The near-ubiquitous digital enablement implicit in the estimates of connected devices by 2020, and the losses it spawns, create an imperative for organisations to be able to manage cyber exposure and to articulate the effectiveness of that management to the capital markets. Failure to do this is likely to leave many organisations facing the exogenous shock of investors adding 50, 100 or 200 basis points to their cost of capital. Where that increase stands in for missing evidence of effective cyber defence capabilities and of effective management of cyber risk in the portfolio, both being means of protecting the investment in the organisation, we will have to provide the cyber evidence, quantify the exposure and the shape of the response, and manage this new component of the investment profile accordingly.
Given the lag in the system, this probably means that organisations have until the end of 2018 to establish these capabilities and then execute them in order to demonstrate a track record of effectiveness in managing cyber exposure and articulate the rigour of their systems for when the capital markets lay down the challenge.
In the real world, embarking on this journey means taking small first steps and answering the killer questions:
- To the CEO: how can you be sure you have done enough of the right things to satisfy shareholder, analyst and regulatory expectations should things go south? How do you decide the most sensible balance of capital deployment to meet the cyber exposure?
- To the CFO: for every other risk you first quantify it and then determine capital responses that balance mitigation, retention (and funding) and transfer; how do you do that for cyber? Further, if you are at the analyst meeting and the CEO invites you to answer the question "what is your residual exposure now you've spent all this cyber money?", how will you persuade the analyst that you know the answer?
- To the CRO: how do you manage the execution of cyber risk management within the Enterprise Risk Framework, and how do you demonstrate to the CFO and the Board that the measures taken are effective in reducing the residual cyber exposure?
- To the Non-Executives: you own the risk; how do you establish the assurance and confidence that your cyber exposure is being well managed by the Executive?
Organisations will face a cost-of-capital imperative to manage cyber as part of their enterprise risk management framework. In establishing these capabilities, an organisation can be confident that it will be able to answer these killer questions and differentiate itself in a world where "Good Cyber is Good Business".
The core issue here is the ability to normalise the management of cyber risk in terms of the well-established disciplines of Enterprise Risk Management, and that means being able to quantify cyber exposure. If you can't do it, you need to get support quickly in order to establish the in-house capability that will be necessary to avoid the existential threat of a cost of capital that tracks the effectiveness of cyber exposure management.
Cyber-Risk Quantification - an Enterprise Risk Imperative
Discussion
Cyber is a multi-headed beast that can be "different strokes for different folks". It draws people into academic definitional discussions that divert us from the core issue. The core issue is that the increasing digital enablement and connectivity underpinning wealth creation brings a concomitant increase in the breadth of cyber vulnerabilities that individuals and organisations face: it is a problem that is going to get worse before it starts to get better.
This has dramatic implications for risk management in organisations. Equally, it creates investment and rating challenges over time as the cost of cyber losses grows as a proportion of wealth creation. The Centre for Strategic and International Studies report (July 2013) was the first sensible attempt to quantify cyber losses. It sought to define a perimeter of value creation against which losses could be measured; that is not easy, and we need to do a better job of it. In defining this difficult perimeter they included, amongst other things, the value of IP, the value of innovation, and the capital costs associated with an inability to invest because IP and capital were being stolen. The estimated annual losses ranged between $300Bn and $1 trillion, or between 0.4% and 1.4% of global GDP. Acknowledging the uncertainty in these numbers, for comparison, global provision for crime is 0.8% of global GDP.
These losses arise from internet usage today, with 3 billion users and 6 billion connected devices. By 2020 Cisco estimates 6 billion users (some of which will be machines) and 40 billion devices; Microsoft estimates 60 billion devices over the same period. Even if losses grow only linearly with the number of connected devices, they become unsustainable in the 2020 timeframe. It is becoming a runaway train, and the investment capital and debt markets will need to respond.
Why is it so bad? There is no single answer. The first component is a lack of education and awareness about our real vulnerability levels at an individual level, which means there is always someone who "clicks the link". We also have the paradox that many recognise intellectually that cyber is an issue but viscerally believe it to be somebody else's problem, that it doesn't apply to them. Boards are over-confident about their ability to manage the threat; the technical community does not explain the issues in business language; and historical probability combines with a lack of reported visibility of incidents to give a false sense that the problem is smaller than it really is. The Verizon Data Breach Investigations Report estimates that almost 60% of organisations that are successfully breached do not discover the breach themselves; put another way, a breached organisation is more likely than not to learn of the breach from someone else, and until then does not know it has happened.
This is reflected in the lack of discipline applied to the management of cyber risk within organisations' broader enterprise risk frameworks. Consider any other category of risk. An organisation will quantify the scale of the exposure in a rigorous manner before making informed choices about the most effective deployment of capital to address it. It does this by balancing the three levers available: first, risk mitigation; second, the retention (and funding) of risk; third, the transfer of risk.
However, for cyber we don't do this. We spend a ton of money on consultants who provide vulnerability insight, prioritise risk mitigation actions, and then up-sell consulting and technology services to mitigate those risks. Eventually the Board runs out of patience and stops the spend, and the CFO is still unable to quantify the residual cyber exposure in the portfolio. This would not be tolerated for any other risk category. The problem is that the scale of the unaddressed exposure is likely to be substantial, possibly existential. If the provision for a blast-furnace failure, a very high-impact but low-probability event, is set at $50 million, and the actual probability of occurrence is five times larger than assumed, then the organisation carries a potential additional $200 million of exposure. When the other top-five critical enterprise risks are viewed through the same lens, an organisation can quickly find itself looking down the barrel of more than half a billion dollars of unaddressed exposure. That can't be good: in fact this is probably the next pension deficit in scale, and it is going to need meaningful strategies to address it and to give the investment community confidence in the medium- to long-term investment profile of the organisation.
Much of the challenge, though, is that there is no real prospect of a universal definition of what good cyber looks like, nor of rules that demand adherence to it: we have sectoral requirements, for payments (PCI DSS) and for personal and financial data, but no comprehensive definition of good and how to achieve it. So we are unable to draw upon the equivalent of the legislative imperative that, say, Health and Safety legislation provides in driving good practice. The nearest equivalent is the 1970s discussion about quality. At the time there were vehement arguments about who would pay for quality systems, when of course everybody was already paying for poor quality. Then the existential TQM challenge emerged from Japan, and there were those who were ready and those who weren't. Today no one would argue cogently that bad quality is good business, and yet that, in effect, is what we hear today in the context of cyber. Money, and the cost of investment capital, is not yet playing its full part in driving good behaviour. With losses at the level implied by 2020 connectivity, it is not conceivable that investment capital will fail to make the link between the cost of capital and the effectiveness of cyber defence. In this legislative vacuum, the cost of capital is inevitably going to have a role in driving more effective cyber defence in order to protect the capital of the investment marketplace.
The Challenge and the Opportunity
If we bring together these two issues, poor management of cyber risk in the ERM environment and a cost of capital linked to the effectiveness of cyber defence, we are describing an existential threat for the unprepared. The business opportunity is to ensure preparedness. This means a meaningful capability to manage cyber risks as part of the Enterprise Risk Management Framework (with the same quantification discipline we see for all other risks) and, as importantly, a quantified and familiar framework for describing effective management of the cyber exposure to the capital markets.
The first component required in establishing these new cyber disciplines is the capability to quantify the organisation's cyber exposure. This capability normalises the capital deployment decisions associated with cyber risk by allowing a Board to quantify the exposure and make informed choices about addressing it, striking the right balance of risk mitigation, retained (funded, e.g. in the captive) risk and transferred risk. Importantly, the transfer conversation is not necessarily about discrete cyber insurance cover; instead it identifies where the incremental peril resides, allowing companies to write bigger limits in existing categories, particularly Property and Casualty risk. It then allows the organisation to use cyber liability cover in a way that better suits the limited capacity available in the market, and to deploy the appropriate product for the client's needs as part of a broader portfolio response.
The second capability component flows from the first and allows an organisation to manage its investment profile and articulate for the capital markets the specific risk management strategy, the capital decisions and the effectiveness of this approach in reducing cyber exposure: just as it does for everything else.
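A worked illustration of the quantification discipline this section calls for, and of the provision-gap arithmetic in the Discussion above. It is an added example, not code from the original article or from any framework the article names, and every figure in it (the two loss scenarios, the 50% frequency reduction attributed to a mitigation programme, the $20m retention and $50m insured limit) is constructed for illustration, not taken from a real organisation. It uses a frequency/severity Monte Carlo of the kind used in operational-risk and FAIR-style cyber analyses: each scenario has a Poisson event frequency and a lognormal loss per event; simulated annual losses give an expected loss and a tail loss, and one year's loss is then split across the three levers (retained up to the deductible, transferred within the insured limit, residual above it).

```python
"""Added example: frequency/severity Monte Carlo for cyber exposure and the
mitigation / retention / transfer split. All figures are constructed."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    events_per_year: float   # mean loss-event frequency (Poisson)
    median_loss: float       # median loss per event, in dollars
    sigma: float             # lognormal spread of loss per event


def poisson_draw(rng: random.Random, mean: float) -> int:
    """Knuth's method; the stdlib has no Poisson sampler. Fine for small means."""
    threshold = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, trials=20_000, seed=2016):
    """Return sorted simulated annual gross losses (one value per trial year)."""
    rng = random.Random(seed)  # fixed seed keeps the example reproducible
    years = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson_draw(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        years.append(total)
    years.sort()
    return years


def expected_loss(sorted_losses):
    return sum(sorted_losses) / len(sorted_losses)


def tail_loss(sorted_losses, percentile=0.95):
    """Loss not exceeded in `percentile` of simulated years (a VaR-style figure)."""
    return sorted_losses[int(percentile * (len(sorted_losses) - 1))]


def apply_mitigation(scenario, frequency_factor=1.0, severity_factor=1.0):
    """Lever 1: controls that cut event frequency and/or per-event loss."""
    return LossScenario(scenario.name,
                        scenario.events_per_year * frequency_factor,
                        scenario.median_loss * severity_factor,
                        scenario.sigma)


def split_by_lever(annual_loss, retention, limit):
    """Levers 2 and 3 for one year's loss: retained (funded, e.g. in the captive)
    up to the retention, transferred to the insurer within the limit above it,
    and the uncovered residual that sits above the limit."""
    retained = min(annual_loss, retention)
    transferred = min(max(annual_loss - retention, 0.0), limit)
    residual = max(annual_loss - retention - limit, 0.0)
    return retained, transferred, residual


def provision_gap(provision, assumed_probability, actual_probability):
    """The Discussion's arithmetic: a provision sized for one probability leaves
    this much unfunded when the true probability is higher."""
    return provision * (actual_probability / assumed_probability - 1.0)


# Constructed portfolio (hypothetical): frequent small incidents plus a rare large one.
PORTFOLIO = [
    LossScenario("commodity malware / phishing", events_per_year=2.0,
                 median_loss=1.0e6, sigma=1.0),
    LossScenario("major breach of customer data", events_per_year=0.1,
                 median_loss=30.0e6, sigma=1.2),
]


def quantify(portfolio=PORTFOLIO, retention=20.0e6, limit=50.0e6):
    """The figures a CFO is asked for: expected and tail loss before and after a
    (hypothetical) mitigation programme, and where a bad year's loss would sit."""
    before = simulate_annual_losses(portfolio)
    mitigated = [apply_mitigation(s, frequency_factor=0.5) for s in portfolio]
    after = simulate_annual_losses(mitigated)
    tail_year = tail_loss(after, 0.99)
    retained, transferred, residual = split_by_lever(tail_year, retention, limit)
    return {
        "expected_before": expected_loss(before),
        "expected_after": expected_loss(after),
        "p99_after": tail_year,
        "retained": retained, "transferred": transferred, "residual": residual,
    }


if __name__ == "__main__":
    for key, value in quantify().items():
        print(f"{key:16s} ${value / 1e6:8.1f}m")
    print(f"provision gap    ${provision_gap(50e6, 0.01, 0.05) / 1e6:8.1f}m")
```

The point of the split is the one the section makes: the residual figure is what is left after mitigation, funding and transfer, and it is the number the CFO needs to be able to state at the analyst meeting. The same run also answers the CRO's question, since the expected-loss figures before and after mitigation show whether the spend moved the exposure at all.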
Moody's fired the starting gun on linking cyber defence to an organisation's rating profile in November 2015, when it began to treat cyber defence as a rating consideration going forward.