Financial Exposure: The Common Language of Cyber Risk

As cyberattacker capabilities continue to grow and companies push the boundaries of digital transformation, it is imperative for boards to oversee the development of effective strategies to manage enterprise cyber risk. Global cybercrime damages are projected to reach $6 trillion this year, and nation-state adversaries are increasingly leveraging widely used software suppliers to gain access to networks.

In this environment, enterprise cyber-resiliency efforts present an opportunity to approach cyber risk not as a mere information technology issue but as a way to gain an advantage in today’s competitive economy.

Most boards and senior executives acknowledge the serious threat that cyberattacks pose to businesses. Gartner’s 2020 Board of Directors Survey found that directors deem cybersecurity the second-greatest source of risk to businesses. Meanwhile, US Federal Reserve chair Jerome Powell asserted recently that “the risk that we keep our eyes on the most now is cyber risk” as it relates to potential systemic disruption in the financial sector and beyond.

As organizations develop digital transformation strategies to keep pace with today’s competitive business environment, it is essential for boards to shift from being underprepared and reactive to providing business-aligned cyber-risk oversight with an eye toward ensuring long-term cyber resilience.

A Path to Cyber Resiliency

Finding a clear and effective way for boards to provide cyber-risk oversight is, now more than ever, an expectation in the boardroom. This requires shifting the focus of boardroom conversations from nuanced, technical security discussions to economic analysis of cyber risk, looking at cybersecurity through the lens of how cyberattacks can cause short- and long-term economic impacts for an organization.

The insurance industry has been developing advancements in insurance underwriting standards that enable this understanding of highly technical cyber risk through financial exposure analysis. Leveraging these global market advancements, boards can clarify how to manage financial exposure to this complex risk area, thereby improving the effectiveness of their cyber-risk oversight. Boards can also now seek to align enterprise cybersecurity strategy with economic cyber-risk metrics as they pursue a path to cyber resiliency using a common language that everyone understands: dollars and cents.

In line with this financial framing of cybersecurity, boards should ask management the following questions:

• What is our financial exposure to cyber threats?
• What kinds of cyberattacks—and targeting what data and systems—could have the largest financial impact to our business?
• How much financial exposure are we accepting within the enterprise and through our digital supplier ecosystem?
• Are our digital initiatives being pursued in a cyber-resilient manner?

Related topics the board should discuss with management include:

• Developing cyber-risk appetite levels in financial terms based on the organization’s unique risk profile
• The most effective remediation and mitigation steps that can be taken to reduce financial exposure to cyberattacks, including worst-case or black-swan events
• How management is using return-on-investment analysis to align the cybersecurity budget with cyber-risk financial exposure reduction
• The steps management is taking to align cybersecurity strategy with risk-transfer optimization

While the success of a financial approach to cyber-risk oversight can and will vary based on personnel and organizational maturity, establishing cyber-risk metrics based on financial exposure analysis should be a priority goal on any organization’s enterprise cyber-risk maturity roadmap.

The Evolving Regulatory Environment

With ever-growing systemic cyber-risk exposure comes a growing volume of rules and legislation. Boards must act now to ensure that their cybersecurity programs allow their companies to stay ahead of the curve. Managing cyber risk by tracking metrics tied to financial exposure analysis and overall strategy can not only help identify optimal areas of cyber-defense investment, but also set the groundwork for corporate disclosures that foster trust among a company, its stakeholders, and regulators.

In 2018, the US Securities and Exchange Commission issued guidance on public company cybersecurity disclosures to assist businesses in preparing disclosures related to cyber risks and incidents. This guidance points to several recommended disclosure areas, including the probability of an occurrence and the potential magnitude of cyber incidents; the adequacy of preventative actions taken to reduce cyber risks and the associated costs (including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cyber risks); and the aspects of the company’s business and operations that give rise to material cyber risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks.

Achieving Cyber-Risk Excellence in the Boardroom

Like all things in business, effective communication is the cornerstone of positive outcomes. Developing a common language for discussing the complex issue of cyber risk is essential to achieving cyber-risk excellence in the boardroom. Boards can use economic analysis as this common language to harmonize their cyber-risk oversight with effective enterprise cyber-risk management strategy as cyber-attacks lurk around the corner.

Chris Hetner is an expert advisor to the Institute for Defense Analyses (US Department of the Treasury), a special advisor for cyber risk for NACD, and a national board member of the Society of Hispanic Professional Engineers. Hetner also served as the senior cybersecurity advisor to SEC chair Walter J. Clayton. John Frazzini brings more than 20 years’ experience as a cyber-risk innovator to his role as president, CEO, and board member of Secure Systems Innovation Corp. He also serves on the board of the Internet Security Alliance and is NACD Directorship Certified™.