How Cyber Risk Can Impact Your Investment Strategy
By Bruce Dahlgren, Chief Executive Officer, MetricStream
Nearly all aspects of business are reported in numerical terms, from financial results and cash flow forecasts to employee engagement scores and advertising performance. However, there is one exception: cyber risk. Up until the last several years, many Chief Information Security Officers and Chief Risk Officers were content to measure cyber risk with heatmaps, where qualitative indicators such as red, yellow and green guided the interpretation of a threat matrix.
Times are changing, as assigning numerical values to cyber risk threats (risk quantification) is reaching its prime time. According to Deloitte, “Boards, executives, and the organization at large recognize their fiduciary responsibilities to customers—and take those duties seriously. Yet, when it comes to identifying cyber risks and efficiently allocating resources towards mitigating them, the industry continues to struggle.”
Cyber risk quantification is a catalyst for making more strategic decisions, whether you’re a boardroom leader or an individual investor doing diligence. What still lies ahead, however, is industry-wide standardization in how companies measure and report cyber risk. The next several years in cyber risk policy will change the way companies and investors use risk as a strategic datapoint. Here’s how investors can evaluate cyber risk in their portfolio in the meantime – and why it’s important to self-audit now:
Buying risk is risky, but insurance is leading the way
Cyber risk is still an evolving market, and the key metrics that separate good security from bad are still being developed. Insurers, as they often do, are leading the way on standardizing how cyber risk is valued so they can properly evaluate and price it. As this practice spreads, the price of insuring risk is escalating; investors should keep an eye on this shift over time across their portfolio.
Standard and Poor’s Corp. released a report last year that claimed that “cyber insurance premiums, which now total about $5 billion annually, will increase 20% to 30% per year on average in the near future.” Securing coverage is already getting more challenging as prices increase, and it will only get harder as practices standardize.
Investing in cyber risk quantification is an indispensable value-add if you are looking to control costs and make wise, analytics-based investment decisions. For example, only a finite number of insurance companies currently underwrite cyber risk and provide cyber insurance. As with any insurance policy, there are many caveats to consider, including that an insurer may require investment in a cyber quantification tool as a prerequisite for obtaining coverage. In fact, the more a company invests in cybersecurity controls and tools, the more likely it is to gain access to these insurance products. Understanding the cost benefit of taking on a risk versus insuring against it makes for smarter investing.
The regulatory environment is still settling
While insurers are leading the way on standardizing how cyber risk is measured, the regulatory environment around cyber risk is still settling down. Whether as a company or as an investor, it’s key to follow changes in the regulatory environment. As long as regulations remain in flux, companies must grapple with the fact that their currently sufficient procedures for cyber threats might not pass muster under new rules. Well established regulations set guardrails for compliance and define the civil and criminal costs of noncompliance. These guardrails are still in beta for cybersecurity.
For example, GDPR, while feared at first, has created stability in the market. It required investments and changes in data protection policies, but as those have settled, the guardrails of compliance have become better defined. The regulatory risk that GDPR imposes on cyber policies is now relatively straightforward to value. If the company meets the requirements, the assigned risk value is what is being spent to meet them; if not, the risk value lies in the associated penalties and fees.
It’s harder when dealing with upcoming or future regulations, where risks and penalties are not yet defined. The U.S. is expected to take an approach similar to the EU’s around data privacy, but until clear action is taken or laws are passed, companies are challenged to quantify the level of risk that resides with their business.
One approach is to use clearly defined regulatory action as a proxy. According to Gavin Grounds, Verizon Executive Director, Information Risk Management and Cyber Security Strategy, “for areas where it’s foggier, such as potential regulation, you can look at similar existing regulations as a baseline to assign a risk value. By looking at the costs of managing similar regulations today - operationally and financially - we can make some assumptions. For example, what we think the order of magnitude is going to be can be a benchmark to begin assigning an impact – is it a five percent magnitude change or is it more transformative? We need to spend time understanding what aspects of the business a specific regulation can impact, look at previous measures and then assign a value.”
As investment holdings change over time, so too does cyber risk. We can’t predict the future, but those who are prepared and can measure risk as closely as possible to a value are more prepared down the line when change happens.
What about worst-case scenarios?
Investors and corporate leaders alike know that cyber risk, in general, is fairly binary – it is either not a problem at all or it is a huge problem. A major cyber-attack is a worst-case scenario risk event that CISOs must plan for and investors must size up before signing on.
From a measurement perspective, quantifying the reputational damage of a cyber breach echoes the binary nature of this scenario. Its upper bound is also relatively simple to estimate.
According to Grounds: “You can’t lose more than what you’re worth. Not many singular events will wipe out your entire market capital. This allows you to eliminate a major scenario and gets you closer by knowing what that number isn’t. It’s measuring by process of elimination.”
While it may be a rare and unlikely scenario, taking this step and measuring risk will again help set up for a more prepared future.
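The three techniques above (pricing an undefined future regulation off a known one, bounding any single-year loss at market capitalization, and weighing the cost of retaining a risk against the cost of insuring it) are easier to see in a small model than in prose. The script below is an added example written for this article; it is not MetricStream’s or the author’s code, and every figure in it (event frequencies, loss sizes, the hypothetical company’s market cap, the premium and the loss it can tolerate) is a constructed assumption, not a number from the article. It uses a frequency-times-severity Monte Carlo, the simplest form of the quantification the article advocates, with lognormal per-event losses and Poisson event counts.

```python
"""Toy cyber risk quantification model.

Added example for this article, not MetricStream's or the author's code.
Every number below (frequencies, loss sizes, market cap, premium, tolerable
loss) is a constructed assumption so the model runs offline; none is a figure
from the article.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (Poisson mean)
    loss_median: float       # median loss per event, in dollars
    loss_sigma: float        # lognormal sigma: how fat the per-event loss tail is


def annualized_loss_expectancy(annual_frequency: float, single_loss: float) -> float:
    """The simplest quantified figure: expected events per year times loss per event."""
    return annual_frequency * single_loss


def proxy_scenario(known: Scenario, name: str, magnitude: float) -> Scenario:
    """Size a not-yet-defined rule from a known one (the 'existing regulation as a
    baseline' approach): keep the baseline's frequency and tail shape, scale the
    per-event loss by an assumed order-of-magnitude factor (1.05 for a five
    percent change, 10.0 for something transformative)."""
    return replace(known, name=name, loss_median=known.loss_median * magnitude)


def cap_loss(loss: float, market_cap: float) -> float:
    """'You can't lose more than what you're worth': bound a year's loss at market cap."""
    return min(loss, market_cap)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; the random module has no Poisson draw of its own."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, market_cap: float, years: int, seed: int = 7) -> list:
    """Monte Carlo: for each simulated year draw how many times each scenario
    occurs and how much each occurrence costs, sum them, and cap the year."""
    rng = random.Random(seed)
    results = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        results.append(cap_loss(total, market_cap))
    return results


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses) -> dict:
    return {
        "expected": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "worst": max(losses),
    }


def insure_or_retain(summary: dict, premium: float, tolerable_loss: float) -> str:
    """Retain the risk when the premium costs more than the expected loss and the
    1-in-20-year loss is survivable; otherwise buy the cover."""
    if premium <= summary["expected"]:
        return "insure: premium is below expected annual loss"
    if summary["p95"] > tolerable_loss:
        return "insure: 95th-percentile loss exceeds what the balance sheet can absorb"
    return "retain: premium exceeds expected loss and the tail is survivable"


if __name__ == "__main__":
    # Constructed inputs for a hypothetical mid-cap company.
    market_cap = 2_000_000_000
    gdpr = Scenario("GDPR non-compliance", annual_frequency=0.10, loss_median=4_000_000, loss_sigma=1.0)
    scenarios = [
        Scenario("Ransomware outage", annual_frequency=0.30, loss_median=3_000_000, loss_sigma=1.2),
        gdpr,
        proxy_scenario(gdpr, "Future US privacy rule", magnitude=1.05),  # assumed 5% change
    ]
    for s in scenarios:  # single-number view, using the median per-event loss
        print(f"{s.name:24s} ALE ~ ${annualized_loss_expectancy(s.annual_frequency, s.loss_median):,.0f}")
    summary = summarize(simulate_annual_losses(scenarios, market_cap, years=20_000))
    for key, value in summary.items():  # distribution view, capped at market cap
        print(f"{key:9s} ${value:,.0f}")
    print(insure_or_retain(summary, premium=1_500_000, tolerable_loss=25_000_000))
```

The point of the distribution view is the one the article makes about heatmaps: a “red” cell says nothing about whether the 1-in-100-year loss is a rounding error or a solvency event, while the p95 and p99 figures, bounded above by market cap, are what an insurer prices and what the insure-or-retain comparison at the end actually needs.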
Turning Risk into Investment Advantage
Investors know there are many factors that drive a decision to keep, grow or sell a position, or to evaluate a new opportunity. Data-driven tools help simplify these choices, but as long as cyber risk is measured only qualitatively, those tools cannot use it. This is one reason why the push towards standardizing and quantifying cyber risk is so important: measured risk adds another datapoint to your diligence stack. Knowing how to size up cyber risk scenarios when data is not available is a handy strategy for investors to make the most informed decisions and ultimately turn risk unknowns into a strategic advantage.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.