As companies calculate cyber risk, the right data makes a big difference

The proposed U.S. Securities and Exchange Commission’s stronger rules for reporting cyberattacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cybersecurity to the highest levels of corporate leadership.

This means that boards and executives will need to increase their understanding of cybersecurity, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.

Calculating cyber risk

Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cybersecurity decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cybersecurity exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.

While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organization.

Think beyond security aspects

Any calculation of the cost of a breach needs to take into account factors beyond security aspects. It needs to also consider factors including region, industry, size of the organization and more – as fines and regulations differ sharply depending on these aspects, and result in large differences in the costs of managing data breaches, even when data breaches are very similar on the surface. For example, the financial sector often faces more regulatory scrutiny and higher fines than many other sectors.

Location can also make a big difference. Especially following the implementation of the EU’s GDPR law, the consequences of fines associated with personal data being exposed in European countries are often higher than other places. 

Fine amounts also depend on what type of data is breached. The costs can also differ if a breach causes a total business shutdown or significant reputational damage — and all of these consequences are dependent on the unique aspects of each business. Unless a calculation takes into account the unique and specific characteristics of a business, the results are not helpful.

Distinguish between direct and indirect costs

Calculations for cost of breach should include both direct and indirect costs, and distinguish between them. By considering direct costs, like fines, other payments to third parties or the loss of revenue if business operations pause; and indirect costs like the churn that often follows breaches and the loss of productivity while reacting to a breach, companies can see the entire picture. These potential costs should also be personalized for each business, so they can plan properly. For example, a website being offline is probably more damaging – and a direct cost – for an online shopping site than for a law firm, where it may be only an indirect cost.

Seeing the breakdown of costs – and the timeline of when they would need to be paid out – helps companies plan for such expenditures and better understand how their cyber exposure figure was calculated.

Understanding – and reducing – real financial exposure

While knowing the potential cost of a breach is helpful, it is only part of the picture. Data should also be used to assess the attack likelihood for each business asset. After all, cyber risk exposure is made up of the cost of breach multiplied by the likelihood. Any calculator of exposure should give overall exposure to give companies a sense of the big picture, plus exposure for each business asset or department being breached.

Cyber exposure is not just one number; it is multiple different numbers for each aspect of the organization. This means it is important to map out, often with the help of AI, possible attack routes to each network destination, and produce data on the probability of each actually being attacked. 

It is only by calculating the probability of each business asset being breached – and the cost of that breach — that companies can understand where exactly their exposure lies, and where each vulnerable dollar is situated. This allows companies to prioritize and map out effective prevention and mitigation plans, rather than throwing money at what they hope will be blanket solutions. 

The good news about probability of attack is that this aspect is largely under a company’s control. Once they understand the probability of each area of the business becoming a victim of a cyberattack, organizations can reduce that likelihood – and their overall exposure – by closing specific vulnerabilities and taking other measures, like having an IR team trained and ready to intervene.

Data and AI are increasingly promising for helping companies calculate the cost and likelihood of potential data breaches, as well as quantifying cyber exposure. But the users of such tools need to make sure they are indeed taking into account relevant data that is often forgotten but can severely impact the cost of breach.

Another challenge is that breach cost, risk and exposure calculations must be personalized for each company. To be effective and lead to practical mitigation plans, data used to assess cyber risk needs to include factors like the number of employees, locations, industry and more.

As cybersecurity has more influence on investors and company stakeholders, data and AI will no doubt continue to play a growing and more central role in translating cyber risk to business risk. But it is only helpful if done right.

Inbar Ries is chief product officer at CYE.