The recent Marriott data breach, which exposed the personal information of around 500 million guests, has put cyber risk back in the headlines and exposed the fact that many businesses still don’t invest enough in mitigation.
Corporate Risk and Insurance spoke with Robert Vescio, chief analytics officer of cyber risk management firm SSIC and inventor of the X-Analytics cyber risk quantification model, regarding the aspects many businesses neglect when managing cyber risk.
“Financial analysis of cyber risk is at best significantly overlooked and at worst, not even considered,” Vescio said. “Each and every cyber risk decision should factor in how to generate revenue and/or control expenses – the same way other business risks are addressed. Once cyber risks are assessed the same way as other business risks, an organisation can determine what is missing in its cybersecurity risk program. Maybe the answer is patch management, improved monitoring and incident response, better data encryption, or stronger authentication. The answer - just like the risk - is unique to every organisation. The approach, however, should be the same: identify and manage risk.”
On mitigation, he advised risk managers that the basics still apply, as they do for any other business risk.
“My recommendation is to remediate where it makes sense and where you can earn a positive return on investment,” he said. “For other cyber risks, consider transfer to an insurance policy. If you transfer risk, ensure you have the right type and size of policy.”
Additionally, Vescio stressed the importance of adapting risk management to an organisation’s own profile in order to minimise losses.
“From a general perspective, risk transfer has been and continues to be an incredible - yet underutilised - option,” he said. “In comparison to most cyber risk options, insurance is still relatively inexpensive.”
However, he noted that insurance isn’t the be-all and end-all of risk transfer. He pointed out that in some instances cyber risk can be transferred to SaaS or other third-party providers. What actually moves in such an arrangement is defined by the contract: a business that hands its data to a provider generally remains accountable to its customers and regulators for a breach of it, so the operational risk is transferred while the liability largely stays put.
Furthermore, businesses and service providers such as SSIC should work together continually to draw the line between risk remediation and risk transfer. Once that line has been established, risk transfer decisions become objective and easy to make, according to Vescio.
“If a risk manager needs to move the risk transfer line, then we work out a remediation strategy to make that option possible,” he said.
SSIC’s X-Analytics tool, which Vescio invented, focuses on analysing cyber risk in financial or economic terms. This is an area that he believes many businesses are neglecting.
“We gather information about our customer and process their input with our model, publishing a set of dashboards that are easy to understand and full of guidance,” he said. “Via ongoing interaction, we help our customers make decisions via workshops, board presentations, and ‘what-if’ simulations. Over time, trending is used to see how the customer’s cyber risk posture is improving and the impact of emerging threat conditions. This process is repeated throughout the entire subscription period.”
Vescio believes the model’s main advantage is that it performs financial analysis of cyber risk through a rigorous data-science process.
“The financial details are not estimated or set by using subjective levers,” he said. “They are objectively based and refined per organisation, ensuring our customers can rely on our expected loss, impact, and probability values. Additionally, our solution illustrates financial impact against known cyber peril categories - including data breach, business interruption, or intellectual property theft - that can be directly associated with remediation techniques or coverage types and limit amounts within insurance policies.”
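The remediate-or-transfer rule Vescio describes (remediate where the return on investment is positive, transfer the remainder to a policy of the right type and size) can be made concrete with a small quantification model. The following Python is an added example written for this page; it is not X-Analytics or any SSIC code, and the model it uses (a lognormal loss per event fitted to a 90% confidence interval, an annual probability of an event, a Monte Carlo simulation of annual loss, and a policy limit sized at the 95th percentile) is one common approach to cyber risk quantification, not the one the article describes. The peril categories, probabilities, loss ranges, control costs and probability reductions are all constructed for illustration.

```python
"""Added example: a toy cyber-risk quantification model that applies the
remediate-or-transfer rule from the interview. Every figure is constructed."""
import math
import random
from dataclasses import dataclass

Z_90 = 1.6448536  # standard-normal quantile bounding a central 90% interval


@dataclass(frozen=True)
class Peril:
    name: str
    annual_probability: float  # chance of an event in a year (at most one assumed)
    loss_low: float            # 90% confidence interval on the loss from one event
    loss_high: float


@dataclass(frozen=True)
class Control:
    name: str
    peril: str                    # Peril.name the control acts on
    annual_cost: float
    probability_reduction: float  # fraction by which it cuts annual_probability


def lognormal_params(peril):
    """Fit a lognormal so loss_low..loss_high is its central 90% interval."""
    lo, hi = math.log(peril.loss_low), math.log(peril.loss_high)
    return (lo + hi) / 2, (hi - lo) / (2 * Z_90)


def expected_single_loss(peril):
    """Mean of the fitted lognormal: exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(peril)
    return math.exp(mu + sigma ** 2 / 2)


def expected_annual_loss(peril, probability=None):
    """Expected loss per year = P(event) * E[loss | event]."""
    p = peril.annual_probability if probability is None else probability
    return p * expected_single_loss(peril)


def control_roi(peril, control):
    """Net expected-loss reduction per unit of control cost (>0 means it pays)."""
    reduced_p = peril.annual_probability * (1 - control.probability_reduction)
    saving = expected_annual_loss(peril) - expected_annual_loss(peril, reduced_p)
    return (saving - control.annual_cost) / control.annual_cost


def simulate_annual_losses(peril, trials=50_000, seed=1):
    """Monte Carlo: one annual loss per trial, zero in years with no event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(peril)
    return [rng.lognormvariate(mu, sigma) if rng.random() < peril.annual_probability else 0.0
            for _ in range(trials)]


def policy_limit(peril, percentile=0.95, **kw):
    """Constructed sizing rule: a limit covering annual loss at the given percentile."""
    losses = sorted(simulate_annual_losses(peril, **kw))
    return losses[int(percentile * (len(losses) - 1))]


def decide(perils, controls):
    """Map each peril to ('remediate', control, roi) or ('transfer', limit)."""
    by_peril = {c.peril: c for c in controls}
    plan = {}
    for peril in perils:
        control = by_peril.get(peril.name)
        if control is not None and control_roi(peril, control) > 0:
            plan[peril.name] = ("remediate", control.name, round(control_roi(peril, control), 2))
        else:
            # No control, or one that costs more than it saves: transfer it instead.
            plan[peril.name] = ("transfer", round(policy_limit(peril)))
    return plan


# Constructed inputs (hypothetical figures, not from SSIC or the article).
PERILS = [
    Peril("data_breach", 0.15, 200_000, 5_000_000),
    Peril("business_interruption", 0.30, 50_000, 1_000_000),
    Peril("intellectual_property_theft", 0.05, 500_000, 20_000_000),
]
CONTROLS = [
    Control("patching and monitoring", "data_breach", 80_000, 0.5),
    Control("resilient infrastructure", "business_interruption", 400_000, 0.4),
    Control("data loss prevention", "intellectual_property_theft", 60_000, 0.3),
]

if __name__ == "__main__":
    for p in PERILS:
        print(f"{p.name}: expected annual loss {expected_annual_loss(p):,.0f}")
    for name, action in decide(PERILS, CONTROLS).items():
        print(name, action)
```

Running it prints the expected annual loss per peril and then the plan: the data breach and IP theft controls save more than they cost and are kept, while the business interruption control costs roughly four times what it saves, so that peril is transferred with a limit read off the simulated loss distribution. Changing a control's cost or a peril's probability moves the line between remediation and transfer, which is the "what-if" exercise the interview refers to.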