The near-ubiquitous digital enablement implied by the estimates of connected devices by 2020, and the losses it spawns, create an imperative for organisations to manage their cyber exposure and to articulate the effectiveness of that management to the capital markets. Organisations that fail to do so are likely to face the exogenous shock of investors adding 50, 100 or 200 basis points to their cost of capital. That increase is the price of lacking evidence of effective cyber defence capabilities and effective management of cyber risk across the portfolio as a means of protecting the investment in the organisation. To avoid it, we will have to provide the cyber evidence, quantify the exposure and the shape of the response, and manage this new component of the investment profile accordingly.
Given the lag in the system, this probably means that organisations have until the end of 2018 to establish these capabilities and then execute them, so that they can demonstrate a track record of effectiveness in managing cyber exposure and articulate the rigour of their systems when the capital markets lay down the challenge.
In the real world, embarking on this journey means taking the first small steps and answering the killer questions:
- To the CEO: how can you be sure you have done enough of the right things to satisfy shareholder, analyst and regulatory expectations should things go south? How do you decide the most sensible balance of capital deployment to meet the cyber exposure?
- To the CFO: for every other risk you first quantify it and then determine the capital responses that balance mitigation, retention (and funding) or transfer. How do you do that for cyber? Further, if you are at the analyst meeting and the CEO invites you to answer the question "What is your residual exposure now that you have spent all this cyber money?", how will you persuade the analyst that you know the answer?
- To the CRO: how do you manage cyber risk within the Enterprise Risk Framework, and how do you demonstrate to the CFO and the Board that the measures taken are effective in reducing the residual cyber exposure?
- To the non-executives: you own the risk. How do you establish the surety and confidence that your cyber exposure is being well managed by the Executive?
Organisations will face the cost-of-capital imperative to manage cyber as part of their enterprise risk management framework. By establishing these capabilities, an organisation can be confident that it will be able to answer these killer questions and differentiate itself in a world where "Good Cyber is Good Business".
The core issue here is the ability to normalise the management of cyber risk in terms of the well-established disciplines of Enterprise Risk Management, and that means being able to quantify cyber exposure. If you cannot do that, you need to get support quickly in order to build the in-house capability that will be necessary to avoid the existential threat of a cost of capital that tracks the effectiveness of your management of cyber exposure.