RiskLens analysts helped a large financial institution first understand their loss exposure, then choose the most cost-effective control — with a payoff of an $11 million reduction in loss exposure.
All organizations have one or two high profile concerns that generate doubt and uncertainty. For one large financial organization, that concern was theft of their liquid accounts. An already established, financially based risk appetite existed within the organization, however, with their existing qualitative methods, they had no way to understand if this specific event was likely to exceed that threshold. In order to do so, the organization needed to start communicating cyber risk in financial terms. The CEO and Chairman of the Board tasked the CISO with evaluating how much risk was associated with a cyber event of that caliber occurring in the organization.
With the help of the RiskLens team, the CISO was able to identify the specific assets (investment and operating accounts) at risk as well as the most likely threat group to attempt the theft (cybercriminals). Then the CISO leveraged the RiskLens platform, which is built on the industry standard for quantifying risk, Factor Analysis of Information Risk (FAIR™), to define the scope of work, then develop workshop questions.
These structured workshop questions within RiskLens allowed the CISO and analyst team to rapidly determine what data points were necessary for the analysis, effectively reducing their workload by focusing research only on data that would ultimately support quantifying this risk. The analysts then collected the most relevant data on key risk and control factors related to how often the cyber event might occur, including historical number of malicious footholds in the organization, segmentation of the accounts at risk, the number of employees with access to those accounts, as well as the various controls in place that would reduce the probability of an attack being successful.
The second question the team needed to answer was the likely cost of an event. To do so, the organization gathered data to understand how many investment and operating accounts there were, as well as how much capital assets were held in each. Additionally, the team evaluated how much time and energy might be spent responding to the event and if any additional losses, such as reputation damage or civil or regulatory fines and judgments, were likely.
Over the course of a three-day period, the team was able to meet with the appropriate business personnel to gather the data and complete their analysis.
After running the analysis in the RiskLens platform, the CISO was able to show the CEO in financial terms, the probable effect a theft of liquid investment and operation accounts by a cyber criminal would have on the organization.
Results and Key Benefits
Using the Loss Exceedance Curve report below to explain the results of the analysis, the organization was able to clearly identify there was approximately a 5% probability of the risk associated with the event exceeding their predefined risk appetite in a given year. The Chairman and CEO instructed the CISO to evaluate what control or process improvements could be made to reduce this risk to having less than a 1% probability of exceeding the threshold in a given year. After assessing the effectiveness of the controls in place, the team quickly realized there were opportunities for control improvements to reduce both the probability of the event occurring, and the amount of loss should the event materialize.
The table below clearly illustrates the overall loss exposure for the scenario. The tabular data communicated the varying range of probable outcomes on the left and the probable loss that could materialize for the event.
Analysts then created alternate, future-state scenarios to make “what-if” adjustments to the baseline scenario to model risk in the event that the organization reduced the amount of capital assets kept in the investment and operating accounts or implemented new controls to reduce the probability of the loss event . The comparison report provided the organization with tangible data to make an informed decision on the ROI of the investment. The results ultimately showed a decrease of $11,000,000 of average Annualized Loss Exposure per year.
The RiskLens platform allowed the organization to rapidly quantify loss exposure for the theft of capital assets in the investment and operation accounts by cyber criminals. Additionally, the quantitative inputs and documented rationale for the analysis made the process transparent for any stakeholder to review and understand. More importantly, RiskLens empowered management with data to make a strategic decision on the type of control to invest in to maximize their risk reduction.