chance of premium exceedance.
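The policy-level view in Figure 8 (AAL, deductible and limit exceedance from a Monte Carlo simulation) and the per-event-type view in Figure 9 both come from a simulated annual loss distribution. The following is an added example of a minimal frequency/severity Monte Carlo that produces those same quantities; it is not Kovrr's model or code, and the event-type parameters and sub-limits are constructed placeholders.

```python
# Added example (not Kovrr's model or code): frequency/severity Monte Carlo producing the
# insurance metrics shown in Figures 8 and 9. Event parameters and sublimits are constructed.
import math
import random
# Constructed per-event-type parameters: (events per year, lognormal mu, lognormal sigma)
EVENT_TYPES = {
    "business_interruption": (0.8, math.log(3_000_000), 1.2),
    "extortion": (0.3, math.log(1_500_000), 1.5),
    "data_breach": (0.5, math.log(2_000_000), 1.0),
}

def poisson(rng, lam):
    """Sample an event count from Poisson(lam) with Knuth's multiplication method."""
    limit, n, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return n
        n += 1

def simulate(event_types, years=20000, seed=7):
    """Simulate annual losses; each event's severity is lognormal and a year's loss is their sum.
    Returns (per-year totals, per-year losses keyed by event type)."""
    rng = random.Random(seed)
    totals, by_type = [], {name: [] for name in event_types}
    for _ in range(years):
        year_total = 0.0
        for name, (lam, mu, sigma) in event_types.items():
            loss = sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
            by_type[name].append(loss)
            year_total += loss
        totals.append(year_total)
    return totals, by_type

def average_annual_loss(losses):
    return sum(losses) / len(losses)

def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss is strictly greater than the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def coverage_report(event_types, deductible, limit, sublimits, **kw):
    """Figure 8-style policy view (AAL, deductible/limit exceedance) plus Figure 9-style per-type view."""
    totals, by_type = simulate(event_types, **kw)
    report = {"AAL": average_annual_loss(totals),
              "P(loss > deductible)": exceedance_probability(totals, deductible),
              "P(loss > limit)": exceedance_probability(totals, limit)}
    for name, losses in by_type.items():
        report[f"P({name} > sublimit)"] = exceedance_probability(losses, sublimits[name])
    return report
```

Calling `coverage_report(EVENT_TYPES, 5_000_000, 100_000_000, sublimits)` with the page's $5 million deductible and $100 million limit yields the Figure 8 quantities, and the per-type entries correspond to the Figure 9 breakdown.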
Cyber insurance aims to minimize financial losses, rendering it an inherently high-level issue that should be discussed amongst executives with budget approval authority. Leveraging financial CRQ, CISOs can easily elevate this process and ensure that all stakeholders can tangibly understand the ramifications and ROI of specific coverage areas. Together, these executives can optimize their cyber policies based on the business’s overall risk landscape.
Learning More About the "Shift Up" Strategy at the Shift Up Summit
In March 2024, Kovrr, along with Microsoft, ISS-Corporate, Valence, and Silverfox, hosted the Shift Up Summit to help key industry professionals learn more about elevating cyber risk management to the C-suite, board room, and beyond. Several CISOs from global enterprises shared their experiences, and there were in-depth discussions and practical tips on how best to facilitate this necessary cybersecurity transition.
While the event has passed, the presentation slides are available, offering you insights on other ways to incorporate a Shift Up Strategy within an organizational framework.
Elevating the Importance of Cybersecurity for High-Level Cyber Resiliency
Embracing a Shift Up mindset equips organizations with the necessary insights to navigate the nuanced, volatile landscape of cyber threats from a holistic perspective. By translating technical jargon into a language comprehensible to the broader business world, CRQ facilitates this elevation and creates a company culture that fully understands the value of a unified approach to cyber risk management.
Cyber risk quantification empowers organizations to bring high-level cybersecurity discussions, such as regulatory obligations and insurance options, to the boardroom, fostering the collaboration and coordination crucial for building resilient defense systems. In an era of heightened cyber threats, increased event costs, slashed budgets, and evolving regulatory policies, organizations must work together to manage their risk proactively if they are to withstand the impact of the inevitable cyber attack.
If you’re interested in establishing a Shift Up approach throughout your organization when it comes to cybersecurity, contact our CRQ experts today.