The Cyber Future Foundation held its annual Cyber Future Dialogue this week atop the largest mountain in the city of Davos, Switzerland, one of the many events during the World Economic Forum.
This year, Cyber Risk Quantification was well-represented in the conversation by FAIR Institute Fellow, and Director, Risk Science from RiskLens, Jack Freund, Ph.D, appearing on the panel on cyber risk and cyber insurance. Jack was flanked by Maya Bundt, Ph.D., from SwissRe, Allison Martin from Zurich Insurance, as well as former CRO and Australian entrepreneur Peter Deans. Watch a video of the panel discussion.
As Jack reports, the two main questions discussed in the Cyber Risk panel were whether cyber risk could be quantified and what role insurance plays in cyber risk. The opening question was whether all companies faced cyber risk concerns and how they could quantify that risk.
Jack indicated that outside of small, cash only businesses, there is an interconnectedness that all businesses share, depending on the level of digital transformation they have undergone. He then talked about the history and purpose of FAIR™ (operationalized by the RiskLens platform), bringing actuarial methods to the security industry in the form of powerful scoping and computation models.
The conversation then turned to a discussion about the use of risk profiles in communication to boards of directors. Jack discussed how too much of risk profile presentations focus on security control standards and maturity assessments. This is broken thinking and presumes we live in a world where buying more security controls necessarily means we are more secure, he argued. Such linear models of security have been debunked in favor of traditional value-at-risk loss distribution models. (Learn more in Jack's blog post for the FAIR Institute, "Win Converts to FAIR™. Quote Jack Freund's Manifesto," in the ISACA Newsletter.)
Risk computation was up next with an overview of the loss distribution approach done by FAIR. There was a review of how such approaches can be used in organizations to better understand risk-based capital (RBC) obligations (how much money to set aside for a rainy day in case there are cyber incidents). FAIR is also helpful for organizations that don’t have banking-grade regulations for simply helping executives understand what a cyber risk scenario looks like were it to materialize in their organizations.
Jack reports that there was agreement all around that such methods were helpful – but what about reputational risk? There was a thought shared by a panelist that in the face of such terrible losses, such as those resulting in reputational damage, it was futile to articulate risk.
Jack replied that reputational risk can and should be included in cyber risk quantification. This is done in order to make sure that the full weight of a cyber loss scenario is understood by an organization. This includes any customer desertion, market capitalization impact, and other lost business that comes from reputational impacts.
The last part of the conversation turned to the role of insurance. Jack made the point that insurance is a control that can be applied in response to loss expectancy, but that there is a need to pay attention to the exclusions, as not all of the economic losses covered in FAIR are reimbursable by insurance policies. Too many organizations purchase insurance without considering the cost-benefit analysis of what other investments that premium might be used for. As an example, few organizations consider the purchase of insurance alongside strategic investments in staffing and security capabilities. RiskLens users have this kind of comparative, cost-benefit analysis built in, powered by the FAIR model.
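The comparison Jack describes (insurance as a control judged against loss expectancy, with exclusions applied, and the same premium weighed against a staffing investment) can be worked through with a small FAIR-style Monte Carlo. The following is an added example, not code from RiskLens or the FAIR Institute; every scenario figure, policy term and control effect in it is a constructed assumption chosen to make the arithmetic visible.

```python
import math
import random
from statistics import mean

# Constructed inputs for one cyber loss scenario (USD). FAIR decomposes risk into
# Loss Event Frequency x Loss Magnitude; magnitude is split here into primary loss
# and secondary (reputational) loss so that a policy exclusion can be applied to it.
SCENARIO = {"events_per_year": 0.5,
            "primary_median": 400_000, "primary_sigma": 0.9,
            "reputational_median": 250_000, "reputational_sigma": 1.2}
# Two ways to spend the same budget (both hypothetical): a cyber policy that
# excludes reputational loss, or staffing that lowers loss event frequency.
POLICY = {"premium": 120_000, "deductible": 100_000, "limit": 2_000_000,
          "covers_reputational": False}
STAFFING = {"cost": 120_000, "frequency_reduction": 0.35}

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def annual_losses(scenario, years, seed, freq_scale=1.0):
    """Monte Carlo: list of (primary, reputational) losses for each simulated year."""
    rng = random.Random(seed)
    lam = scenario["events_per_year"] * freq_scale
    out = []
    for _ in range(years):
        prim = rep = 0.0
        for _ in range(poisson(rng, lam)):  # each loss event draws both magnitudes
            prim += rng.lognormvariate(math.log(scenario["primary_median"]), scenario["primary_sigma"])
            rep += rng.lognormvariate(math.log(scenario["reputational_median"]), scenario["reputational_sigma"])
        out.append((prim, rep))
    return out

def retained_after_policy(prim, rep, policy):
    """Loss the firm still bears once exclusions, the deductible and the limit apply."""
    covered = prim + (rep if policy["covers_reputational"] else 0.0)
    payout = min(max(covered - policy["deductible"], 0.0), policy["limit"])
    return prim + rep - payout

def compare(scenario=SCENARIO, policy=POLICY, staffing=STAFFING, years=20_000, seed=7):
    """Expected annual cost (mean loss plus spend) and a 95th-percentile year per option."""
    def summarize(vals, spend):
        return {"expected": mean(vals) + spend, "p95": sorted(vals)[int(0.95 * len(vals))] + spend}
    base = annual_losses(scenario, years, seed)
    fewer = annual_losses(scenario, years, seed, 1 - staffing["frequency_reduction"])
    return {"no_control": summarize([p + r for p, r in base], 0),
            "insurance": summarize([retained_after_policy(p, r, policy) for p, r in base], policy["premium"]),
            "staffing": summarize([p + r for p, r in fewer], staffing["cost"])}
```

Because the policy never reimburses the reputational component, the insured option's expected cost includes that loss in full plus the premium, which is the exclusion effect the panel warned about.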
Final remarks were made about what was needed to improve cyber risk quantification, and Jack pointed to the work of the FAIR Institute, including its worldwide chapters, over 7,500 members and the work being done to map and integrate FAIR into well-known international standards, such as NIST CSF and COSO ERM.
The panel ended with questions, and one CISO asked if FAIR could be used by security practitioners to make basic control comparisons as they had heard that it’s only for overall firm risk. Jack answered that FAIR practitioners do this kind of analysis all the time and that it's key to linking technology stacks to business stacks to make sure that the risk analyses are relevant to the organizations they serve.
Jack concludes that overall the conversation on risk quantification with FAIR helped attendees understand that tools and methodologies exist, and that many organizations in the Fortune 1000 are already using tools such as RiskLens to better understand their loss exposure and prioritize their responses.