The framework, issued in a report RSA prepared with support from Deloitte Advisory Cyber Risk Services, gives organizations a new way not only to factor cyber risk into their overall risk appetite but to define the level of cyber risk they are willing to accept in the context of their overall business strategy.
As businesses strive to improve performance, many of the fundamental moves they undertake expose them to new cyber risks. Since organizations can’t turn the clock back on globalization, outsourcing, extending their third-party networks and moving to the cloud, they will need to realign their thinking about risk. The report, entitled “Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise,” concludes that organizations need a systematic process for defining and comprehensively categorizing sources of cyber risk, a new accounting of key stakeholders and risk owners, and a new way to calculate cyber risk appetite.
First, organizations need to redefine the term “cyber risk.” The term extends beyond hacks – planned attacks on information systems. While hacks are an important part of the equation, cyber risk encompasses a wider range of events that lead to potential loss or harm related to technical infrastructure or the use of technology within an organization.
The paper provides a practical framework for inventorying and categorizing cyber risks across two dimensions of intent. Cyber risk events could be the result of deliberately malicious attacks, such as a hacker carrying out an attack with the aim of compromising sensitive information. They could also be unintentional, such as user error that makes a system temporarily unavailable. Risk events may come from sources outside the organization, such as cybercriminals or supply chain partners, or sources inside the organization such as employees or contractors.
To effectively assess their cyber risk appetite, the report recommends that organizations take a comprehensive inventory of these cyber risks, quantify their potential impact and prioritize them. Organizations need to ask the right questions, such as what losses would be catastrophic, and what information absolutely cannot fall into the wrong hands or be made public. They need to prioritize the risk according to impact, ranking mission- and business-critical systems ahead of facets like core infrastructure, the extended ecosystem (supply chain management applications and partner portals) and external public-facing points of interaction. Prioritization needs to be an ongoing process involving constant evaluation and re-evaluation.
The report concludes that an organization’s ability to quantify cyber risk and make informed decisions about its cyber risk appetite will put it in a position to succeed. Some costs can be easily quantified, including fines, legal fees, lost productivity, mitigation, remediation and incident response. Other costs can be more difficult to determine – like diminished brand equity, reduced goodwill and the loss of intellectual property. Organizations need to develop the ability to demonstrate that the investments they are making align with the risks they face.
Emily Mossburg, partner, Deloitte & Touche LLP and Deloitte Advisory Cyber Risk Services Resilient Practice Leader
“The very fundamental things that organizations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk. Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology. Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver, and then make more informed decisions.”
David Walter, RSA GM, Global GRC
“Cyber risk is a critical issue in today’s organizations, touching aspects of business risk, regulation and technology. To effectively deal with these risks, executive decision-makers need to understand their organizations’ cyber risk appetites – balancing the nature and magnitude of those risks against the benefits a strategic shift would deliver. Then they can make more informed decisions.”