In the modern financial landscape, cyber risk is no longer only an IT-specific risk. The impact of cyber attacks can have profound effects throughout the entire organisation and should therefore be treated as a board-level imperative, which is intrinsically linked to operational resilience. High-profile incidents in recent news range from sophisticated ransomware attacks on critical infrastructure to the exploitation of systemic vulnerabilities within third-party software.
Understanding Cyber Risk Quantification and Why it is Important
Cyber Risk Quantification (CRQ) is the process of evaluating cyber risks and expressing their potential impact in monetary terms. It moves the conversation about cyber threats away from subjective, qualitative descriptions of high, medium and low risk, and toward a data-driven, comprehensive financial assessment. This enhanced dialogue is critical for effective governance and strategic decision-making and can be used to inform operational resilience plans and resourcing requirements. Quantifying risk achieves several key objectives for firms:
- Optimise Security Investment: CRQ allows an organisation to prioritise its security spending on the controls that most effectively reduce the greatest financial exposure
- Inform Risk Mitigation and Transfer: When a risk is expressed in financial terms, the board can make a clear, cost-based decision on whether to accept, mitigate or insure
- Create a Common Language: CRQ provides a common language for discussing risk that is transparent and can be easily understood by all stakeholders
What are the Main CRQ Approaches?
CRQ is an analytical, data-driven process that attaches numerical values to cyber risks. The main methodologies are:
- Scenario Analysis
- Historical Data Analysis
- Top-Down vs Bottom-Up Analysis
Scenario Analysis
This approach involves modelling specific and plausible threat events and calculating their impact in financial terms. It can also consider reputational damage or the logistical requirements that arise when systems are offline for extended periods. For example, a firm might model the impact of its primary platform being offline for 48 hours due to a DDoS attack by considering lost revenue, remediation costs, wider market impact and potential regulatory fines.
Historical Data Analysis
Firms can leverage historical data, such as internal incident records and external breach data, to estimate the likelihood of similar future events. By collecting and analysing thousands of real-world incidents and their impacts, firms can build models and use these to forecast their risk exposure.
Top-Down vs Bottom-Up Analysis
With top-down analysis, exposure is first calculated at enterprise level and considers the overall financial risk. This is known as the Value at Risk (VaR) and is an important metric for risk quantification. Bottom-up analysis starts by identifying and valuing critical assets such as data and systems, and assessing the threats against those. Once the individual threats have been assessed, they are aggregated into an overall risk exposure to give an enterprise-wide view.
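The scenario analysis above (a primary platform offline for 48 hours after a DDoS attack) and the bottom-up aggregation into an enterprise-wide VaR can be made concrete in a small loss model. The following is an added example, not Novatus Global's model or tooling: every scenario, frequency, revenue and fine figure in it is a constructed assumption, chosen only to show the mechanics. Each scenario is the bottom-up view of one threat against one asset; a Monte Carlo simulation sums the annual losses across scenarios, and the Value at Risk is read off as an empirical quantile. An analytical annualised loss expectancy (ALE) is computed alongside as a cross-check on the simulation.

```python
"""Scenario-based cyber risk quantification with a Monte Carlo loss model.

Constructed example: the figures below are illustrative assumptions, not
data from any firm.  Each Scenario is a bottom-up view of one threat
against one asset; summing simulated annual losses across scenarios gives
the enterprise-wide exposure, from which a Value at Risk (VaR) is taken.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float    # expected events per year (assumed, e.g. from incident history)
    revenue_per_hour: float    # revenue lost per hour the platform is unavailable (assumed)
    outage_hours: tuple        # (low, high) plausible outage duration, sampled uniformly
    remediation_cost: float    # fixed incident-response and recovery cost (assumed)
    fine_probability: float    # chance the event attracts a regulatory fine (assumed)
    fine_amount: float         # size of that fine if levied (assumed)


# Constructed scenarios: a 48-hour-class DDoS outage of the primary platform
# and a ransomware event against a critical data store.
SCENARIOS = [
    Scenario("DDoS outage of primary platform", 0.5, 10_000.0, (24.0, 72.0),
             200_000.0, 0.25, 1_000_000.0),
    Scenario("Ransomware on critical data store", 0.2, 10_000.0, (48.0, 240.0),
             750_000.0, 0.5, 2_000_000.0),
]


def expected_annual_loss(s: Scenario) -> float:
    """Analytical annualised loss expectancy (ALE) for one scenario.

    ALE = frequency * (mean outage hours * revenue per hour + remediation
                       + fine probability * fine amount)
    """
    mean_hours = (s.outage_hours[0] + s.outage_hours[1]) / 2
    per_event = (mean_hours * s.revenue_per_hour + s.remediation_cost
                 + s.fine_probability * s.fine_amount)
    return s.annual_frequency * per_event


def _poisson(lam: float, rng: random.Random) -> int:
    """Sample how many events occur in one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def single_event_loss(s: Scenario, rng: random.Random) -> float:
    """Draw one event's loss: lost revenue for the outage, remediation, and a possible fine."""
    hours = rng.uniform(*s.outage_hours)
    loss = hours * s.revenue_per_hour + s.remediation_cost
    if rng.random() < s.fine_probability:
        loss += s.fine_amount
    return loss


def simulate_annual_losses(scenarios, years=20_000, seed=7):
    """Monte Carlo: total loss in each simulated year, aggregated across all scenarios.

    Scenarios are treated as independent.  Correlated events (one root cause
    triggering several scenarios at once) need a joint model and fatten the tail.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(s.annual_frequency, rng)):
                total += single_event_loss(s, rng)
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.95) -> float:
    """Loss not exceeded in `confidence` of simulated years (empirical quantile)."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


def summarise(scenarios, years=20_000, seed=7) -> dict:
    """Enterprise-wide figures a board could be shown: mean loss and tail VaR."""
    losses = simulate_annual_losses(scenarios, years, seed)
    return {
        "analytical_ale": sum(expected_annual_loss(s) for s in scenarios),
        "simulated_mean": statistics.fmean(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
    }


if __name__ == "__main__":
    for key, value in summarise(SCENARIOS).items():
        print(f"{key:>15}: {value:,.0f}")
```

The gap between the simulated mean and the 95% or 99% VaR is the point of the exercise: in roughly half of the simulated years nothing happens at all, so an average alone understates the exposure the board is actually being asked to accept, mitigate or insure. Swapping the uniform outage duration for a distribution fitted to incident history, or adding a correlation between scenarios, changes the tail far more than it changes the mean.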
CRQ Regulatory Considerations
Regulators are increasingly concerned with cyber risks and are focused on the link between cyber risk and operational readiness. Firms are now subject to enhanced expectations and are expected to demonstrate how they measure and manage risk, as well as how they plan to withstand the impact of cyber events of varying severity. As part of this enhanced regulatory focus, the Digital Operational Resilience Act (DORA) mandates that financial services firms implement a comprehensive ICT risk management framework. The FCA continues to emphasise operational resilience and, through Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST), encourages firms to simulate the threats posed by sophisticated attacks. CRQ is imperative for these regulatory processes, allowing firms to identify which scenarios pose the greatest threat based on rigorous assessments.
Key CRQ Actions for Firms
Understanding the principles and regulatory drivers for CRQ is the first step, but implementing it requires a deliberate and structured approach. Firms should focus on several key, practical actions to develop robust CRQ capabilities:
- Prioritise Data Gathering and Management
- Strategically Allocate Capital and Resources
- Engage Early with Regulators
Prioritise Data Gathering and Management
The accuracy of the CRQ process depends almost entirely on the quality of the data. Firms must establish comprehensive processes to consistently collect data aligned to key metrics, including asset values and the performance of existing security controls.
Strategically Allocate Capital and Resources
CRQ should be the primary tool for identifying the capital and resourcing requirements that form the basis of any cybersecurity investment. This level of information allows the board to make informed, evidence-based decisions by directing capital towards the initiatives that offer the greatest quantifiable risk reduction.
Engage Early with Regulators
Firms should utilise the language of the CRQ to engage with regulators early to build proactive dialogue and transparency. The goal is to demonstrate controls that are grounded in verifiable data to ensure alignment with complex frameworks like DORA.

Cyber Risk Quantification (CRQ) is the essential bridge between technical cybersecurity and strategic operational management. Firms can use the CRQ to translate complex cyber threats into a common language which is associated with tangible and measurable financial risk. This information empowers firms to make smarter investment decisions, build more resilient infrastructure and demonstrate regulatory compliance more effectively.

If your firm is struggling to evaluate cyber risks or needs assistance with CRQ-related challenges, one of Novatus Global's experts will be happy to assist.