A Common Sense Convo on CyberRisk: How much does exposure actually cost?

February 2, 2023

Cyber threats had a banner year in 2022. From rising data breach fines and settlements, to Russian hackers, to the near-daily emails to employees demanding digital gift cards, cyber threat exposure, and the visibility of attempted penetrations, have accelerated.

These threats often carry significant costs. Beyond the reputational damage, data breach fines, and regulatory settlements that accompany most major losses, cybercrimes such as ransomware attacks cost companies $5M to $10M on average, and worst-case scenarios have topped out at $575 million.

As leaders in the broader financial services ecosystem, we are the biggest targets. But most cyber risks are not, in fact, found at the biggest firms. According to the Wall Street Journal, “the midmarket [are more often the] targets, presenting a risk for private equity, venture capital and other deal makers that often invest in such businesses.” While most of these businesses are aware of cyber risk, most do not yet have the expertise to deal with an incident.

When emerging operational threats can’t be anticipated, risk factors are difficult to quantify, and hedging decisions are drenched in doubt, a business will often seek to transfer this risk via insurance.

Insurers generally don’t want to take the risk outright. Instead, they approach it no differently than when property insurance was first introduced in the 1800s: they provide “fire trucks”. For cyber risks, this expert assistance may be provided by law firms, IT forensics, public relations, IT security, privacy compliance, and business income adjusting, all aimed at minimizing claims costs.

But, as HBR advised, these “assistance” costs have proven difficult to project: with the number of ransomware attacks up more than 150% over the entirety of 2020, insurers have increased cyber insurance premiums as much as three-fold. These 25-75% premium increases have made it difficult for companies to find the additional capital to insure these risks; they are spending more to retain the same or less coverage than the year before.

As a result, cyber risk assessment (a strategic understanding of your firm’s true risk exposure), the resulting financial quantification of that risk, and programs to hedge or mitigate exposure are now all Board-level discussions. And they are here to stay.

C-Suite Considerations for Addressing Cyber Risk

Thoughtful strategy, effective partnership, and the right technology backbone can demystify the often-hyped challenges innate to quantifying your cyber security exposure and allow you to mitigate or hedge against true business risk.

Overall, there are three options for cyber risk: mitigate it, accept it, or transfer it. How you balance those three approaches will depend on a host of factors, including your overall financial exposure, risk tolerance, company lifecycle stage, and even internal culture.

Leadership responsible for risk mitigation is laying out a multi-pronged approach, including traditional operational-risk tools and regular IT patching, but also organizational change management programs to meet this changing cyber threat dynamic. (Most reportable data breaches are still triggered by unintentional employee error, which calls for additional education.)

Given the evolving landscape, today’s cyber-exposure analysis cannot be a “set it and forget it” strategy. It needs to be an ongoing process, regularly reported out to critical stakeholders.

Because, of course, to best determine where to invest in reducing, accepting, or transferring your risk, you need to be able to quantify the dollars and cents of exposure.

You Can [and will likely soon have to] Financially Quantify Cyber Risk

Alongside the rise in cyber-attack attempts, there is a growing urgency among PE and investment firms to understand the total financial exposure of their cyber security risk.

This rise is in part due to the need to protect the business, but also to rising external pressures: government regulatory bodies are moving towards mandating that every firm (asset managers, services companies and beyond) get their arms around their risk exposure. More specifically, firms will be expected not only to acknowledge their total exposure but to concretely report out exactly what an incident or downtime event would cost.

Signaling this evolution are new proposed SEC rules rolled out in March 2022. Focused on cybersecurity risk management, strategy, governance, and incident disclosure by public companies, these proposed rules will require “enhanced” disclosure – meaning every public and private entity will need to report their cyber risk periodically throughout the year.

If the SEC ultimately adopts those rules, this will be a sharp contrast to the annual or semi-annual disclosure programs many firms run today. (It will also require some significant adjustments to operational processes as a result.)

Telltales from the analyst community also highlight the growing focus on the dollars and cents of cyber exposure. Gartner rolled out new research at their Security & Risk Management Summit last November which indicated that 88% of boards regard cybersecurity as a business risk rather than an exclusively technical or IT problem. A further 13% of boards have responded to this by instituting cybersecurity-specific board committees overseen by a dedicated director.

If your Board of Directors and the SEC want reporting and mitigation, it’s probably time to map out a strategy to get your firm there. Luckily, getting a cohesive understanding of your full cyber exposure is less daunting than you might imagine.

Finding Risk Where It Lives (Internally, and Inside Your Vendor Stack)

Cyber exposure risk exists at multiple levels. Like any attractive target, the internal operations of PE firms face cybersecurity risk, specifically from those looking to access the assets and financial data you hold involving limited partners (LPs). Risk assessment today also demands meaningful guidance for an ever-growing universe of internal stakeholders, including CIOs, CTOs, and CISOs.

But it doesn’t stop there. If you leverage third-party vendors such as fund administrators for any operational support, your client or internal data is also at risk if those providers are attacked.

Finally, cyber risk can also live in your affiliate or portfolio companies. For all that goes into projecting the financial performance of portfolio companies, many PE firms aren’t sufficiently accounting for the total cost of cyber-attacks. Depending on the product set, that exposure could range from somewhat controlled data or client information corruption to efficiency or operational disruptions, to more significant events directly affecting your total returns.

Even if a breach is contained to one portfolio company, a more insidious breach – such as an attack requiring your company to bear the cost of remediation or lose customer trust – can potentially derail that investment, driving an increasing interest in indemnifying that risk.

To bridge the gap between cyber awareness and action, your firm needs trusted analysis, timely delivery, and empowered guidance. Fortunately, a cohesive Cyber Risk Quantification (CRQ) program allows you to communicate cyber risk without jargon and drive action for all your critical teams, vendors, and affiliates.

Cyber Risk Quantification (CRQ): Understanding the Financial Impact of Your Risk

The path to effectively navigating this evolving uncertainty lies in a new category of Fintech called CRQ (Cyber Risk Quantification platforms), which empowers organizations to understand their downside exposure in concrete terms and hedge against it.

This new category of software solutions, such as Kovrr’s Quantum financial risk platform, can help PE leaders develop a granular understanding of their financial exposure, reduce operational risk, and ultimately make more informed investment underwriting decisions.  

These tools are uniquely created to analyze cyber risk on-demand, employing a continuous stream of global threat intelligence data to help companies understand their evolving exposure.

Here are some key points to think about as you develop your CRQ strategy:

While risk is universal, financial exposure is variable.

Not all cyber events will have the same financial impact. Some attacks or exposures may be more costly for certain types of companies, depending on factors such as the technology and data they have in place. Quantifying the financial impact of improving cybersecurity training versus adding new security controls shows how much each option changes your risk.

For example, this read-out of a firm’s potential ransomware and extortion exposure shows an extraordinarily wide band of potential financial loss, from five thousand to nearly ten million dollars. The key is to have that middle number, the weighted average exposure, that you can use as a real-world guidepost when insuring your firm.

[Figure: ransomware and extortion exposure read-out. Source: Kovrr]

Financial exposure is proportional to cyber insurance and mitigation activities.

As you can imagine, taking different types of cyber risk management actions can drive different results in delivering financial value.

By gaining clarity on your financial exposure, you can prioritize which cybersecurity measures to take. For example, if you see that controlling the use of administrative privileges can reduce how much money you’d lose due to a cyber event, perhaps more so than if you implemented a cybersecurity awareness and training program, then you might put more emphasis on securing your controls across different cloud environments.

An effective CRQ product can also more clearly analyze the ROI of operational cyber investments and prioritize your risk management strategies depending on your predicted downside.
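The two ideas above (a wide, skewed band of possible losses with a weighted average in the middle, and ranking controls by how much expected loss they remove per dollar spent) can be made concrete with a small Monte Carlo simulation. The code below is an added example written for this article; it is not Kovrr’s Quantum model, Concertiv’s code, or any vendor’s method. Every parameter (incident rate, loss distribution, control costs and effects) is an assumption chosen for illustration, and the two controls mirror the article’s comparison of privileged-access restrictions against awareness training.

```python
"""Toy Cyber Risk Quantification (CRQ): annual loss band and control ROI.

Added example, not from the article or any vendor. All numbers are assumptions.
Model: ransomware/extortion incidents per year ~ Poisson(rate); loss per incident
~ LogNormal(median, sigma). The lognormal tail is what produces a band running
from a few thousand dollars to millions, as the article's read-out shows.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Constructed baseline (assumptions, not measured data) -------------------
BASELINE_EVENTS_PER_YEAR = 0.6        # expected incidents per year
BASELINE_MEDIAN_LOSS_USD = 150_000.0  # median loss per incident
LOSS_SIGMA = 1.5                      # lognormal spread; larger = fatter tail
SIMULATED_YEARS = 20_000              # Monte Carlo sample size


@dataclass(frozen=True)
class Control:
    """A mitigation option: what it costs per year and how it changes the model."""
    name: str
    annual_cost_usd: float
    frequency_multiplier: float  # 1.0 = no change; 0.85 = 15% fewer incidents
    severity_multiplier: float   # 1.0 = no change; 0.5 = each incident costs half


# Hypothetical controls, effects and costs are assumptions for illustration.
EXAMPLE_CONTROLS = [
    # Limiting admin privileges mainly shrinks blast radius, so it cuts severity.
    Control("Privileged access controls", 60_000.0, 1.0, 0.5),
    # Awareness training mainly reduces successful phishing, so it cuts frequency.
    Control("Security awareness training", 25_000.0, 0.85, 1.0),
]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion-by-product method; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(control: Optional[Control] = None, seed: int = 7) -> List[float]:
    """Return one simulated total loss (USD) per year, with or without a control."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    rate = BASELINE_EVENTS_PER_YEAR * (control.frequency_multiplier if control else 1.0)
    scale = control.severity_multiplier if control else 1.0
    mu = math.log(BASELINE_MEDIAN_LOSS_USD)  # lognormal median -> mu parameter
    losses = []
    for _ in range(SIMULATED_YEARS):
        incidents = _poisson(rng, rate)
        losses.append(sum(scale * rng.lognormvariate(mu, LOSS_SIGMA) for _ in range(incidents)))
    return losses


def exposure_summary(losses: List[float]) -> Dict[str, float]:
    """Weighted average (expected annual loss) plus the band around it."""
    s = sorted(losses)
    n = len(s)
    return {
        "expected_annual_loss": sum(s) / n,
        "p05": s[int(0.05 * n)],   # many years see no incident, so this is often 0
        "p95": s[int(0.95 * n)],
        "p99": s[int(0.99 * n)],   # the tail an insurer or board worries about
    }


def evaluate_controls(controls: List[Control]):
    """Rank controls by net benefit: expected loss removed minus annual cost."""
    baseline = exposure_summary(simulate_annual_losses())["expected_annual_loss"]
    rows = []
    for c in controls:
        with_control = exposure_summary(simulate_annual_losses(c))["expected_annual_loss"]
        reduction = baseline - with_control
        net = reduction - c.annual_cost_usd
        rows.append({
            "control": c.name,
            "loss_reduction": reduction,
            "net_benefit": net,
            "roi": net / c.annual_cost_usd,
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return baseline, rows


if __name__ == "__main__":
    summary = exposure_summary(simulate_annual_losses())
    print("Baseline exposure (USD):", {k: round(v) for k, v in summary.items()})
    baseline, ranked = evaluate_controls(EXAMPLE_CONTROLS)
    for r in ranked:
        print(f"{r['control']}: removes ${r['loss_reduction']:,.0f}/yr, "
              f"net ${r['net_benefit']:,.0f}, ROI {r['roi']:.0%}")
```

Two design points carry over to real CRQ work. First, the expected annual loss is the “middle number” to budget or insure around, but the p95/p99 values are what size a policy limit, because the mean is dragged far below the tail. Second, controls must be compared on expected loss removed net of cost, not on raw risk scores; under these assumptions the severity-reducing control wins despite costing more, which is the kind of result the article describes when it suggests prioritizing privileged-access controls over training.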

You can provide key stakeholders a more informed investment strategy.

CRQ technology can also help when evaluating investment opportunities at a portfolio company level. If deciding between two companies to acquire, for example, knowing that one company has a higher financial risk due to cybersecurity gaps could sway that deal and inform your final investment decisions.

Most business models, in fact, are entirely dependent on trust. If a company’s customer interface is not secure, the risk can become existential. Safeguarding such assets is the heart of an effective strategy to protect against cyberthreats.

Financial risk quantification should be a continuous activity.

While point-in-time assessments of financial risk are valuable for a single valuation or investment decision, cyber risk is continuously evolving, which means your mitigation strategies and exposure mathematics need to keep pace.

Cyber Risk Prevention: Quantifying Exposure

As you get more granular with the discrete dollars and cents of risk management, you can help guide your firm towards a pragmatic, realistic approach to cyber risk preparedness.

While CISOs may understand the technical aspects of cyber risk amidst multi-cloud environments, other executives may not. Fortunately, new tech-enabled financial quantification platforms that communicate cyber risk in terms of dollar amounts can make it easier to get buy-in for your cybersecurity strategies.

Ultimately, a strong, thoughtful risk analysis and mitigation program can help arm your company for future growth — from potentially attracting more Limited Partnerships to assessing portfolio companies’ cyber risk in more concrete terms, all the way through to harvesting the portfolio company investment.

Interested in learning more about procurement-as-a-service for your firm?  

Learn how leading firms are partnering with Concertiv to reduce spend, minimize risk, and save time across key spend categories.