Quantifying Cyber Risk: Pipedream or Possible?
As published in Risk & Compliance Journal for The Wall Street Journal
By integrating data into risk assessment models, organizations can create a common vernacular to empower leaders and teams to devise risk-intelligent responses to cyberthreats.
For financial services organizations, cybersecurity is about more than meeting regulatory mandates. Ultimately, it’s about trust, including trust that boards, executives, and organizations recognize their fiduciary responsibilities to customers—and take those duties seriously.
Yet, when it comes to identifying cyber risks and efficiently allocating resources toward mitigating them, the industry continues to struggle. Certainly, many financial services organizations have taken steps to identify the risk scenarios most likely to affect them and have modeled the financial impacts of those scenarios coming to pass.
But are the numbers accurate? Can they be relied upon when making significant cybersecurity investment decisions? And what about the scenarios they can’t predict? Threat actors are ingeniously creative, sometimes breaching systems using one method while simultaneously introducing another novel attack vector.
Although there is no silver bullet, advances are being made in planning for this type of variability. Cyber Risk Quantification (CRQ) is an evolving approach designed to help organizations proactively assess hidden risks. It applies quantitative models to estimate the range of probabilities of potential security events and their impacts, so that leaders can calculate key financial risk metrics such as value at risk or expected loss. The concept is to apply a well-designed but dynamic model to specific scenarios so that cyber risk teams can estimate impacts and loss probabilities, derive a loss distribution, and calculate dollar loss metrics.
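As an added illustration (not code from the article or from Deloitte), the following Python sketch implements the loop the paragraph describes: per-scenario frequency and loss-magnitude assumptions feed a Monte Carlo simulation, which yields an annual loss distribution from which expected loss, value at risk, and a loss exceedance probability are read off. The scenario names and every parameter value are constructed for illustration, and the choice of a Poisson event frequency with a lognormal single-event loss is this example's assumption, not a model the article prescribes.

```python
"""Monte Carlo cyber loss quantification sketch (added example, stdlib only)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario. Frequency is a Poisson rate (events per year);
    single-event loss is lognormal with the given median and log-sigma."""
    name: str
    annual_frequency: float
    median_loss: float
    sigma: float


# Constructed, hypothetical scenarios and parameters for illustration only.
SCENARIOS = [
    Scenario("ransomware outage", annual_frequency=0.3, median_loss=1_500_000, sigma=1.0),
    Scenario("phishing-led payment fraud", annual_frequency=2.0, median_loss=50_000, sigma=0.8),
    Scenario("third-party data breach", annual_frequency=0.1, median_loss=4_000_000, sigma=1.2),
]


def sample_event_count(rng, rate):
    """Draw a Poisson(rate) count using Knuth's multiplication method."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, years=20_000, seed=7):
    """Simulate `years` independent years; each year sums the losses of all
    events across all scenarios. Returns the list of simulated annual totals."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(sample_event_count(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        losses.append(total)
    return losses


def expected_loss(losses):
    """Mean of the simulated annual loss distribution."""
    return sum(losses) / len(losses)


def analytic_expected_loss(scenarios):
    """Closed-form mean of a compound Poisson/lognormal model, used as a
    sanity check on the simulation: sum of rate * mean single-event loss."""
    return sum(s.annual_frequency * s.median_loss * math.exp(s.sigma ** 2 / 2)
               for s in scenarios)


def value_at_risk(losses, confidence):
    """Annual loss not exceeded in `confidence` fraction of simulated years
    (the empirical quantile of the loss distribution)."""
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(index, 0)]


def loss_exceedance(losses, threshold):
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def summarize(scenarios, years=20_000, seed=7):
    """Run the simulation and return the dollar metrics a risk team would report."""
    losses = simulate_annual_losses(scenarios, years, seed)
    return {
        "expected_annual_loss": expected_loss(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "p_loss_over_10m": loss_exceedance(losses, 10_000_000),
    }


if __name__ == "__main__":
    for metric, value in summarize(SCENARIOS).items():
        print(f"{metric:>22}: {value:,.2f}")
```

The closed-form `analytic_expected_loss` is there for verification: if the simulated mean drifts far from it, the sampler or the parameters are wrong, and that check is worth keeping in any real model before its output is used to argue for a control investment.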
Cyber risk quantification is nascent but needed in today’s rapidly evolving cyber environment. However, the approach is not quite ready to stand on its own.
A New Model for Cyber Risk
Taking a quantitative financial approach to cybersecurity risk management is a compelling idea. Applying hard numbers to risk scoring could help chief information security officers (CISOs) and chief risk officers (CROs) strengthen their business cases and bolster risk management, both on a day-to-day basis and in preparation for a potential future breach. It’s also a capability that may ultimately play a central role in the world of cyber measurement.
Yet, in the interim, financial services organizations still need a consistent framework to determine emerging risks and prioritize investments accordingly. Static governance and budgeting that rely on annual or semiannual program assessments are becoming antiquated because these processes do not adequately acknowledge the dynamic nature of cyberthreats and the introduction of novel risks from rapid transformation in business IT environments.
One of the main challenges is that the cyber landscape changes often and quickly. Just as soon as companies identify their critical assets, risks, and mitigating controls, the targets shift—the risk envelope widens, the regulatory environment evolves, and new maturity gaps appear.
Just as challenging is the fact that cyber events often unfold in unpredictable ways. For every above-the-surface cost organizations can identify in advance, there are myriad “below the surface” impacts that are hidden from view. Identifying these constantly shifting and often invisible variables is where current quantification approaches can help.
Diving deeper, CRQ has similarities to sports analytics, which involve using data and statistical models to augment intuition and experience when developing a game strategy. Sports have specific, well-known measures, and when combined with quantitative analysis, there is an opportunity to bring another perspective.
CRQ works in much the same way. A complementary practice is to review the controls already in place, assess which are—and are not—effective, and identify control gaps. When that review is augmented with CRQ, a new dimension emerges to guide cyber investment decisions.
From there, CISOs, CROs, and their teams can start to layer in additional context. For instance, while organizations may not be able to financially quantify the likelihood of black swan events, CRQ can provide unprecedented visibility into their potential impacts. This can help organizations pinpoint which risks may be relatively more likely than others, and which might generate high impacts even if they are less likely to occur.
Such insight often empowers leaders to choose how to respond. By integrating this data into risk assessment models, the CISOs and CROs can create a common vernacular across their organizations’ three lines of defense. With a consistent language and framework, senior executives and the board will be better able to devise risk-intelligent responses—whether that means bolstering controls, allocating additional resources, or mitigating through a cyber insurance policy.
The result is deceptively simple: By ensuring everyone agrees on the organization’s highest relative risks, it becomes easier to gain consensus on which controls are most relevant, which gaps must be closed, and which investments are critical. By shining a light into previously shadowed corners, CRQ gives financial services organizations a decision-making rubric—empowering them to steer investment decisions and inform budget spend more effectively.
—by Nick Seaver, partner and global Cyber Financial Services industry leader, Deloitte UK; Mark Nicholson, principal and U.S. Cyber Financial Services industry leader, John Gelinne, managing director, Cyber Risk Service, and Daniel Soo, principal, Cyber Risk Services, all with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP.
Copyright © 2021 Deloitte Development LLC. All rights reserved.