No company is fully secure from cyber breaches, no matter how sophisticated its cyber defense mechanisms, which is why every company should develop a cyber risk management strategy, according Marsh & McLennan Co.’s “Cyber Risk Handbook 2016.”
Research reveals that few companies have made “the concerted organizational effort to identify the range of cyber scenarios that could affect them, assess the cyber risk of their suppliers and customers, and build fully operational cyber risk prevention and response plans,” said the forward to the report, which was authored by John Drzik, president, Global Risk & Specialties, Marsh. He also is chairman of the broker’s Cyber Risk Working Group.
“Cyber is a ‘risk’ issue, not an ‘IT’ issue, and managing it effectively requires broad cross‑functional engagement,” said Drzik in the forward of the handbook, which consists of a series of articles by Marsh & McLennan experts.
The report cautioned that companies ignore cyber risks at their peril. “Consider that just last year 500 million personal records were stolen or lost. Ransomware attacks grew by 35 percent and spear-phishing incidents by 55 percent,” said an article in the handbook, titled “Go to Cyber Extremes – What to Do When Digitalization Goes Wrong.” (This article was authored by Claus Herbolzheimer, a Berlin-based partner in Oliver Wyman’s Digital practice.)
“These types of attacks are no longer just harming desktop computing. They are starting to cause the malfunctioning of critical medical equipment, emergency services and fundamental communications,” said the article, which cautioned that few organizations’ cyber defenses are keeping pace.
“We estimate that only a third of companies are sufficiently prepared to prevent a worst-case attack. Based on a recent survey by Marsh, Oliver Wyman’s sister company, a quarter of companies do not even treat cyber risks as significant corporate risks. Nearly 80 percent do not assess their customers and suppliers for cyber risk,” the article continued.
An article titled “The Evolving Cyber Risk Landscape” discussed the growing purchase of cyber insurance.
“Total annual cyber premiums have reached an estimated $2 billion and may reach $20 billion by 2025,” said the article authored by San Francisco-based Alex Wittenberg, executive director of Marsh & McLennan Cos.’ Global Risk Center.
“The U.S. remains the largest cyber insurance market, where nearly 20 percent of all organizations have cyber insurance and there are yearly increases in the number of companies purchasing cyber insurance and increases in the limits,” he said, noting, however, that interest is also growing elsewhere in the world.
The article quoted a recent Marsh survey of European risk managers, which found that nearly 25 percent planned to explore cyber insurance options over the next 24 months.
In addition, a survey of U.K. risk managers shows that 20.6 percent of companies are buying insurance, but the same survey shows few companies are quantifying their risk exposures, Wittenberg’s article continued.
“Without a complete understanding of their company’s exposure to cyber risk (75 percent) and/or a calculation of the financial impact should an event occur (64.6 percent), these organizations are in a poor position to approach the insurance market and place a value on transferring the risk,” the article continued.
Quantifying Cyber Risk
While cyber breaches are one of the most likely and expensive threats to corporations, “few companies can quantify how great their cyber risk exposure is, which prevents them from protecting themselves,” according to an article in the handbook titled “Can You Put a Dollar Amount on Your Company’s Cyber Risk?”
“Most managers rely on qualitative guidance from ‘heat maps’ that describe their vulnerability as ‘low’ or ‘high’ based on vague estimates that lump together frequent small losses and rare large losses,” added the article.
“But this approach doesn’t help managers understand if they have a $10 million problem or a $100 million one, let alone whether they should invest in malware defenses or email protection. As a result, companies continue to misjudge which cybersecurity capabilities they should prioritize and often obtain insufficient cybersecurity insurance protection,” said the article authored by Leslie Chacko, San Francisco-based principal in Oliver Wyman’s Digital and Strategic IT practices; Evan Sekeris, Washington, D.C.-based partner in Oliver Wyman’s Financial Services practice; and Claus Herbolzheimer, a Berlin-based partner in Oliver Wyman’s Digital and Strategic IT practices.
The article noted that no institution has the resources to completely eliminate cyber risks. As a result, businesses need to make the right strategic choices regarding which threats to mitigate.
“It’s essential that companies develop the capability to quantify their cyber risk exposure in order to form strategies to mitigate that risk. The question is, is it really possible to put a dollar sign on fast-changing cyber risks with data that is difficult to find and often even harder to interpret?” the article asked.
“Companies come much closer to properly weighing how much they should spend to reduce their cyber risk and curb cyber crime when they consider these risks from three perspectives: foregone revenue and ancillary payments, liability losses, and reputational damage,” the article said.
“The direct revenue losses for the companies involved in a cyber attack can be nearly negligible compared to the reputational damage incurred, which in turn can lead to future revenue losses,” the handbook article added. “That is why it is essential for managers to quantify cyber risks more broadly. It can be done and can potentially save companies hundreds of billions of dollars every year.”
The article recommended that the first step in putting a dollar figure on cyber risks is to identify your company’s most important assets and its greatest vulnerabilities.
It explained that cyber risks generally fall into two categories: 1) those involving services shutting down, and 2) those that compromise information, ranging from sensitive data to corporate secrets or bank accounts.
The challenge is “to build a smart, well-designed cyber risk model that’s able to analyze potential direct revenue, liability and brand loss scenarios. For when a cyber attack happens, companies are hit not just with losses resulting from customers who stop buying products and services; they also face ancillary costs related to fixing their problem, such as regulatory fines, forensics and consulting costs,” the article said.
When critical data is accessed by hackers, the article confirmed that liability losses also become a factor. “A company may need to provide customers years of remediation, such as offering credit monitoring services, along with legal fees and penalties to settle multiple class action lawsuits,” the Marsh & McLennan handbook said.
Finally, companies must quantify how much their future revenues will fall if a cyber attack has damaged their brand, it continued.
“To understand the upper and lower boundaries of their risk, companies must gather general business, operational and technical data that can be modeled against expected and worst-case scenarios,” the article said.
“Using both internal and external data related to the health of their business and operations, managers should be able to predict their expected and maximum cyber losses over a one- to three-year period, just as they can forecast their future revenues,” it said.
They also should estimate what percentage of their customers will leave if an outage results from a cyber breach – or how much their stock valuation and margins could suffer if a cyber attack causes damage to their reputation, the article said, adding that past incidents will help determine the applications that are at the highest risk. “Armed with this information, it’s much easier for managers to judge if their companies have the right level of cyber risk protection and to budget for potential additional spending.”
Articles in MMC’s “Cyber Risk Handbook 2016” cover “Strategy,” “Risks” and “People” topics. (The People section includes a discussion of the “people factor” in cyber threat management as well as staffing and organizing a cyber risk management team.)
Source: Marsh & McLennan