At the recent FAIR Institute London Summit, Pooya Alai and Rebekka Kurland of the cybersecurity risk team at Maersk, the global shipping and logistics giant, presented a FAIR case study with a message about communicating to stakeholders that every practitioner of quantitative cyber risk analysis should hear. Yes, Factor Analysis of Information Risk (FAIR™) enables communication in the financial terms of loss exposure in dollars. But that’s not the only financial metric that business audiences may want to hear.
Watch the Video from the FAIR Institute London Summit:
Case Study: Improving Cyber Risk Visibility and Decision Making
Pooya Alai, Senior Cyber Security Risk Manager, Maersk
Rebekka Kurland, Cyber Security Risk Manager, Maersk
FAIR Institute Contributing Membership required to view.
As the Maersk risk team told the story, the due diligence team turned up some serious cybersecurity concerns in an acquisition target company. The risk team prepared a FAIR analysis and presented it to the team negotiating the acquisition bid. “The outcome was, they couldn’t care less,” Pooya said, “because even though we made a clear case for implementing the recommendations we suggested, the risk was small relative to the transaction price, and it was just a distraction.” Similar shrugs from the other teams involved in the deal.
The due diligence team, which had been championing FAIR was irked. “They turned around and said, “That’s the last time we are going to use FAIR.”
Knocked back on their heels, the risk team had to reconsider their assumptions. “Sometimes talking dollars and cents is not enough,” Pooya said, “because you need to apply those dollars and cents to what they care about.”
The team recast their analysis in M&A terms: transaction multiples for EBITDA, for price/earnings ratio, and for transaction price. They ran a FAIR risk scenario for loss of availability from ransomware, took the annualized loss exposure figure (ALE) and calculated the effect on EBITDA that in turn enabled calculation of a risk-adjusted P/E ratio and a risk premium for the transaction price. (Be sure to watch the video of the Maersk presentation to see these numbers on a spreadsheet.)
“It’s just different ways of looking at exactly the same thing,” Pooya said, “but in a language that translates. Even though the risk was small relative to the transaction price, once you start making that adjustment to the actual transaction multiples, it becomes as lot larger, then they get it.”
In the end, the deal went ahead, the recommendations were accepted and “everyone was happy.”
The lesson learned: “The best way to talk about risk is not to talk about risk but about the variance around the metrics that matter” to decision-makers.
