How do you think about and calculate cyber risk exposure?

Last updated: Jun 26, 2024


In today’s interconnected world, businesses must face up to the ever-increasing threat posed by cyber-attacks. According to Gallagher’s recent Cyber Market Update for Q1 2024, 2023 saw a sharp rise in cyber-related claims, with ransomware remaining the ever-present scourge for businesses and insurers alike.

Similarly, according to IBM, the average cost of a data breach reached a record high of $4.45m USD in 2023, with associated costs relating to incident response, business interruption and other legal/contractual liabilities remaining significant for businesses across all industry verticals.

As organisations become more reliant on their digital infrastructure, and the vast interdependencies they face across different technologies, platforms and suppliers, understanding and calculating cyber risk exposure has become crucial for effective cyber risk management.

From understanding your exposure, to transferring your risk

Understanding your organisation’s exposure to cyber risk sounds simple: what are my vulnerabilities and what potential threats does my business face? But it’s much more complicated in practice.

The IT organisation has to identify critical business operations and the systems or assets that support them, estimate how long each would be down in the event of an incident, assess the likelihood of an attack, and then estimate the potential impact.

A Business Impact Analysis (BIA) is the first step in building out an enterprise-wide understanding of potential disruption during a breach and financial impacts due to a loss of operations. This activity is crucial in mapping dependencies across your organisation and understanding where impacts can aggregate.

The likelihood of an attack is the next step in calculating exposure and this is primarily driven by threat intelligence, your specific industry and the territories in which you operate.

Quantifying cyber risk exposure provides effective decision support when an organisation is considering how much risk it is comfortable holding ‘on its balance sheet’ and how much to transfer into the insurance market. Insurance can help mitigate the financial impact of a breach, so that organisations can better protect their financial stability, focus on recovery efforts, and draw on often best-in-class response services.

Surviving business interruption and breach costs

The cost of a major breach usually includes incident response support, direct business interruption losses, digital forensics, legal fees, customer notification, and public relations costs. If an organisation decides to pay a ransom, this must also be factored into the cost of the breach overall. Additionally, there may be regulatory fines and penalties, as well as potential lawsuits from affected parties.

This leads businesses to see risk transfer as an option to mitigate the future financial impact of a breach, because ultimately it is not a question of if a business will be the victim of a breach, but when.

A significant unknown cost of a breach is downtime, i.e. business interruption, which can run into the tens of millions for global enterprises; the value of the loss depends largely on the type of business, systems and services involved.

For example, a food manufacturer with several large factories and poor IT/OT segmentation might suffer a breach that leaves multiple processing facilities unable to produce consumer goods. If the business holds a large amount of finished stock that would fulfil many of its orders during the period of downtime, the business interruption losses could be quite low. However, if it has built a business model that fulfils orders as they come in, it could suffer significant losses, including penalties under its Service Level Agreements with customers.

Business interruption losses therefore result from the disruption of normal operations, leading to lost revenue, productivity, and customer trust.
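The steps outlined above (a BIA that maps operations to the systems they depend on, estimated downtime, likelihood, and impact) and the stock-buffer effect in the food manufacturer example can be put into a small model. The following is an added illustration, not code from the article or from Gallagher; every operation, system name, revenue figure, likelihood and cost below is a constructed placeholder, and the model is deliberately simple (fixed downtime per scenario, a single annual probability per scenario, no correlation between scenarios).

```python
"""Illustrative cyber risk exposure model (added example, not from the article).

Constructed figures only. Expected annual loss = sum over scenarios of
(annual likelihood x impact), where impact = fixed breach costs + business
interruption across every operation that depends on a system taken down.
"""
from dataclasses import dataclass


@dataclass
class Operation:
    name: str
    daily_revenue: float        # revenue lost per uncovered day of outage
    depends_on: set             # systems this operation cannot run without
    stock_cover_days: float = 0.0   # finished stock that keeps fulfilling orders
    sla_penalty_per_day: float = 0.0  # contractual penalties per day of missed orders


@dataclass
class Scenario:
    name: str
    systems_down: set
    downtime_days: float
    annual_likelihood: float    # probability the scenario occurs in a year
    fixed_costs: float = 0.0    # IR, forensics, legal, notification, PR


# Constructed BIA for a hypothetical food manufacturer: three sites plus an
# online channel, all sharing one ERP system (poor segmentation).
OPERATIONS = [
    Operation("factory_a", 200_000.0, {"erp", "ot_site_a"}, stock_cover_days=7),
    Operation("factory_b", 150_000.0, {"erp", "ot_site_b"}, sla_penalty_per_day=20_000.0),
    Operation("factory_c", 100_000.0, {"erp", "ot_site_c"}, stock_cover_days=14),
    Operation("online_orders", 50_000.0, {"erp", "web"}),
]

# Constructed scenarios with placeholder likelihoods.
SCENARIOS = [
    Scenario("ransomware on shared ERP", {"erp"}, 10, 0.05, fixed_costs=1_500_000.0),
    Scenario("OT compromise at site B", {"ot_site_b"}, 5, 0.10, fixed_costs=300_000.0),
]


def affected_operations(ops, systems_down):
    """Every operation that depends on at least one of the systems taken down."""
    return [op for op in ops if op.depends_on & systems_down]


def bi_loss(op, downtime_days):
    """Business interruption loss: stock already produced covers the first days."""
    uncovered_days = max(0.0, downtime_days - op.stock_cover_days)
    return uncovered_days * (op.daily_revenue + op.sla_penalty_per_day)


def scenario_impact(ops, scenario):
    """Total cost of one scenario: fixed breach costs plus aggregated BI losses."""
    bi = sum(bi_loss(op, scenario.downtime_days)
             for op in affected_operations(ops, scenario.systems_down))
    return scenario.fixed_costs + bi


def expected_annual_loss(ops, scenarios):
    """Exposure as expected annual loss across independent scenarios."""
    return sum(sc.annual_likelihood * scenario_impact(ops, sc) for sc in scenarios)


def revenue_at_risk_by_system(ops):
    """Where impacts aggregate: daily revenue that stops if each system fails."""
    at_risk = {}
    for op in ops:
        for system in op.depends_on:
            at_risk[system] = at_risk.get(system, 0.0) + op.daily_revenue
    return at_risk


if __name__ == "__main__":
    for sc in SCENARIOS:
        print(f"{sc.name}: impact {scenario_impact(OPERATIONS, sc):,.0f}")
    print(f"expected annual loss: {expected_annual_loss(OPERATIONS, SCENARIOS):,.0f}")
    for system, rev in sorted(revenue_at_risk_by_system(OPERATIONS).items(),
                              key=lambda kv: -kv[1]):
        print(f"  {system}: {rev:,.0f} per day at risk")
```

With these constructed figures the shared ERP outage is the dominant scenario: factory C's two weeks of stock absorb the whole outage, factory A loses only three uncovered days, while make-to-order factory B loses ten days of revenue plus SLA penalties. The per-system view shows why the BIA matters: the ERP carries the daily revenue of every operation, which is the aggregation point a segmentation or recovery-time investment would target.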

Recovering from a cyber breach often requires the assistance of third-party services, such as breach counsel, forensic experts, and sometimes ransomware negotiators. These professionals help organisations investigate the breach, identify the extent of the damage, and develop a comprehensive recovery plan.

The costs associated with these services can be significant, but they are essential for minimising the impact of the breach and restoring normal operations. Organisations must consider these recovery costs when calculating their cyber risk exposure and budgeting for potential incidents.

Minimising cyber risk exposure

While it is impossible to eliminate all cyber risks, organisations can take proactive measures to mitigate their exposure. Implementing robust cyber security measures, such as firewalls, encryption, and multi-factor authentication, can significantly reduce the likelihood of a successful attack.

Regular employee training and awareness programs also play a crucial role in minimising human error, which is often exploited by cybercriminals.

In conclusion, understanding and calculating cyber risk exposure is vital for organisations to effectively manage the potential financial and reputational losses associated with cyber threats.

By comprehensively assessing their exposure, organisations can make informed decisions regarding risk transfer, implement appropriate cyber security measures, and budget for potential recovery costs.

Mitigating cyber risk exposure requires a proactive approach that involves continuous monitoring, employee training, and the establishment of robust incident response plans. By prioritising cyber risk management, organisations can safeguard their operations, data, and customer trust in an increasingly digital world.
