In operational technology (OT) networks, it is COST that is the driver behind nearly all cyber risk mitigation investments. Sometimes contrary to business trends, cost supplants security as a priority, because security, in the form of cyber risk, always has a cost associated with it. In the industrial sector, where legacy infrastructures are common, the cost of cyber risk can be significant. However, that 'cost' isn’t always so clear. In fact, it nearly never is, and there lies the trillion-dollar problem. Of course, the notion that cyber risk has a cost is obvious. Yet the cost of cyber risk is still neglected by many of the cybersecurity solution providers and insurance underwriters serving industrial organizations within energy, transportation, and manufacturing. No one can be blamed for this oversight, because quantifying cyber risk is hard. Cyber risk has many different contributing variables. Cyber risk is dynamic and volatile, and, contrary to other sources of risk, it is subject to human factors such as motive. Furthermore, digesting and managing the cost of cyber risk after quantifying it is sometimes even harder. Yet it must be solved.
Answer The Money Question
Very few CISOs and CTOs say “I don’t care about ROI, I only care about cybersecurity.” In fact, they almost never do. As an executive asset owner with over 25 years’ experience of oversight or operational ownership over critical infrastructure in Europe, Canada, and the USA, I have never heard any cybersecurity stakeholder say that ROI was critically important. When it comes to ICS and OT cybersecurity, the budget is always formed by the size of the problem, and the size of the problem always impacts the ROI. Regretfully, ROI has been nearly impossible for many OT cybersecurity solution providers serving industrial organizations to quantify. As a result, CISOs and CTOs at industrial organizations are faced with more exposure to cyber risk than ever before, even though they have spent millions of dollars on intrusion detection systems (IDS) and threat intelligence solutions. This has been a losing battle for critical services and infrastructure providers as a whole. Considering the high cost of critical infrastructure assets, the statistics on cyber-attacks targeting them are alarming. Take these statistics as an example:
- Ransomware specifically targeting industrial organizations grew even faster, at a rate of 500% from 2018 to late 2020.
- Malware attacks alone are estimated to cost over $6 trillion by the end of 2021.
- Ransomware attacks targeting all verticals grew in 2020 at an astonishing rate of 485% over the prior year, at an estimated cost of $20 billion.
Serve the Common Interest to Solve the Common Problem of Cyber Risk
While cyberattacks on OT targets have clearly outpaced OT cybersecurity innovation, have malicious actors also outpaced the insurers and underwriters of cyber risk that insure industrial organizations? The answer is also, obviously, yes.
It is clear that when it comes to the management of cyber risk, CISOs and CTOs must move beyond a singular focus on cybersecurity alone. The holistic goal of improved cyber resiliency must be the goal, and this means financial protection from cyber incidents as well. The recent Colonial Pipeline ransomware attack epitomizes this notion: damages beyond the initial $5 million ransom demand are still being calculated. Cybersecurity alone cannot solve the problem.
Regretfully, the infamous and timely Colonial Pipeline attack is not a Black Swan occurrence, but merely a recent banner example. OT cyber risk is already monumental and growing by the day. It is a problem that must be addressed to better serve OT cybersecurity solution providers, their customers, and the insurers who underwrite the risk for those customers. Case in point:
- There has been a 2000% increase in cyber risk exposure since 2018.
- Within the USA alone, less than 1% of the $1 trillion of potential loss due to cyber risk in 2020 was transferred to insurers, compared to 25% of natural catastrophe risk.
- CEOs are likely to be held personally liable for cyber breaches. According to Gartner, this could be as soon as 2024.
Quantify Your Cyber Risk to Protect Yourself Against It
Like cyber-attacks, the financial cyber risk gap is also growing. This is undeniable. It is also undeniable that significant positive change to how we protect our critical infrastructure from cyber risk won’t happen until there is a forcing function. This forcing function is unified, transparent, auditable, and unbiased quantification of cyber risk. Insurers, reinsurers, and industrial organizations alike must obtain a clear understanding of their exposure to cyber risk in financial terms, so that they can develop cost-effective products that provide a real and sustainable hedge against the fast-evolving risk category of cyber risk.
At DeNexus, it is our mission to help industrial organizations and (re)insurers of cyber risk quantify, mitigate, and manage their exposure to it on a continuous basis. In other words, we answer the money question for the industrial, cybersecurity, and risk stakeholders of the world.
Identify, Quantify and Mitigate Cyber Risk with DeNexus
DeNexus is the leading provider of cyber risk modeling for industrial organizations and global insurers and reinsurers. Our cloud-based platform empowers the industrial enterprise to quantify cyber risk exposure on a continuous, automatic, and self-adaptive basis using the world’s first evidence-based data analytics software and services. Our flagship solution offering is DeRISK, the world’s first self-adaptive, cloud-based platform that uses evidence-based data to predict where and how breaches are likely to occur and what their business impact will be.
DeRISK explores each possible attack path that attackers might take and computes the probability that that attack path will be successful.
DeRISK is purpose-built with the CISO and CTO in mind. Our platform runs on FedRAMP-certified infrastructure and empowers risk stakeholders to financially quantify, in real time, the cyber risk their company is incurring, by understanding threats, vulnerabilities, and impact. Through the DeRISK UI, our users see the main factors driving their incurred cyber risk, with insights into the contributors to their risk position and their ultimate value at risk (VaR) over time. Most importantly, DeRISK offers ROI-based action items to inform and steer cyber risk mitigation actions, so that industrial organizations can better build and maintain a safe and profitable operation.
Fortune 500 companies, from power generation to manufacturing to other critical infrastructure, rely on DeNexus to understand their bespoke cybersecurity economics and optimize their risk-reduction ROI. Leverage DeNexus and our DeRISK platform to make asset, vulnerability, configuration, operational anomaly, supply chain, and cyber intrusion data work for you.
To learn more about our recent seed investment, read more here.