Executive Viewpoint 2017 Prediction: Telos Corporation – Measuring and Managing Aggregate Cyber Risk
In 2017, aggregate cyber risk will become the focus of security professionals and senior management.
Much as the financial services industry manages a portfolio of positions rather than individual trades, cyber security analysts must measure and manage cyber risk as a whole; looking at individual risks in isolation is no longer enough. Hundreds, or perhaps thousands, of smaller risks can collectively create a nightmare. Understanding aggregate risk is essential.
Let’s look at a few specific areas:
Cyber attacks have increased over the past few years and will only get worse. Because cyber is so new, relatively speaking, there isn’t a great deal of actuarial data to help insurance carriers underwrite cyber risk. The aggregate effect of cyber risk and the financial liability it poses are critical concerns for the insurance industry. For example, as bad as the Target breach was, what if there had been multiple, similar breaches that occurred simultaneously? What impact would this have had on the insurance carriers providing cyber liability coverage to these companies?
Moving forward, insurance companies will not only need to better understand the risks facing individual clients, but will also need to view this data across their entire portfolios to understand aggregate risk and ensure they are not overextended. The good news is that the insurance industry is beginning to rely on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) to help standardize the view of cyber risk and ultimately manage aggregate, or portfolio, risk.
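The "multiple, similar breaches at once" scenario above is exactly what separates portfolio risk from the sum of individual risks. The following Monte Carlo simulation is an added illustration, not part of the original article or any Telos product: it compares a book of insured clients whose breaches are independent with one that shares a common "systemic event" (for example, a widely exploited flaw hitting many clients in the same year). The marginal breach probability per client is held identical in both cases, so the expected annual loss is the same; only the correlation differs. All portfolio parameters (200 clients, 2% annual breach rate, 5% chance of a systemic year, lognormal severity with a $1M median) are constructed assumptions. The same model applies unchanged to a portfolio of suppliers.

```python
import random
import statistics

# Constructed portfolio parameters (assumptions for this example, not from the article).
N_CLIENTS = 200          # insured organisations in the carrier's book
P_BREACH = 0.02          # marginal annual breach probability per client
Q_SHOCK = 0.05           # probability that a given year contains a systemic event
P_SHOCK = 0.25           # per-client breach probability during a systemic year
SEV_MU, SEV_SIGMA = 0.0, 1.0   # lognormal loss severity in $M (median $1M)

# Base-rate in non-systemic years, chosen so that the marginal per-client
# probability stays at P_BREACH: (1-Q)*P_BASE + Q*P_SHOCK == P_BREACH.
P_BASE = (P_BREACH - Q_SHOCK * P_SHOCK) / (1 - Q_SHOCK)


def simulate_year(rng, correlated):
    """Return total portfolio loss ($M) for one simulated year."""
    if correlated:
        # One draw decides whether this is a systemic year for every client.
        p = P_SHOCK if rng.random() < Q_SHOCK else P_BASE
    else:
        p = P_BREACH
    total = 0.0
    for _ in range(N_CLIENTS):
        if rng.random() < p:
            total += rng.lognormvariate(SEV_MU, SEV_SIGMA)
    return total


def simulate_portfolio(trials, correlated, seed=0):
    """Simulate `trials` independent years; seeded so results are reproducible."""
    rng = random.Random(seed)
    return [simulate_year(rng, correlated) for _ in range(trials)]


def percentile(samples, q):
    """Empirical q-quantile (0 < q < 1) of a list of samples."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def summarize(samples):
    return {
        "mean": statistics.fmean(samples),
        "p99": percentile(samples, 0.99),   # 1-in-100-year loss
        "max": max(samples),
    }


def compare(trials=10000, seed=0):
    """Summaries for the independent book and the correlated book."""
    indep = summarize(simulate_portfolio(trials, correlated=False, seed=seed))
    corr = summarize(simulate_portfolio(trials, correlated=True, seed=seed))
    return indep, corr


if __name__ == "__main__":
    indep, corr = compare()
    for label, s in (("independent", indep), ("correlated", corr)):
        print(f"{label:12s} mean={s['mean']:6.1f}  p99={s['p99']:6.1f}  max={s['max']:6.1f}  ($M)")
```

Running it shows the two books with nearly the same mean loss but a 1-in-100-year loss several times larger for the correlated book. A carrier (or a buyer assessing its suppliers) that prices or reserves against the sum of individual expected losses will be under-capitalised for precisely the scenario the text describes; the tail, not the mean, is where aggregate risk lives.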
Many industries have enormous supply chains. Just think about how many parts are used to build an airplane, for example. These parts and components are provided by many different vendors; the supply chain for an airplane is gigantic.
Supply chain security has become an important consideration, and both the public and private sectors are in the process of incorporating cyber security controls into their acquisition processes to ensure all members of their supply chains have sound cyber security practices. Having this data for all participants in the supply chain will help organizations better understand their aggregate supply chain risk. Again, the NIST CSF can be a helpful method for organizing, viewing and communicating aggregate supply chain cyber risk.
With heavy adoption of cloud-based services, organizations are challenged to continuously assess new cloud-based security controls in order to manage the aggregate cyber risk associated with relatively new hybrid IT environments. Cyber risk and compliance management for legacy on-premises IT systems has been going on for many years. However, the use of cloud-based infrastructure, platforms and software makes this effort more complex.
Moving forward into 2017, it will be necessary for organizations to account for cloud-based risk in order to understand their overall, aggregate cyber risk.