I sat down for breakfast in early December with Kevin Richards, the President of Cyber Risk Solutions at X-Analytics. Kevin shared some fantastic insights and I wanted to pass them along.
Kevin started off with two big discussion topics he advises CISOs should be having with their C-Suite and Board:
- How do “we” determine materiality?
- What is our appetite and/or tolerance for cyber risk?
Determining materiality
Materiality has a particularly vague definition – to paraphrase Thurgood Marshall, “…materiality is any information a reasonable investor would need to make an informed voting [or investment] decision…” Equally vague is Justice Marshall’s discussion is the word “reasonable”. That said, the latest SEC rules require public companies to disclose material cyber events in forms 8K, 10K, and 10Q. With that expectation, CISOs and cyber leaders need to engage their leadership and board members to develop their internal standard for judging materiality. This will most likely include a range of technical, reputational, financial, and operational considerations.
Cyber Risk Tolerance
Cyber risk tolerance or appetite are also key areas for discussion. All businesses have risk – that is a constant; and business leaders have strategies and metrics to apply to a range of risk treatment approaches. The nuance is how to apply traditional ERM methods to cyber. Using financial analytics methods – where an organization can translate technical capabilities into financial values – business leaders can bring a financial perspective to the conversation. One critical question is “how much cyber risk are we willing to accept?” Again, every business accepts risk in very tangible ways. A simple example is accepting a deductible in an insurance policy. If that policy has a $5M retention or deductible, that’s the business’ way of saying, “we’ll ‘self-insure’ for the first $5M before the purchased insurance policy kicks in.” So, one approach would be to look at the organization’s largest insurance policy – oftentimes a business property & casualty policy – and identify the retention (deductible) on that policy. With that value, the CISO can discuss with leadership and the Board, “would we apply the same financial value to cyber?” Note this is the STARTING POINT of the discussion, not the end – as mentioned earlier relating to materiality, in addition to financial exposures, technical, reputational, and other operational considerations may need to be included in the discussion.
Ultimately, the Board of Directors should instruct executive management of the company’s overall on risk tolerance and then the management team would create the appropriate strategies to manage.
Risk assessment
Kevin also shared that organization must perform some sort of cybersecurity risk assessment. The most most popular are NIST Cybersecurity Framework and CIS Critical Security Controls. These assessments are then used as inputs into a risk model and show the overall risk exposure.
Risk Response
There are four main responses to risk (see COSO article)
- reduce (or mitigate)
- accept
- transfer
- avoid
Page last updated on January 21, 2024