Understanding the Cyber Loop
Following the publication of Aon’s 2021 Cyber Security Risk Report, Adam Peckman explains the importance of a circular approach to cyber resiliency
Ask 10 people from the same organization what a really bad day looks like in the world of cybersecurity, and chances are you’ll get 10 different answers.
That’s because so many businesses have yet to go through the process of assessing and quantifying the financial impact of a cyber event. Ransomware attacks or social engineering scams haven’t enjoyed the same rigorous modeling approach as more traditional enterprise risks, such as property damage, for which well-established analytical techniques have leveraged decades of claims data.
With only 7% of businesses attempting to formally put numbers on the damage cyber risk can cause, it is no wonder that the cyber insurance market is only a fraction of the size of other insurance markets, despite having losses that may well exceed $6tn.
But now, more than ever, is when companies need to dig in and understand how a cyber incident could affect their balance sheets. Claims from ransomware attacks jumped 336% from the beginning of 2019 through the end of last year, and business costs associated with ransomware are expected to reach $20bn this year, according to Aon’s 2021 Cyber Security Risk Report.
Recent media attention on attacks has elevated the need for organizations to not only put cyber defenses in place but to also better safeguard the balance sheet from potentially catastrophic financial losses.
To empower organizations to focus on the risks of today, we took a page from the military’s OODA loop — observe, orient, decide and act — to develop the Cyber Loop, a blueprint designed to help organizations make more informed decisions around cyber risk.
Like soldiers on a battlefield who don’t have perfect data but need to make decisions fast, companies can use the Cyber Loop to help guide the decisions they make with the data at hand and - most important - with a view of the risk across the entire organization and not in siloed departments.
Companies striving for digital resilience will continually cycle through the four Cyber Loop stages of assessment, quantification, insurance and incident response readiness. This circular approach acknowledges that each organization is unique and may enter the loop at any of the four points.
Ideally, businesses enter the Cyber Loop at the assessment phase, where they can establish a baseline of overall cybersecurity maturity and benchmark their potential vulnerabilities.
Then organizations move into quantification, which is about understanding the potential balance sheet exposure in the event of a cyberattack. Previously, rather than performing this analysis, companies have often relied on other imperfect and lagging indicators of their exposure, such as peer group benchmarking or management intuition. By applying a financial lens to their cyber risks, companies can help break down internal barriers between business functions - legal, security, privacy, technology and risk, for example - which may have been employing differing approaches to evaluate cyber risk across their respective silos. This more consistent and data-driven approach can help to produce a consensus view on the top risks and thus a more integrated approach to risk management across business functions.
What’s interesting is that businesses clearly understand the need to invest in technology and security capabilities to protect against the impact of a breach or disruption. But in our experience, insurance - the third part of the loop - often isn’t viewed as a complementary risk management strategy alongside cybersecurity or resilience investments. Instead, companies with constrained budgets may forgo an insurance policy entirely.
That approach is shortsighted. Cyber insurance, when designed through a quantitative risk-based approach in partnership with a company’s chief information security officer (CISO), can augment existing cybersecurity capabilities and help improve overall resilience to cyberattack, operationally and financially.
Fundamentally, the insurance program can help protect the balance sheet against potentially catastrophic losses. If left uninsured, these material losses may otherwise jeopardize the financial resilience of the company and could significantly erode shareholder value.
In addition to indemnifying a loss, the risk financing and insurance strategy can also operate as a strategic risk management tool for the CISO. It can provide access to an array of security, technology and legal capabilities, unlocking competitive pricing through the trading power of the insurance market and operating as a potential bursary mechanism for improvements to security operations and incident response capabilities.
When organizations apply the Cyber Loop in a proactive manner, the final part of the loop - incident response readiness - looks very different from companies scrambling to contain fallout. Proactive organizations are conducting red team and stress test exercises to ensure they've practiced how they would respond to an attack. Companies that enter the loop only after an attack occurs must often reactively hire incident response consultants, computer forensic specialists, public relations experts and lawyers.
Budgets may be constrained, and the cyber insurance market is hardening. But if you do nothing else, consider approaching risk using the Cyber Loop methodology to help address cyber risk on a proactive, rather than reactive, basis. It could be the difference between a minor disruption and one that has the potential to cripple your balance sheet.