A cyber risk balance sheet can protect your organization. Here’s how

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Joshua Jaffe, Vice President Cyber Security, Dell Technologies & Nisha Almoula, Cybersecurity, Risk and Regulatory Senior Manager, PwC

• Cyberattacks are on the rise but many organizations are ill-equipped to deal with threats.
• A cyber risk balance sheet documents the cyber events that could have a financial impact on an organization.
• A new report outlines how organizations can more effectively manage and understand the economics of cyber risk.

Every day, we read new headlines about cybercrime or hear reports of a new data breach, and all data indicates that the number of hackers is growing. When one considers the exponential growth of data and network-connected sensors and combines this with the power of AI, automation, augmented reality, implantable medical devices, and autonomous vehicles – it becomes immediately clear that this problem must be put on a different trajectory.

Yet, even with cyberattacks increasing in frequency and the damages growing in terrifying complexity, it remains a challenge for organizations to know how to best prepare for and mitigate against these attacks. The problem is that organizations find it hard to balance cyber risks against their actions. Often, cyber risks are underestimated or misunderstood by organizations.

Investments in cyber are viewed as a tradeoff against investments in product R&D, employee welfare or shareholder returns. The truth, however, is that all these investments should be considered holistically. To that end, the World Economic Forum, and its partners, in collaboration with the NACD, ISA, and PwC, have published Principles for Board Governance of Cyber Risk to enable organizations to better manage and understand how to navigate the invisible ledger of cyber risks that continue to grow. A key principle in this guidance is that boards of directors must “understand the economic drivers and impact of cyber risk.”

As board members’ understanding of the economics of cyber risk evolves, they will be empowered to drive risk-based decisions and lead organizations to combat cyber events. According to a 2022 PwC survey, 42.5% of global organizations have stated they have made significant progress in increasing their assessment of the board’s understanding of cyber matters.

How can a cyber risk balance sheet offer protection?

Developing a cyber risk balance sheet is one “power move” that leaders can make to immediately improve their cyber risk decision making. The simple shift in risk thinking and corporate behavior aligns cyber hygiene with the existing corporate risk management machinery in a way that creates a deeper understanding, incentivizes smart investments, and rewards good behavior. The cyber risk balance sheet power move does this by making the invisible ledger of cyber risks visible.

If you are a board member, encourage your cyber leaders to task their teams with creating and quantifying a cyber risk balance sheet that documents the cyber events that could have a material impact on the organization in financial terms. The key steps in developing a cyber risk balance sheet are as follows:

• Define a cyber risk quantification framework customized to your organization’s risk profile. This can be developed leveraging Factor Analysis of Information Risk (FAIR), in conjunction with other industry guidelines such as NIST SP 800-53 and ISO 27005. FAIR leverages scenario modeling to support organizations in compiling various risk factors, identifying their correlation, and quantifying financial impact.
• Identify key cyber threats relevant to your organization and evaluate the probability of the threat, critical assets, and the effectiveness of cyber controls in place to mitigate against these threats.
• Consolidate a balance sheet that maps the probability of in scope cyber threats to cyber risks in financial terms and associated planned or existing cyber investments.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.

Since its launch the centre has driven impact throughout the cybersecurity ecosystem:

• Training a new generation of cybersecurity experts
  Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible cybersecurity training through the Cybersecurity Learning Hub.
• Improving cybersecurity in the aviation industry
  Through the Cyber Resilience in the Aviation Industry initiative, the centre has been improving cyber resilience in the aviation sector in collaboration with Deloitte and more than other 50 companies and international organizations.
• Building a global response to cybersecurity risks
  The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, the European Network and Information Security Agency (ENISA) and the US National Institute of Standards and Technology (NIST), is identifying future global risks from next-generation technology.
• Making the global electricity ecosystem more cyber resilient
  The centre and the Platform for Energy, Materials and Infrastructure have been bringing together leaders from more than 50 businesses, governments, civil society and academia to collaborate and develop a clear and coherent cybersecurity vision for the electricity industry
• The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.

Contact us for more information on how to get involved.

Once the balance sheet is complete, have periodic discussions and reviews where the financial cost of cyber risks serves as the framework to understanding and translating the inherent consequence of the bottom line. This ledger can be used to evaluate the efficacy of current security investments and demand that chief information security officers (CISO) explain their business case for new cyber investment in terms that show a positive ROI. For example, investment in a security control will cost $2.5 million over the next three years, but it buys down $7 million of cyber risk on the cyber risk balance sheet.

Key considerations when implementing a cyber risk balance sheet

• Hold your teams accountable to outcomes and demand a return on capital in the form of real risk reduction.
• Empower security leaders to challenge themselves to really get to know the business and create allies within the business units by helping them reduce the risk of a cyber catastrophe that may impact their bottom line.
• Embrace questions challenging the calculations and recognize that this is fostering engagement from business functions to help advocate for security.
• Encourage security leaders to validate the risk values by collaborating with the CFO or ERM teams to review and vet the aggregate risk entries and increase their investment in the outcomes.

Enhance collaboration across the CISO, chief technology officer (CTO), and chief information officer (CIO) functions by involving the CTO and CIO teams in providing feedback on the likelihood and impact analysis done for each cyber scenario to further iterate on the estimates and balance sheet data.

Once the balance sheet is developed, and there is agreement across the organization’s leaders on the numbers, the security team should continue to iterate on the sheet to incorporate additional scenarios and evaluate business cases for every investment in a cyber control. This framework will support the organization to demand better leverage from existing cyber investments as well as retire antiquated cyber capabilities that may have consumed valuable talent and capital past their usefulness.

Future-proofing your organization

This power moveworks within organizations due to its simplicity and instead of promoting fear, it invites an understanding through transparency of the existing cyber risk. It creates a framework for leaders to engage in the solution using a language they all understand – the language of business. According to a 2022 PwC survey, 76.5% of global organizations have stated they have made moderate to significant progress in increasing the number of business decisions that involved input from the enterprise security management team. Regardless of the industries and verticals in which an organization operates, all corporate officers take pride in the value they create and are cognizant of the threats to that value.

The cyber risk balance sheet promotes trust through transparency and a stronger partnership between security, technology, and revenue generating functions of the business by aligning the interests of the company with the people protecting it.

There are several risks businesses must combat and the risks in cyberspace are growing every day. But what is often true in the physical world is also true in cyberspace – knowledge brings power. The more boards know and understand about the cyber risks and economic impact to their businesses, the better they can manage them.