Cybersecurity is increasingly a board-level concern, so sometime soon, as a CISO or CIRO, you’re likely to be presenting on cyber risk to your board of directors. As a RiskLens customer and user of the FAIR™ model for cyber risk quantification, you are able to portray cyber risk to the board in financial terms – and that’s good, since the typical board member doesn’t have a technical background but does know financial reporting.
However, you are likely to get the question, “Where do the numbers come from?” That’s your opening to briefly describe the RiskLens platform and the FAIR process. But to truly impress, do it in terms that line up with board member concerns.
Let’s craft a 3-minute presentation that responds to four key director duties.
- Oversight of management performance on cyber risk
- Oversight of management performance on adapting to business model disruption or digital transformation
- Protecting shareholder value
- Protecting themselves against shareholder lawsuits or regulatory actions that hold board members liable for data breaches or other cyber loss events
First, the set-up:
“To answer your question, the numbers come from our own subject matter experts, complemented with industry-wide data, and the reporting is generated by the RiskLens platform. The platform guides us through entering the data for analysis with FAIR, the industry standard for cyber risk quantification, then runs the numbers through a Monte Carlo engine, like the ones used to make financial projections, to generate a range of probable loss exposure in dollar terms. As a result, we can answer your questions about the value and financial impact of our cybersecurity program in terms you understand.”
1. Cyber Risk Oversight Benefits
“With the RiskLens platform, we can generate reporting that shows our CEO and CFO if cybersecurity investments are being effectively and efficiently deployed when dollars are scarce, maximizing risk reduction for every dollar spent. RiskLens gives us a view of our cyber loss exposure that’s organization-wide or tightly focused on specific scenarios of concern. And the quantitative output of RiskLens analysis means we can integrate cyber risk management with the rest of enterprise risk management.”
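To make the set-up’s “Monte Carlo engine” and the point-1 “risk reduction for every dollar spent” concrete, here is an added, stripped-down FAIR-style simulation. It is illustrative code written for this post, not RiskLens software; it assumes triangular distributions for the calibrated minimum / most-likely / maximum estimates (FAIR tools typically fit PERT curves) and a Poisson event count, and the ransomware scenario figures are constructed.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated SME estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

def poisson(rng, rate):
    """Loss events in one simulated year (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(lef, magnitude, trials=10_000, seed=1):
    """Annualized loss per trial: draw an event rate, draw how many events occur,
    sum a per-event loss for each. Triangular curves stand in for FAIR's PERT fits."""
    rng = random.Random(seed)  # fixed seed keeps the board numbers reproducible
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef.low, lef.high, lef.likely)
        year_loss = 0.0
        for _ in range(poisson(rng, rate)):
            year_loss += rng.triangular(magnitude.low, magnitude.high, magnitude.likely)
        losses.append(year_loss)
    return losses

def percentiles(losses, points=(0.10, 0.50, 0.90)):
    """Range to report: 10th / 50th / 90th percentile of simulated annual loss."""
    ordered, n = sorted(losses), len(losses)
    return {p: ordered[min(n - 1, int(p * n))] for p in points}

def reduction_per_dollar(baseline, with_control, control_cost):
    """Expected annual loss avoided per dollar of control spend."""
    avoided = sum(baseline) / len(baseline) - sum(with_control) / len(with_control)
    return avoided / control_cost

if __name__ == "__main__":
    # Constructed scenario: ransomware on a crown-jewel file server; a control cuts frequency
    magnitude = Estimate(50_000, 400_000, 3_000_000)              # dollars per event
    baseline = simulate_ale(Estimate(0.1, 0.5, 2.0), magnitude)   # events per year
    hardened = simulate_ale(Estimate(0.05, 0.2, 0.8), magnitude)  # after the control
    print({p: f"${v:,.0f}" for p, v in percentiles(baseline).items()})
    print(f"{reduction_per_dollar(baseline, hardened, 250_000):.2f} avoided per dollar spent")
```

The 10th/50th/90th percentile range is the “probable loss exposure in dollar terms” a board deck would show; comparing two runs that differ only in the control turns that into a cost-effectiveness figure.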
2. Digital Disruption Benefits
“Thanks to the ease and speed of the RiskLens platform, we have been able to embed risk management into our digital initiative planning. So, as we move forward on investments to break into new markets or digital services, or change our own processes to better compete with challengers, we can run risk assessments to make sure that we aren’t setting ourselves up for surprise losses and have all the available information to aid decision making.”
3. Shareholder Value Benefits
“I know you are also concerned about a damaging cyber event leading to loss of reputation affecting market share or stock market value. With FAIR analysis we are able to identify our crown jewel assets, analyze the probable loss scenarios against them, and identify the most cost-effective defensive controls, giving ourselves the best chance of avoiding large-scale, reputation-damaging loss.”
4. Lawsuit or Regulatory Action Benefits
“You’re also concerned about falling afoul of lawsuits and regulatory compliance. For board members, the best defense against suits or regulatory actions is to demonstrate that they were not negligent in their oversight of cybersecurity – or in the case of Securities and Exchange Commission (SEC) regulation to proactively disclose material cyber loss exposure in financial terms. RiskLens reporting makes a perfect paper trail demonstrating that the board went above and beyond in meeting its fiduciary responsibilities.”