This article was originally published by Risk.net on July 4, 2016
How can you put a figure on cyber risk? Too many businesses struggle to translate what, on the face of it, is an IT problem into a measure of financial risk that can be understood by non-technical executives.
Some 15 years ago, the co-founder of RiskLens, Jack Jones, was asked by his then-employer, US-based Nationwide Insurance, to quantify the cyber risk the company faced, and how much this risk would be reduced as a result of the multi-million dollar investment in cyber security technology that he was advocating.
He realised that his answers – "lots" and "some" – were woefully inadequate. "He thought, these are reasonable questions; we should be able to quantify cyber risk exposure," says Nick Sanna, chief executive of RiskLens, the US software company that grew out of that awkward board meeting.
The first step was to develop a model that could be applied consistently to cyber risk. "It seems obvious that people should be using the same measuring stick... but previously, people weren't speaking the same language," Sanna says.
The solution was found in factor analysis of information risk (FAIR), an international standard value-at-risk model for cyber security and operational risk, which allows for the understanding, analysis and quantification of information risk in financial terms.
The second step was to encourage business heads to put dollar numbers on the estimated impacts of cyber security breaches – for example, the cost of business interruption, reputational damage, or the legal costs associated with theft of customer information.
"The number one objection was 'I don't have enough data to give you'," says Sanna. The simple answer was to ask for ranges, which are then used to provide single or aggregate loss exposure reports.
To arrive at an enterprise-wide loss exposure, the RiskLens platform combines information on a company's current state of cyber security with these figures for the estimated impact of a cyber security breach. "What the system allows is for business people to get involved in the cyber security process," says Sanna.
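How a FAIR-style analysis turns the ranges Sanna describes into a loss exposure figure, as an added illustration rather than RiskLens's software or a reference implementation of the FAIR standard: loss event frequency and per-event loss magnitude are each given as a (minimum, most likely, maximum) range, sampled with an assumed triangular distribution, and the simulated years are summarised as an annualised loss expectancy and a 95th-percentile figure; the scenario values are constructed.

```python
import math
import random
from statistics import mean

def _poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def _pick(rng, bounds):
    """Draw from a (min, most likely, max) range; assumed triangular shape."""
    low, mode, high = bounds
    return low if low == high else rng.triangular(low, high, mode)

def simulate_loss_exposure(lef_range, lm_range, iterations=10000, seed=0):
    """Per-year losses for one scenario.
    lef_range: loss events per year; lm_range: money lost per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = _poisson(rng, _pick(rng, lef_range))
        losses.append(sum(_pick(rng, lm_range) for _ in range(events)))
    return losses

def aggregate_exposure(*scenario_losses):
    """Aggregate report: add the scenarios' losses year by year."""
    return [sum(year) for year in zip(*scenario_losses)]

def percentile(values, pct):
    ordered = sorted(values)
    return ordered[round(pct / 100 * (len(ordered) - 1))]

def exposure_report(losses):
    return {
        "annualized_loss_expectancy": mean(losses),
        "median": percentile(losses, 50),
        "var_95": percentile(losses, 95),   # the 'bad year' figure
        "worst_case": max(losses),
    }

if __name__ == "__main__":
    # Constructed scenario: theft of customer data, 0.1-2 events/year,
    # $50k-$5m per event, most likely $400k.
    theft = simulate_loss_exposure((0.1, 0.5, 2.0), (50_000, 400_000, 5_000_000))
    # Constructed scenario: business interruption from an outage.
    outage = simulate_loss_exposure((0.5, 1.0, 3.0), (10_000, 80_000, 600_000))
    for name, losses in [("theft", theft), ("outage", outage),
                         ("aggregate", aggregate_exposure(theft, outage))]:
        print(name, {k: round(v) for k, v in exposure_report(losses).items()})
```

Widening an input range widens the output distribution rather than blocking the analysis, which is why ranges rather than point estimates answer the "not enough data" objection.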
Software as a service
While Jones initially built a consulting business applying the FAIR VaR model, RiskLens subsequently developed a software-as-a-service offering, launched at the end of 2014. Clients use the system for regular reporting and decision-making regarding cyber security spend. It can also be used to calculate the amount of cyber insurance cover it might be necessary to purchase – and even by insurers, in calculating how to price that cover.
One insurance client says the product "has been key for moving from subjective assessments of risk to a data-driven approach to the underwriting of cyber insurance".
RiskLens is now looking beyond cyber risk. "We've been getting a lot of enquiries to expand our solution into operational risk," says Sanna, such as risks around physical security, weather impacts – and even opening a new subsidiary. "There's no standard model to quantify operational risk – the FAIR model is agnostic and is very well applicable to operational risk exposures."