GRC 101: What is Cyber Risk?

Cyber risk is the fastest growing enterprise risk and organizational priority today. According to the 2019 Global Risk Perception Survey, cyber risk was ranked as a top 5 priority by 79% of global organizations.

The growth of cyber risk is in large part tied to the increasing use of technology as a value driver. Strategic initiatives—such as outsourcing, use of third-party vendors, cloud migration, mobile technologies, and remote access—are used to drive growth and improve efficiency, but also increase cyber risk exposure. Cyber risk has evolved from a technology issue to an organizational problem. In short, cyber risk is everyone’s problem.

A compounding factor here is over the last two decades, cyber crime has grown exponentially. According to the IC3, the FBI’s cyber crime reporting mechanism, monetary damages from reported cyber crime totaled $3.5 billion in 2019, while Cybersecurity Ventures project that the global costs of cybercrime will double to $6 trillion in 2021, up from $3 trillion in 2015.

Definition of Cyber Risk

Cyber risk, or cybersecurity risk, is the potential exposure to loss or harm stemming from an organization’s information or communications systems. Cyber attacks, or data breaches, are two frequently reported examples of cyber risk. However, cybersecurity risk extends beyond damage and destruction of data or monetary loss and encompasses theft of intellectual property, productivity losses, and reputational harm.

Examples of Cyber Risk

Cyber risk can be faced by any organization and can come from within the organization (internal risk) or from external parties (external risk). Both internal and external risks can be malicious or unintentional.

Internal risks stem from the actions of employees inside the organization. An example of malicious, internal cyber risk would be systems sabotage or data theft by a disgruntled employee. An example of unintended, internal risk would be an employee who failed to install a security patch on out-of-date software.

External risks stem from outside the organization and its stakeholders. An external, malicious attack could be a data breach by a third party, a denial-of-service attack, or the installation of a virus. An unintentional, external attack usually stems from partners or third parties who are outside yet related to the organization -  a vendor whose systems outage results in an operational disruption to your own organization.

Impact of Cyber Risk

According to Deloitte Advisory Cyber Risk Services, “Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology.” In their 2019 Future of Cyber Survey,
Deloitte found that the impact of security incidents varied from real monetary costs, including financial loss due to operational disruptions and regulatory fines, to intangible costs, including the loss of customer trust, reputational loss or a change in leadership.

Cybersecurity risks can result in both quantitative loss and qualitative impact. Realized costs may include lost revenue due to disruptions to productivity or operations, incident mitigation and remediation expenses, legal fees, or even fines. Less tangible impacts of cybersecurity incidents, which are difficult to quantify and generally take longer to rectify, include loss of goodwill, diminished brand reputation, or a weakened market position.

Managing Cyber Risk

Cyber risk has the potential to affect every aspect of an organization, including its customers, employees, partners, vendors, assets, and reputation.

As such, an effective cyber risk management program involves the entire organization. Although IT or Infosec may ultimately own cybersecurity risk management, cyber risk is dispersed throughout the organization, requiring an integrated approach and cross-divisional collaboration to effectively manage and mitigate exposure.

Below are 4 key steps your organization can take to implement a robust cyber risk management strategy.

1. Understand Your Risk Profile: Understanding your risk profile and potential exposure requires an enterprise-wide threat assessment.
   • Identify critical enterprise risks to determine the applications, systems, databases, and processes subject to cyber risk. Consider the array of external and internal threats, from unintentional user error to third-party access to malicious attacks.
   • Undertake risk assessments with all stakeholders to assess the likelihood and potential impact of cyber risk exposure, including cross-divisional and secondary effects and technology dependencies. Consider third-party exposure, as they have increasingly become vectors for cyber incidents, and the risk posed by the expanding technology perimeter due to work from home requirements.
   • Quantify risks including the potential financial, operational, reputational, and compliance impact of a cyber risk incident. A risk scoring framework can help provide a more holistic ranking of threats.
2. Set a Firmwide Strategy: Establish a firmwide strategic framework for cyber risk management
   • Prioritize risks by employing a shared risk measurement framework and reporting systems to effectively prioritize risks across the organization and enable informed resource allocation.
   • Consider industry-specific risk standards and incorporate any specific compliance requirements into your cyber risk management practice.
   • Set and communicate an enterprise-wide IT and cyber risk management strategy. Technology infrastructure and application use is critical throughout every organization. Therefore, cyber risk exposure can occur in any division, making it an organizational priority, rather than an IT one.
3. Invest in Cyber Risk Management Infrastructure
   • Assess system requirements to understand where organizational cyber threats originate and provide a guidepost to the types of systems required. A distributed, cloud-based organization will have different needs from a physical asset intensive organization. Consider how your company currently operates to ensure that a GRC platform will accommodate evolving needs.
   • Potential investment in GRC software or other cyber risk management tools should also consider risk reporting and incident management requirements, workflows, ease of use, flexibility, and future expansion capability.
4. Establish a Dynamic Cyber Risk Management Process
   • Establish robust oversight by maintaining an updated inventory of potential threats and dynamic quantification of the potential impact and mitigation costs of cyber incidents.
   • Communicate with third parties to ensure their security protocols align with organizational standards and practices.
   • Invest in Training - With rapid evolution of technology and related cybersecurity risks, cyber risk management is not a static, tick the box solution. Organizations can spend large sums on state of the art security infrastructure, but a truly effective cyber risk management program requires effective stakeholder training.

LogicGate’s IT Risk Management Solution

As the scale and scope of cyber risk explodes, how can your organization accurately assess, quantify, manage, and mitigate cybersecurity risk? Cybersecurity risk management requires a robust platform to enable enterprise-wide engagement and effective management of risks.

Establishing a culture of cyber risk awareness is easier with a customized and flexible interface. LogicGate’s  IT Security Risk Management Software provides the shared tools you need to communicate your company’s risk framework, safeguard your information assets, and comply with industry standards, so you can maintain your organization’s reputation and protect your company, employees, clients, and customers.