By Thomas Lyden, Managing Director, Strategic Initiatives, SSIC
With the European Union’s General Data Protection Regulation (GDPR) implementation date going into effect on May 25, it is generating significant press coverage. Given the focus on data privacy, the law’s financial penalties, and the sweeping implementation, the interest is understandable.
However, the real question corporations need to answer in regard to the regulation is: how much economic risk does GDPR add to their overall cyber risk? Corporations should be asking:
- Do you know your current expected loss from a relevant cyber event?
- Can you measure your cyber risk?
- Do you know the effectiveness of your control implementations?
- Is your risk transfer zone (which helps determine when to transfer cyber risk via cyber insurance) in the right place?
Cyber Risk Measurement: Moving from Compliance to Risk
Most enterprises are focused on “complying” with regulations, however, they tend to believe that complying with a specific regulation means they are “risk free” and “covered.” Unfortunately, a compliance-based approach to risk mitigation only offers a minimum level of security and doesn’t fundamentally reduce risk.
In terms of responsibility, boards of directors accept liability for strategic planning that is carried out by the executive team. As such, it’s critical that executives and boards understand operational risk, and that includes considering cyber risk a business risk.
The cyber and executive teams need to understand and communicate the difference between compliance and risk management across their ecosystem, particularly as more and more businesses push a digital transformation strategy.
Organizations should pay particular attention to the following areas:
- Financial impact of a cyber event
- Business impact of a cyber event
- Legal impact of a cyber event
- Reputational impact of a cyber event
By understanding and evaluating the financial impact of their inherent and residual cyber risk, organizations can build programs and change the conversation with leadership, arming businesses with real business risk intelligence.
Given the fog that cyber has presented to boards and leadership, I encourage cyber teams to learn how to read risk management reports and ask themselves questions. This allows cyber teams to provide meaningful data to executives that enables business decision making. Measuring cyber risk objectively is what enables organizations to move their cyber program from a compliance-based to a true risk-based approach, and finally allows them to answer this question confidently and empirically: can you measure expected loss from a cyber event.