Translating cyber risk into the language of finance with CRQ

UK Finance recently brought together BitSight and Moody’s Investor Services for an engaging and productive webinar on Cyber Risk Quantification as a key to translating cyber risk exposure into financial terms.

While cybersecurity is shifting from an IT matter to a business matter, Cyber Risk Quantification (CRQ) is becoming increasingly important as a key solution to helping companies around the world drive conversations across the board. Based on well-defined, robust data sets and analysis models combined with accurate probability scenarios, CRQ represents a terminology all stakeholders can understand as it translates bits and bytes into dollars and cents.

Cyber Risk Quantification is a language that everyone can speak and understand, including crucial non-IT stakeholders such as the board of directors.

In fact, this is the key to CRQ. It is arguably where other techniques have failed in the past: they were not able to speak the language of business, which is usually expressed in financial loss terms, nor were they supported by financial loss scenarios and methodologies that are sound and tested, which is what gives confidence when sharing results and allows them to withstand scrutiny across the board.

It is also important to note that CRQ has traditionally been a largely qualitative exercise. With the BitSight and Moody’s partnership, however, the data-scarcity problem can now be overcome, particularly the difficulty of assigning financial values to cyber risk.

First steps and challenges

To start on the right foot on the CRQ journey, organisations first need to understand what they are trying to accomplish. They then need to set the scope appropriately, since the approach and process will depend on what they are trying to achieve, with board-level reporting and insurance being two good examples. The final step is prioritising accordingly. One quick piece of good advice is not to try to go big and tackle too much: starting small with a subset of scenarios is the way to success.

Last but not least, adversities will come along the way, and organisations need to be prepared to face them as well as possible. Good Cyber Risk Quantification in financial terms is something companies have pursued for a long time. It has nonetheless been hard, either because efforts over-focused on the mathematics and calculations or because of the challenges of obtaining empirical data. Gathering that data internally has also been quite onerous, because it requires interviews and system surveys, and the frequency at which these are conducted is nowhere near continuous.

The CRQ approach needs to become more automated and repeatable to be more successful. This also improves credibility as the exercise becomes more data-driven and focused on tracking performance over time. That in turn allows better control of investment and clearer visibility of its impact on loss scenarios, setting the stage for those crucial conversations with the board.

The challenge with cybersecurity spend has always been that its benefit is an avoided cost, so there is no conventional ROI to quantify. We believe that showing that an investment will reduce the company’s cyber exposure and potential loss is a far more sound and disciplined approach than resorting to fear, uncertainty and doubt – which can often be a fruitless exercise.

These are some of the many topics covered during our webinar ‘Quantifying the financial impact of cyber risk’ that took place on 26 May. You can watch the on-demand recording here.