Regulations such as the EU's General Data Protection Regulation (GDPR) and the NYDFS Cybersecurity Requirements represent efforts to ensure that organizations are taking the right steps to protect sensitive data. While the depth and breadth of these requirements may differ, their primary message is the same - protect your sensitive customer data, or pay a significant price.
As a result, we have seen a heightened interest from our customers in risk quantification to determine which investments will help meet these new regulatory requirements, while also maximizing risk reduction for the organization.
A global financial company used RiskLens and FAIR to answer this very question. One specific decision this organization faced was how to protect its customer data at rest via a “reasonable” form of encryption that met the legal requirements. Could management get by with implementing drive encryption, or should they invest in file encryption where this sensitive data is stored?
The organization’s conventional approach to risk rankings could not support executive management’s decision. In order to answer these questions, the organization needed to start communicating risk using the terms best understood by business stakeholders: dollars and cents.
We began by focusing our analysis on the amount of risk associated with a breach of a single database housing approximately 40K records of customer PII data, which was currently unencrypted. The analysis collected data through structured workshop questions on key risk and control factors including historical number of breach attempts, existence of monitoring tools such as database access monitoring and DLP, number of PII records to potentially be impacted, and resources required to respond to data breaches. The analysis also leveraged RiskLens industry loss tables to estimate the potential effect a data breach would have on customers and regulators, and adjusted these figures to account for additional fines imposed from GDPR and the NYDFS regulations, using data distributions.
Using the RiskLens cyber risk quantification application, we determined the current loss exposure, in dollars and cents, of a breach of customer data including the potential cost of fines imposed by GDPR and NYDFS. Additionally, we determined the amount of risk reduction, in dollars and cents, if either drive encryption or file encryption was implemented. The results were telling – one type of investment clearly outweighed the other in terms of risk reduction.
The RiskLens platform allowed the organization to rapidly quantify the loss exposure of a data breach in the event that their PII data was unencrypted. As a result, executive management was empowered by data to make a decision on the type of encryption to invest in that not only allowed them to meet GDPR and NYDFS regulatory requirements, but significantly reduce the amount of risk the organization faced related to protection of customer data. To learn more about how this organization helped quantify its risk reduction, read the full case study.