Quantifying Your Cyber Risk

By Amy Elizabeth Stewart

There was an excellent article in the Harvard Business Review on evaluating cyber risk. If your business is in the process of quantifying its cyber risks – and every business should be – the article “Can You Put a Dollar Amount on Your Company’s Cyber Risk?” is a must-read.

Highlights from the article are summarized below, but, first, keep in mind two major concepts when purchasing cyber insurance:

1. Be careful what you tell your insurance company you’ll do to prevent data breaches as those promises can come back to bite you if those policies aren’t followed to the letter (and since so many breaches are linked to human error, they almost never are);
2. Because cyber is such a new and evolving area of risk, and there is so little standardization among policies, there is room for negotiation when purchasing a cyber policy.

Our firm represents insurance policyholders exclusively, so we work with clients on the front end to ensure the policy doesn’t contain any surprises. 

Here are some of the highlights of the HBR article:

• Most companies struggle with quantifying their cyber risk, which makes it difficult to mitigate that risk. “As a result, companies continue to misjudge which cybersecurity capabilities they should prioritize and often obtain insufficient cybersecurity insurance protection.”
• When analyzing risk, companies should consider losses in three areas:
  1. Foregone revenue and ancillary payments
  2. Liability losses
  3. Reputational damage
• Reputational damage can often eclipse the direct revenue losses because harm to reputation can result in future revenue losses. 
• “Using both internal and external data related to the health of their business and operations, managers should be able to predict their expected and maximum cyber losses over a one- to three-year period, just as they can forecast their future revenues. They can also estimate what percentage of their future customers will leave if an outage results from a cyber breach — or how much their stock valuation and margins could suffer if a cyberattack taints their reputation.”
• Armed with the proper information, companies can decide whether to invest in more training of employees and vendors or in more technical controls to monitor potential breaches. “In some cases, managers may even discover that investing in a new product line may, or may not, be worthwhile given the cyber risks involved.”