However, you are likely to get the question, “Where do the numbers come from?” That’s your opening to briefly describe the RiskLens platform and the FAIR process. But to truly impress, do it in terms that line up with board member concerns.
Let’s craft a 3-minute presentation that responds to four key director duties.
First, the set-up:
“To answer your question, the numbers come from our own subject matter experts complemented with industry-wide data, and the reporting is generated by the RiskLens platform. The platform guides us through entering the data for analysis with FAIR, the industry standard for cyber risk quantification, then the platform runs the numbers through a Monte Carlo engine, like the ones used to make financial projections, to generate a range of probable loss exposure in dollar terms. As a result, we can answer, in terms you understand, your questions about the value and financial impact of our cybersecurity program.”
1. Cyber Risk Oversight Benefits
“With the RiskLens platform, we can generate reporting that shows our CEO and CFO if cybersecurity investments are being effectively and efficiently deployed when dollars are scarce, maximizing risk reduction for every dollar spent. RiskLens gives us a view of our cyber loss exposure that’s organization-wide or tightly focused on specific scenarios of concern. And the quantitative output of RiskLens analysis means we can integrate cyber risk management with the rest of enterprise risk management.”
2. Digital Disruption Benefits
“Thanks to the ease and speed of the RiskLens platform, we have been able to embed risk management into our digital initiative planning so, as we move forward on investments to break into new markets or digital services, or change our own processes to better compete with challengers, we can run risk assessments to make sure that we aren’t setting ourselves up for surprise losses and have all available information to aid in decision making.”
3. Shareholder Value Benefits
“I know you are also concerned about a damaging cyber event leading to loss of reputation affecting market share or stock market value. With FAIR analysis we are able to identify our crown jewel assets, analyze the probable loss scenarios against them, and identify the most cost-effective defensive controls, giving ourselves the best chance of avoiding large-scale, reputation-damaging loss.”
4. Lawsuit or Regulatory Action Benefits
“You’re also concerned about falling afoul of lawsuits and regulatory compliance. For board members, the best defense against suits or regulatory actions is to demonstrate that they were not negligent in their oversight of cybersecurity – or, in the case of Securities and Exchange Commission (SEC) regulation, to proactively disclose material cyber loss exposure in financial terms. RiskLens reporting makes a perfect paper trail demonstrating that the board went above and beyond in meeting its fiduciary responsibilities.”