Risk managers at Advisen’s Executive Risk Insights Conference said they are struggling to quantify cyber risk.
Yvette Connor, managing director at advisory services firm Alvarez and Marsal, said the task is “not easy” and that they are “spending time thinking about how to put mathematics to it,” but risk profiles can change every day—every hour.
These comments fall firmly in line with what we have been hearing consistently from risk managers, as well as from cyber insurance underwriters. It is very difficult to assess and quantify vulnerabilities given the lack of historical data, and for a risk as fluid as cyber. Each new event reveals new threats, new attack methods, new motivations, and therefore new financial impacts for organizations.
The term cyber value-at-risk has come up recently. Is it possible to measure the potential loss on a specific portfolio of financial exposures from a cyber event—to determine a likelihood of an event and its subsequent severity on a timeline?
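To make the cyber value-at-risk idea concrete, the following is an added example (not something the panel or any of the firms named here presented). It models a year of cyber losses as a compound process: the number of loss events follows a Poisson distribution, each event's dollar loss follows a lognormal distribution, and a Monte Carlo simulation produces the annual loss distribution from which VaR and loss-exceedance probabilities are read. The event rate, median loss and dispersion below are constructed illustrative parameters, not figures from the article; in practice they are exactly the quantities that are hard to pin down without historical data.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class ScenarioParams:
    """Assumed frequency/severity inputs for one cyber loss scenario (constructed values)."""
    events_per_year: float   # Poisson rate of loss events per year
    severity_median: float   # median dollar loss per event (lognormal)
    severity_sigma: float    # log-space standard deviation of the loss per event


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Draw an event count from a Poisson(rate) using Knuth's method (fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(params: ScenarioParams, years: int, seed: int = 1) -> list[float]:
    """Simulate total loss for each of `years` simulated years (compound Poisson-lognormal)."""
    rng = random.Random(seed)          # fixed seed so results are reproducible
    mu = math.log(params.severity_median)
    annual_losses = []
    for _ in range(years):
        n_events = sample_poisson(rng, params.events_per_year)
        total = sum(rng.lognormvariate(mu, params.severity_sigma) for _ in range(n_events))
        annual_losses.append(total)
    return annual_losses


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Empirical VaR: the loss level that is not exceeded in `confidence` share of simulated years."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[max(index, 0)]


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Share of simulated years whose total loss exceeds `threshold` (e.g. a policy deductible)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def expected_annual_loss(losses: list[float]) -> float:
    """Mean simulated annual loss."""
    return sum(losses) / len(losses)


def analytic_expected_loss(params: ScenarioParams) -> float:
    """Closed form for the mean: rate * lognormal mean, used here as a sanity check on the simulation."""
    lognormal_mean = math.exp(math.log(params.severity_median) + params.severity_sigma ** 2 / 2)
    return params.events_per_year * lognormal_mean


if __name__ == "__main__":
    # Constructed scenario: two loss events a year, median $250k per event, heavy-tailed severity.
    scenario = ScenarioParams(events_per_year=2.0, severity_median=250_000, severity_sigma=1.0)
    losses = simulate_annual_losses(scenario, years=20_000)
    print(f"expected annual loss: ${expected_annual_loss(losses):,.0f} "
          f"(analytic ${analytic_expected_loss(scenario):,.0f})")
    for conf in (0.95, 0.99):
        print(f"VaR at {conf:.0%}: ${value_at_risk(losses, conf):,.0f}")
    # Probability that a year's losses exceed a $2.5M retention (constructed threshold).
    print(f"P(annual loss > $2.5M): {exceedance_probability(losses, 2_500_000):.2%}")
```

The useful output is the gap between the expected annual loss and the 95% or 99% VaR: with a heavy-tailed severity the tail figures are several times the mean, which is the number a board actually needs when sizing a retention or a policy limit. Swapping in different frequency or severity assumptions and re-running shows how sensitive the tail is to inputs that, as the panel notes, are themselves uncertain and change over time.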
Our panel would suggest this is certainly a work in progress, but an “incredible body of work is emerging,” Connor said. Still, the “gold standard” is not clear, said Jennifer Santiago, director of insurance for Novartis Corp.
In the meantime, she said, Novartis is focusing on breach response plans—running scenarios, drilling and bringing in experts to advise the company in order to mitigate losses when an event occurs.
The good news, according to Jimmy Kirtland, vice president of corporate risk management at Voya Financial (formerly ING US), is that insurance coverage is much more comprehensive and less expensive. The company’s first cyber policy in 2003 cost $3 million for $100 million of coverage, with a $25 million deductible. Today, a $50 million policy can be had for $1.3 million with a deductible of $2.5 million.
Risk managers are becoming a much more significant part of the strategic assessment surrounding cyber risk. Risk managers have an opportunity to lead the dialogue, especially with a CIO and CISO, to tell boards of possible budgetary implications, said Connor.
Interestingly, Santiago said people may decide not to serve on a board because accountability is becoming very high and, quite frankly, she said, “Sometimes you wonder if they know what they’re asking.” Information technology is its own language—one that is difficult to translate and help people understand—but this is another opportunity for a risk manager to “get in front of a board of directors and be there as a resource and enabler.”