Surprisingly, we still sometimes hear that cyber risk professionals are challenged by their General Counsel and legal department not to quantify their cyber risk, because quantifying it might, in their opinion, introduce liability: once a problem is known and measured, not having done enough to address it could be held against the organization.
To quote SEC Cyber Enforcement Chief Kristina Littman, speaking at the 2020 FAIR Conference, “Willful blindness is never a good strategy from a legal perspective.”
Nicola (Nick) Sanna is President of the FAIR Institute
Here are three compelling reasons why ignorance is not bliss when it comes to cyber risk management and the “duty of care” that corporate officers and directors must meet.
- Putting your head in the sand increases the probability that those risks materialize, because risks that are not measured are not properly managed either. After all, you cannot manage what you don’t measure.
- It is a fiduciary responsibility of corporate executives to identify and report risks that may be material to the business, so that leadership and the board are aware of them and can help address them.
- Increasingly, regulators are demanding disclosure of top cyber risks and evidence that cybersecurity initiatives are adequate to reduce risk to an acceptable level. The SEC expects public companies to disclose material cyber risks and incidents to shareholders, and materiality is a judgment that ultimately rests on financial impact, which is hard to argue without measuring it.
What can cyber risk executives do to help their organizations answer the “better not to know” challenge? Here are three tips that turn those challenges into win-win situations.
1. Always present remediation plans along with top risk reports
The cybersecurity or risk team should present options for addressing each top risk, with their expected risk reduction and cost, so that the business can make informed decisions on the most appropriate cybersecurity response. The documented decision, together with the options that were considered and the rationale for choosing among them, is what creates a defensible record in the event of a legal or regulatory challenge.
2. Present the numbers as projections in ranges, not precise predictions
Business planning, including cyber risk management, should always account for uncertainty in outcomes, which depends on the range of assumptions behind the analysis and on a dynamic threat landscape. Express cyber risk in ranges, just as public companies express revenue projections as ranges. Be transparent about the assumptions behind the inputs for your risk scenarios. But, above all, stand by the range rather than offering indefensible precision: a single point estimate invites challenge, while a range with its inputs stated can be explained and defended.
3. Consider translating dollar figures into qualitative scores
If the organization is less data-driven and the legal team is strongly sensitive to presenting top risk assessments in financial terms, results can be translated into less controversial, qualitative terms without sacrificing the rigor of the underlying quantitative analysis. Qualitative representations of risk could be High/Medium/Low or an ordinal scale such as 1-5. The difference from a traditional qualitative assessment is that the label is derived from a measured loss range by a documented mapping, not assigned by judgment, so keep the mapping thresholds written down and the quantitative analysis on file, or the scores lose their traceability.
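The following is an added illustration of tips 2 and 3 together; it is not code from the FAIR Institute or from the author. It simulates one loss scenario many times from calibrated input ranges, reports the annual loss exposure as a P10/P50/P90 range alongside the assumptions that produced it, and then maps that range onto a 1-5 ordinal score. The scenario numbers are constructed for the example, the triangular distributions are a deliberately simplified stand-in for the PERT-style distributions a full FAIR analysis would use, and the ordinal band thresholds are hypothetical: an organization would set its own.

```python
import math
import random
import statistics

# Constructed example scenario (not real data). Each input is a calibrated
# (min, most likely, max) range rather than a point estimate.
SCENARIO = {
    "name": "Ransomware on file servers",
    # Loss event frequency: events per year
    "lef": (0.1, 0.5, 2.0),
    # Loss magnitude per event, in dollars
    "lm": (50_000, 400_000, 3_000_000),
}

# Hypothetical ordinal bands applied to the P90 annual loss (thresholds are
# assumptions for this example): 1 = below $100k, 2 = below $500k,
# 3 = below $1M, 4 = below $5M, 5 = $5M and above.
ORDINAL_BANDS = [100_000, 500_000, 1_000_000, 5_000_000]


def poisson(rng, lam):
    """Knuth's algorithm: number of loss events in one year at mean rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=10_000, seed=1):
    """Monte Carlo over the input ranges; returns one simulated loss per year.

    Triangular distributions are used as a simplified stand-in (assumption)
    for the PERT distributions a full FAIR analysis would typically use.
    """
    rng = random.Random(seed)
    lef_min, lef_mode, lef_max = scenario["lef"]
    lm_min, lm_mode, lm_max = scenario["lm"]
    annual = []
    for _ in range(trials):
        rate = rng.triangular(lef_min, lef_max, lef_mode)
        events = poisson(rng, rate)
        loss = sum(rng.triangular(lm_min, lm_max, lm_mode) for _ in range(events))
        annual.append(loss)
    return annual


def percentile(samples, pct):
    """Nearest-rank percentile of a list of samples (pct in 0..100)."""
    ordered = sorted(samples)
    idx = round(pct / 100 * (len(ordered) - 1))
    return ordered[max(0, min(len(ordered) - 1, idx))]


def to_ordinal(value, bands=ORDINAL_BANDS):
    """Map a dollar figure onto a 1..len(bands)+1 ordinal score."""
    for score, threshold in enumerate(bands, start=1):
        if value < threshold:
            return score
    return len(bands) + 1


def summarize(scenario=SCENARIO, trials=10_000, seed=1):
    """Range-based report: P10/P50/P90, mean, stated assumptions, ordinal score."""
    losses = simulate_annual_loss(scenario, trials, seed)
    report = {
        "scenario": scenario["name"],
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "mean": statistics.fmean(losses),
        # The assumptions travel with the numbers so the range is defensible.
        "assumptions": {"lef": scenario["lef"], "lm": scenario["lm"],
                        "distribution": "triangular", "trials": trials},
    }
    # Qualitative label derived from the measured range, not assigned by judgment.
    report["ordinal_p90"] = to_ordinal(report["p90"])
    return report


if __name__ == "__main__":
    r = summarize()
    print(f"{r['scenario']}: annual loss exposure "
          f"P10 ${r['p10']:,.0f} / P50 ${r['p50']:,.0f} / P90 ${r['p90']:,.0f}")
    print(f"mean ${r['mean']:,.0f}; qualitative score (on P90): {r['ordinal_p90']}/5")
    print("assumptions:", r["assumptions"])
```

Note that the report carries the assumptions next to the percentiles, and that `to_ordinal` is the only place where a dollar figure becomes a score; changing the bands changes the label but not the underlying analysis, which is what keeps a qualitative presentation traceable back to the quantitative work.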
In sum, blissful ignorance of cyber risk is not a defensible stance for an organization, but that does not mean you should dismiss the concerns of your legal team. Aim for a win-win situation for all parties involved.