Appropriate attention to both understanding and mitigating cyber risk is valuable at the enterprise level because it increases the entire organization's readiness to deal with the risk at all levels. (National Underwriter P&C magazine)

It's impossible to escape the barrage of news about cyber attacks. At the enterprise level, we also observe varying degrees of insight into how to understand and manage the risk.

Boards of directors are turning attention from understanding the risk to understanding management's readiness to deal with the risk. That translates into questions such as, "Do we understand the risk well enough to prevent, mitigate and recover from a large-scale cyber event?"

Common sense risk analysis

Risk analysis starts with awareness of the risks an organization faces. The better an organization understands the risks it's dealing with, the more robust its risk analysis and risk-based decision making will be.

Some common suggestions for improving risk awareness include the following:

  1. Harvest the risk information you already have, whether it's through formal risk assessment activities already underway, through your enterprise risk management program, or through review of insightful information within business units.
  2. Address gaps in risk information and insight. Find ways to engage in risk conversations with colleagues who "see" and understand the risk; follow up with stakeholders who either influence or pay for the results of a risk event.
  3. Get help from external advisors. This is especially true for a dynamic risk like cyber, where both the profile of the risk and the range of potential risk mitigation options continue to evolve.

Qualitative, quantitative assessment

Risk analysis should incorporate both qualitative and quantitative assessment of risk by applying appropriate tools in each situation. In the cyber risk space, analysis should incorporate technical assessment of the organization's existing cyber security posture, thereby identifying major gaps and areas for improvement.


By applying risk science to the age-old questions of "how likely" and "how big," enterprise risk managers gain further insight into the organization's areas of vulnerability. And while risk quantification is often seen as the "Holy Grail" of risk assessment, it's important to consider qualitative aspects:

  • Do we tend to discuss risk well? What are the embedded risks that we don't like to talk about or we feel we're "stuck with" and need to accept?
  • Do we understand the business impacts of the risk — including operational disruptions, implications for control and compliance, cross-functional risk, financial and reputational impacts? How could a cyber event affect our credibility with customers, suppliers and other stakeholders? Is cyber risk a D&O risk?
  • How do the strategic decisions we make today affect our vulnerability to future cyber risk? What level of risk are we living with today or accepting for tomorrow by virtue of the decisions we make regarding our operations, acquisitions and partnerships?

The outcome of risk analysis should include a keener understanding of the organization's risk resilience — how ready are we to prevent, uncover, mitigate and recover from a cyber risk event?


Enterprise-level understanding

Although insurance plays a critical role in protecting an organization's balance sheet from a cyber event, appropriate attention to both understanding and mitigating cyber risk is valuable at the enterprise level because it increases the entire organization's readiness to deal with the risk at all levels. As with any other risk, the time and effort spent to analyze vulnerabilities and prioritize resources helps organizations maximize the value of their risk management investment. And as an added benefit, this work will help the insurance buyer determine appropriate limits, retentions and coverage options, and it will enhance the insurance broker's ability to get the job done in the market.


Common sense risk mitigation

The process of understanding areas of cyber-related vulnerability across the enterprise, determining the best risk mitigation options, and executing the risk mitigation plan is the same for cyber risk as for any other risk. Benchmarking "best practices" in cyber mitigation, getting external advice and clean sheet exercises can help. The following are some areas for additional consideration:

  • Contractual reviews. What duties and obligations have we accepted through commercial arrangements with customers, suppliers and other third parties?
  • Business process reviews. What risks do we assume every day based on the way we conduct our business, and are there areas in which process change could provide a win/win for the business as well as for our cyber-risk exposure?
  • Where should we spend time, money, and effort to improve?
  • Risk transfer. What is the best insurance strategy that results in comprehensive, current coverages at a reasonable cost? How do we differentiate ourselves in the market?
  • Continuous improvement. How do we stay ahead of the risk while enabling our business to thrive?
  • Organizational barriers to success. How do we deal with aspects of the plan that cross organizational silos? How do we address different levels of understanding of the risk, the need for resources to address the risk, and the need for collaboration between technical and non-technical colleagues? How do we break down company-specific barriers to collaboration, including reliance on embedded processes and practices?

By building capability in cyber risk analysis, mitigation planning and execution, and risk monitoring, you will help improve resiliency for today while enabling your organization for future success.


Laurie Champion is managing director and strategic account manager for Aon Risk Solutions. She can be reached at [email protected].


The opinions expressed here are the writer's own.
