The Institute of Risk Management (IRM) is set to publish a cyber risk quantification framework to help risk managers better assess their organisation’s cyber exposures.
The IRM Cyber Risk Quantification Framework was thrashed out at the organisation’s Cyber & Information Management Special Interest Group meeting last week. It should be ready by early summer, Phillip Hodgins of KPMG and chair of the special interest group told CRE. The quantification framework follows the publication of the IRM’s cyber best practices guidance issued in February 2014.
The forthcoming IRM framework will build on recent work by the World Economic Forum (WEF) on cyber resilience, explained Mr Hodgins. WEF published the Towards the Quantification of Cyber Threats report at its recent annual gathering in Davos. It was the culmination of work by WEF members to begin developing a common approach to cyber risk quantification.
The report, which does not envisage a one-size-fits-all approach to quantifying risk, proposes the adoption of a cyber value-at-risk concept and identifies key components for modelling cyber risk and quantifying known vulnerabilities.
According to the report, there are three key components risk managers should consider when calculating cyber value-at-risk: the existing vulnerabilities and defence maturity of an organisation, the value of its assets, and the profile of the attacker.
At last week’s special interest group meeting, IRM members began to look at how key risk quantification components set out in the WEF report can be applied to corporate enterprise risk management (ERM) frameworks.
According to the WEF report, cyber risk is increasingly viewed as a key component of ERM frameworks. However, there are currently no recognised cyber risk management frameworks available, said Mr Hodgins.
“Therefore we are currently working to develop a risk management framework that should help risk managers ensure that organisations do not miss any of the key components for cyber risk quantification. By using a common framework, we hope to pave the way for the greater exchange of [anonymised] operational risk data between organisations, which should lead to further fine tuning and even more accurate modelling of the risk in the future,” he said.
The IRM framework could be used by risk managers to inform their ERM methodology and highlight their cyber exposures, according to Mr Hodgins.
“Most companies do not have specific components to quantify cyber risk, but the framework will help risk managers build out and apply cyber risk components to their own ERM framework. It should also enable them to put a value on the exposure, such as benchmarking against a maturity scale, or in terms of financial or reputational impact,” he explained.
Cyber risk management is in its relative infancy and quantification of the risk has become a priority as board interest in the threat rises, said Mr Hodgins. “Corporations are coming under increasing pressure to tackle cyber risk and some more mature organisations are beginning to quantify the risk,” he said.
Many believe proposed new EU-wide information security and data privacy laws, which could be passed as early as next year, will continue to raise boardroom interest in cyber risk among European companies. The high-profile departure of US retailer Target’s CEO Gregg Steinhafel following a major data breach has helped to focus minds at board level.
According to Mr Hodgins, it is important to understand the characteristics of cyber risk.
“There are many moving parts with cyber risk that make it challenging to quantify, such as the fast pace of technological change, the enthusiasm of businesses to adopt new technologies to drive growth and the speed and agility of malicious parties to find new vulnerabilities in those technologies,” he said.
“At the point of quantification, you could say that the risk has already moved on and therefore a dynamic risk management approach is necessary,” he added.
According to the WEF report, organisations must first quantify cyber risk before investing in risk mitigation or risk transfer solutions. The organisation also believes that uncertainty around cyber risk and the spectre of potential threats is restricting economic development and hindering the development of commercial and public initiatives.
The WEF report also concludes that effective cyber resilience requires a concerted effort to develop a shared, standardised cyber threat quantification framework. Such a move is also seen as a prerequisite for risk transfer solutions.
“A shared approach to modelling would increase confidence regarding organisational decisions to invest (for risk reduction), distribute, offload and/or retain cyber threat risks. Implicit is the notion that standardising and quantifying such measures is a prerequisite for the desirable development and smooth operation of cyber risk transfer markets,” WEF said in its report.
Mr Hodgins commented: “We want to help illustrate that understanding cyber risk is not beyond the abilities of risk professionals. Effective cyber risk management should allow organisations to feel free to maximise business opportunities and build trust and market confidence by limiting the financial and reputational impact of malicious technology incidents.”