
Putting cyber risk into business perspective

November 22, 2022

I am in the process of writing a new book. It is intended as guidance for senior management and board members on decision-making when it comes to cyber risk.

I see a gap in their understanding of the level of business risk, and that creates problems when it comes to deciding how much of their organization’s scarce resources (people and money) should be invested in preventing or minimizing the effects of a data breach.

I believe they tend to respond to risk assessments by the CISO or others in the management team that label the level of risk as “high”, but do not describe the potential effects on the business and its success, nor the likelihoods of such major impacts.

They also respond to media headlines and the advice of consultants who may not fully understand the business and are not really objective.

Money, as we know, does not grow on trees.

Every penny spent on cyber risk is a penny that is not spent addressing other sources of business risk and opportunity, such as supply chain risk, competitor risk, new or upgraded technologies, marketing programs, customer service, and so on.

As I was doing my research, I reviewed a 2021 study by PCH Technologies, Cost of Cyber Attacks vs. Cost of Cyber Security in 2021. They reported that these four breaches were among the most severe in 2020 and 2021.

I added a note to the PCH language for each of the four that puts the scale of the breach into business perspective.

  1. Solarwinds, a company that makes business software, was compromised at some point in 2020. This was an advanced persistent threat (APT) that proved very hard to detect. In total, the company reported losses of $25 million to its investors.

Note: Solarwinds revenue in 2020 was $1.1 billion, so the losses were 2.27% of revenue.

  2. Amazon was targeted with a DDOS attack earlier… and it succeeded. They were only down for a little over an hour, but the total losses were somewhere in the neighborhood of $75 million.

Note: Amazon’s revenue in 2020 was $386 billion, so the loss was trivial by comparison.

  3. In May of 2021, Brazilian meatpacking company JBS was the victim of a ransomware attack. The ransom alone was $4.4 million, and the loss of revenue might have been even greater.

Note: JBS’s 2020 revenue was $71 billion.

  4. On May 6, 2021, the Colonial Pipeline was hacked, and the ransom paid by the company was reported as $5 million.

Note: this was 1% of Colonial Pipeline’s 2021 revenue of $500 million.

IBM has sponsored studies of the cost of a data breach by the independent research organization Ponemon Institute for 17 years. Their latest, Cost of a Data Breach 2022, “studied 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches occurred across 17 countries and regions and in 17 different industries.”

Their insights included:

  • The average total cost of a data breach was $4.35 million ($9.44 million in the US); the average cost of a ransomware attack was slightly more, at $4.54 million.
  • 83% of organizations that had a breach had more than one incident.
  • The average time to identify and contain a breach was 277 days. This is a reduction from the 287 days in 2021.

In general, costs are increasing – but that is not universal. Six countries (Germany, Japan, France, South Korea, Scandinavia, and Turkey) saw a year-on-year decrease.

When you look at the cost of a breach by industry, Healthcare suffered the highest average cost, at $10.10 million, with Financial Services next at $5.97 million.

My questions to all of you:

  1. How significant is cyber risk at your organization? Is it really a top ten source of risk to the business and its objectives?
  2. Are management and the board of your organization able to compare the level of risk to other sources of business risk and opportunity, so they can make informed and intelligent decisions about how much to invest?
  3. How confident are you that your organization is obtaining an acceptable return on its investment in addressing cyber risk, given the alternative returns on other investments?
  4. How confident are you that management understands the dynamic nature of cyber risk (and most other sources of risk to the business)? It is changing constantly.

I welcome your answers and comments.

  1. John Fraser
    November 22, 2022 at 7:28 AM

    Norman, glad that you are doing it but few directors will actually read it. Once the CAE or CRO or CIO says a risk is ‘High’, if the directors were doing their job they would ask questions and dig into the situation to really understand the issue. When I reported major cyber risks to the board, the response was a yawn from the board members. Just saying.

  2. Shaun
    November 22, 2022 at 7:29 AM

    I tend to agree with most of the observations, certainly believe that cyber risk is overstated and a lack of insight or understanding of impacts makes it difficult for boards to make informed investment decisions. I note that the focus here is on financial loss – do you consider regulatory and reputational impacts here as well? For example, protecting customers’ data is really important (and failures can lead to huge regulatory fines in the UK with GDPR). Interesting post as always. My answers:
    1) Considered top ten but I don’t know how significant it really is (see answer 2)
    2) No
    3) Not confident due to the amount of investment
    4) Not confident – agree that CISO directs this

    • Norman Marks
      November 22, 2022 at 7:32 AM

      Shaun, as I understand it, reputation and compliance impacts are included in the cost estimates – all of which will eventually affect the bottom line through loss of revenue, increased costs, etc.

  3. November 22, 2022 at 8:46 AM

    The initial costs of a cyber attack may seem small, but the longer term aggregate cost of attacks can be very high, even terminal, for companies that depend on consumer trust in their systems. The cyber attacks on Medibank (health insurer) and Optus (Telco) in Australia may have extreme impact on trust and long term revenue.

    • Norman Marks
      November 22, 2022 at 9:51 AM

      David, I believe the reported cost reflects the longer term impact. It is not limited to short term costs.

      • Norman Marks
        November 22, 2022 at 9:52 AM

        The lesson for me is that every organization needs to assess cyber risk in terms of the likelihood of a breach (or series of breaches) that would have a significant effect on the business. Saying it is “high” doesn’t cut it.

        • John Fraser
          November 22, 2022 at 9:58 AM

          Of course (just) “Saying it is “high” doesn’t cut it.” Any risk rating has to be supported by explanations as to what is causing the risky situation and what the mitigants currently in place and planned are, and what the possible effects may be in terms of likelihood and magnitude. Q.E.D.

        • David Michael
          November 22, 2022 at 10:06 AM

          I recognise the value of assessing likelihood and likely impact of cyber attack, and a case by case approach is essential. Organisations with large databases containing confidential information seem to be particularly vulnerable and may need to go to another level in assessing likelihood and long term impact of cyber attacks.

  4. Bhavana Lahoti
    November 22, 2022 at 10:29 AM

    1. Top risk to the Organization
    2. No
    3. Somewhat confident
    4. Somewhat confident that Technology leadership understands the risk

    My prior organizations were fairly mature in their understanding of cyber risk and its impacts on the firm and their key stakeholders. My current one is very much in the infancy stage of Risk Management beyond SOX Compliance.

  5. Ian Clegg
    November 22, 2022 at 8:50 PM

    Good post Norman. Just one example of the tendency to accept high ratings without asking a ‘so what’ question. Agree with your sentiments absolutely.

  6. November 23, 2022 at 7:45 AM

    1. Yes, one of the top risk.
    2. Yes.
    3. Yes
    4. Yes
    To explain my answers: I work in a hospital (security staff). A successful ransomware attack would result in unavailability of the hospital IS and all patient data. There are procedures to continue care manually, but many processes would come to a halt. Less income. Bad for the reputation. Potential loss to pay criminals. According to other cases in the Netherlands this fee would be 1-2 pct of annual revenue. Not sure if the insurance will pay. This would all be far more than the investment in cyber security countermeasures, regarding that every organisation should have a basic level of security (and hospitals more because of higher risk; see various reports).
    When your opinion is that all money should go to providing care to patients, the answer to 3 would be No, but that is not realistic. Money is also spoiled in other fields (like medicine, inefficiency in processes, etc.)
    The answer to 4 is yes, because the chairman of the board has a background in auditing (PWC) and also other managers and Supervisory Board have a sound knowledge of risk management to take care of checks and balances.

    • Norman Marks
      November 23, 2022 at 7:56 AM

      Impressive, and thanks for the detailed explanation. I’m curious that you think the chairman understands the topic well enough to know how much to invest vs nursing salary, compliance, etc. It’s not my experience with the firms.

      • Anonymous
        November 24, 2022 at 7:56 AM

        The chairman left PWC some years ago and has had a career in healthcare since. Also, in the Netherlands there is no ‘freedom’ in nursing salary. We have so called ‘collective labour agreements (CAO)’ per branch that also have salary tables. There is support from audit and compliance specialists. There are also checks and balances with respect to medical issues (staff of specialists).

