DeNexus Blog - Industrial Cyber Risk Quantification

Industrial Cyber Risk: Mitigate, Increase Insurance Coverage or Both?

Written by DeNexus | Nov 20, 2024 5:09:53 PM

How do you evaluate whether to buy more cyber insurance or increase your cybersecurity budget to mitigate and reduce risk? 

Discussions around cyber insurance policy 1/1 renewals are well underway. While cyber insurance is being adopted more widely across many sectors, you might still have open questions about how much coverage and what limit you need, and whether your policy actually covers your industrial environments and potential cyber incidents in your OT/ICS/CPS systems.

One key starting point is to understand your cyber risks in those environments. If you run multiple facilities or sites, their cybersecurity postures might differ considerably. Comparing them using technical metrics (number of identified CVEs, number of attempted attacks) can be misleading, because these do not always translate into risk for the business or into risks with a material impact. For example, a single click on a phishing email at one facility can turn into a multi-million-dollar ransomware attack, while a CVE discovered in the OT environment of another facility might never lead to any loss because robust network protection and segmentation are in place.

DeNexus will help you quantify your risk in financial terms—value at risk, expected loss, and other monetary metrics—so that you can start making comparisons, including to other enterprise risks. Then, you’ll have the tools and metrics to engage your business partners about cybersecurity investments and cyber risk management (avoid, mitigate, transfer, or accept).  

Financial quantification of Cyber Risk will support better decision-making on Risk Mitigation and Transfer in the following ways:

  1. You will have clarity on any gap between your current cyber insurance limit (minus retention) and your Expected Loss from cyber risk.
  2. You can decide how much to invest in cyber insurance (to increase your coverage) versus in cybersecurity and risk mitigation (to reduce cyber risk and your Expected Loss), and thereby close the gap.
  3. You can iterate on risk mitigation projects to further reduce the gap.
  4. Any residual gap should be covered by your financial reserves.
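To make the four steps above concrete, here is a small worked example (added for illustration; it is not DeNexus's model or code). It assumes a simple frequency-times-severity loss model over a few constructed scenarios and constructed policy figures, and shows how Expected Loss, the insurance limit minus retention, the resulting gap, and the reserves needed change under a "buy more cover" option versus a "mitigate" option.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (assumed)
    severity: float          # loss per event in USD (assumed)

# Constructed sample scenarios for one facility; values are illustrative only.
BASELINE = [
    Scenario("phishing-led ransomware", 0.10, 8_000_000),
    Scenario("OT CVE exploitation", 0.02, 3_000_000),
    Scenario("vendor remote-access misuse", 0.05, 1_000_000),
]
POLICY_LIMIT = 1_000_000     # constructed current limit
POLICY_RETENTION = 250_000   # constructed retention / deductible

def expected_loss(scenarios):
    """Annual Expected Loss = sum of frequency * severity over scenarios."""
    return sum(s.annual_frequency * s.severity for s in scenarios)

def effective_cover(limit, retention):
    """What the policy would actually pay out: limit minus retention."""
    return max(limit - retention, 0.0)

def coverage_gap(scenarios, limit, retention):
    """Step 1: gap between Expected Loss and effective cover (0 if fully covered)."""
    return max(expected_loss(scenarios) - effective_cover(limit, retention), 0.0)

def mitigate(scenarios, frequency_reductions):
    """Step 2/3: apply mitigation as a fractional reduction of a scenario's frequency."""
    return [replace(s, annual_frequency=s.annual_frequency * (1 - frequency_reductions.get(s.name, 0.0)))
            for s in scenarios]

def evaluate_option(scenarios, limit, retention):
    """Summarise one option: Expected Loss, gap, and reserves needed (step 4)."""
    gap = coverage_gap(scenarios, limit, retention)
    return {"expected_loss": expected_loss(scenarios), "gap": gap, "reserves_needed": gap}

if __name__ == "__main__":
    print("current:", evaluate_option(BASELINE, POLICY_LIMIT, POLICY_RETENTION))
    # Option A: raise the limit (transfer more risk).
    print("more cover:", evaluate_option(BASELINE, 1_500_000, POLICY_RETENTION))
    # Option B: halve phishing-led ransomware frequency (mitigate).
    mitigated = mitigate(BASELINE, {"phishing-led ransomware": 0.5})
    print("mitigate:", evaluate_option(mitigated, POLICY_LIMIT, POLICY_RETENTION))
```

Both options close the gap in this constructed case; comparing their cost (premium versus project spend) against the gap closed is the investment decision the text describes.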

We encourage you to investigate this topic further. Our recent white paper, “Industrial Cyber Risk: Mitigate or Transfer,” is available for download.

A recent Gartner survey shows that 10% of security leaders quantify cyber risk. While this might be low, it’s important to note that 63% of those who do so report significant benefits in investment prioritization toward the most critical risks.

It is time to elevate cybersecurity to a business discussion, use business metrics that showcase to executive leaders and boards what it can do for the business's resilience, and finally, include cybersecurity in the general enterprise risk management discussion. By doing so, you will also be able to showcase how cybersecurity efforts are measurable and justify your budget by showing risk reduction. Start today!