
A Guide to Understanding Your Cyber Risk Condition

Updated: Oct 23, 2023

For: Acme Financial Services, Inc.

Estimated for: October 17, 2023 to October 16, 2024


This assessment is for a particular profile. A profile can be built for an entire business, a business unit, a product line, a critical business application, and any other logical or physical business entity.

Insert a graphic that provides context for the entire method.



How to Use Your Assessment

This assessment explores the next twelve months of your cyber condition from a financial perspective. It illustrates the major cyber themes and possibilities that may present themselves to your business, based on patterns formed between historical data, your unique business profile, and the macro cyber economic condition.

This is your business, and the estimates for the next twelve months are just one way to think about your cyber risk condition. Your business has experienced the realities of cyber risk in its own way, so use this assessment in conjunction with your existing observations.

This assessment is not a prediction of a pre-determined future that precludes unknown conditions and changing human motivations. Use this assessment as a target at which to aim your actions. You are the agent of your cyber resilience strategy. Take what you need from this assessment to better manage, design, and communicate your cyber resilience strategy.



The Next 12 Months at a Glance.

As the threat landscape and macro cyber economic condition evolve, your cyber risk condition evolves with them. At this moment, your cyber risk condition is equivalent to 2.02% of revenue. Compared with your other operational risks, you may determine that your cyber risk condition requires further attention.

The 2.02% value is known as your exposure ratio. The exposure ratio is your current cyber exposure value divided by annual revenue:

Exposure Ratio = $404.9M / $20B = 2.02%

Cyber exposure is the sum of all possible impacts, each multiplied by the probability of that impact occurring. The graph below displays your current cyber exposure and the proportion contributed by each loss category.


Cyber exposure by loss category is the same sum restricted to the impacts in one loss category. The graph below displays your current cyber exposure by loss category to help you understand which loss category carries the most risk for your business.

Since cyber exposure is the sum of all possible impacts, each multiplied by the probability of impact, it is important for you to understand how probability relates to your cyber exposure. Adding the four loss-category probabilities below gives 155%. That figure is not itself a probability (a probability cannot exceed 100%); it is the expected number of loss categories in which your business will have at least one incident, and a sum above 100% indicates that more than one incident is expected over the next 12 months. The probability of having at least one incident of any kind is lower: if the loss categories are treated as independent of one another, it is roughly 94%. The list below displays the probability for each loss category.

1. Data Breach: There is a 37% probability that your business will have one or more data breach incidents of 1,000 records or greater over the next 12 months.

2. Interruption: There is an 87% probability that your business will have one or more interruption incidents of 30 minutes or greater in duration over the next 12 months.

3. Misappropriation: There is a 21% probability that your business will have one or more misappropriation incidents equal to or greater than 0.25% of revenue over the next 12 months.

4. Ransomware: There is a 10% probability that your business will have one or more ransomware incidents of 30 minutes or greater in duration over the next 12 months.

From a design concept, the above would be better as a table, not a list.
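The arithmetic behind the exposure ratio and the loss-category probabilities, as an added worked example that is not part of the original report. The four category probabilities and the $404.9M / $20B figures come from the page; the per-category impact table is constructed for illustration, and the Poisson frequency model used to turn "probability of one or more incidents" into an expected incident count is an assumption, not the assessment's own method.

```python
"""Worked exposure arithmetic for a cyber risk assessment (added example)."""
import math
from collections import defaultdict

# Constructed scenario table: (loss_category, impact_usd, annual probability of
# one or more incidents). Each category is collapsed into a single scenario for
# brevity; a real assessment sums many scenarios per category. The probabilities
# are the ones stated in the assessment, the impacts are illustrative only.
SCENARIOS = [
    ("Data Breach",      120_000_000, 0.37),
    ("Interruption",     200_000_000, 0.87),
    ("Misappropriation", 300_000_000, 0.21),
    ("Ransomware",       400_000_000, 0.10),
]

# Loss-category probabilities exactly as stated in the assessment.
CATEGORY_PROBABILITIES = {
    "Data Breach": 0.37,
    "Interruption": 0.87,
    "Misappropriation": 0.21,
    "Ransomware": 0.10,
}


def exposure(scenarios):
    """Cyber exposure: sum of every impact multiplied by its probability."""
    return sum(impact * p for _, impact, p in scenarios)


def exposure_by_category(scenarios):
    """The same sum, restricted to each loss category."""
    totals = defaultdict(float)
    for category, impact, p in scenarios:
        totals[category] += impact * p
    return dict(totals)


def exposure_ratio(exposure_usd, annual_revenue_usd):
    """Exposure ratio = cyber exposure / annual revenue (as a fraction)."""
    return exposure_usd / annual_revenue_usd


def sum_of_probabilities(probs):
    """Naive sum of per-category probabilities. This is what yields '155%';
    it is the expected number of categories with at least one incident,
    not a probability."""
    return sum(probs)


def combined_probability(probs):
    """Probability of at least one incident in any category, assuming the
    categories are independent: 1 - product(1 - p_i)."""
    return 1.0 - math.prod(1.0 - p for p in probs)


def expected_incident_count(probs):
    """Assumed Poisson model per category: P(>=1) = 1 - exp(-lambda), so
    lambda = -ln(1 - P). Summing lambdas gives the expected total number of
    incidents; 1 - exp(-sum) reproduces combined_probability()."""
    return sum(-math.log(1.0 - p) for p in probs)


def summary(scenarios, annual_revenue_usd):
    """Assemble the headline numbers the assessment reports."""
    exp = exposure(scenarios)
    probs = list(CATEGORY_PROBABILITIES.values())
    return {
        "exposure_usd": exp,
        "exposure_ratio": exposure_ratio(exp, annual_revenue_usd),
        "by_category": exposure_by_category(scenarios),
        "sum_of_probabilities": sum_of_probabilities(probs),
        "p_at_least_one_incident": combined_probability(probs),
        "expected_incidents": expected_incident_count(probs),
    }


if __name__ == "__main__":
    # The page's own headline: $404.9M exposure against $20B revenue.
    print(f"exposure ratio: {exposure_ratio(404.9e6, 20e9):.2%}")
    for key, value in summary(SCENARIOS, 20e9).items():
        print(f"{key}: {value}")
```

Running the block shows the three figures side by side: the naive sum is 1.55, the probability of at least one incident (under the independence assumption) is about 0.94, and the Poisson expected incident count is about 2.84. Whichever aggregation an assessment reports, it should be labeled as a count or as a probability, never both.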

The cyber exposure trend is a macro observation of changes that directly affect cyber exposure over time. Use the graph below to determine if your cyber risk condition is getting better or worse and if you are aligned with target.

Over the last 90 days, your cyber risk condition has decreased by 9.8%.

Development Note: The user needs the ability to refine the trend line in two ways. 1. they can change duration (quarterly, monthly, etc.), and 2. they can toggle from total exposure to data breach, ransomware, interruption, and misappropriation.

If your current cyber risk condition is undesirable, you may want to focus on the control domains that will best reduce your cyber exposure. The prioritized risk mitigation table lists the top 5 controls for improving your cyber risk condition. For each control domain it shows the maximum reduction in cyber exposure achievable when that control is fully implemented within your business.

In order to customize your prioritized risk mitigation plan, please see the Optimized Cyber Risk Strategy.



Your Themes for the Next 12 Months.

Through October 16, 2024, your themes for the year ahead are based on your current risk condition.

1. Most Concerning Threats: Web application attacks, denial-of-service attacks, and "everything else" are the most concerning threat patterns.

a. Web application attacks: In this category, a web application is the attack vector used to disrupt operations or compromise data. This pattern is related to data breach, interruption, and misappropriation. Guidance: To reduce incident probability, you can focus resources on application security, access control management, and vulnerability management.

b. Denial-of-service attacks: In this category, an attacker uses a denial-of-service technique to disrupt operations. This pattern is related only to interruption. Guidance: To reduce incident probability, you can focus resources on a distributed denial-of-service (DDoS) mitigation service.

c. Everything else: In this category, malware, hacking, and social actions that do not fit a more specific pattern are grouped together. This pattern is related to data breach, interruption, misappropriation, and ransomware. Guidance: To reduce incident probability, you can focus resources on incident response (including audit log management), inventory and control of enterprise and software assets, and network monitoring and defense.

2. Most Concerning Loss Categories: Interruption and ransomware are the most concerning loss categories.

a. Interruption: In this category, there is an intentional or unintentional disruption of one or more information technology (IT) or operational technology (OT) systems. This pattern includes denial-of-service attacks, human error, misuse, and other malware and hacking techniques aimed at disrupting operations. Guidance: To reduce incident probability, you can focus resources on security awareness and skills training, service provider management, and vulnerability management.

b. Ransomware: In this category, there is an intentional deployment of malware that encrypts data within one or more systems in order to extort money from the victim organization. This pattern may also include a data breach. Guidance: To reduce incident probability, you can focus resources on security awareness and skills training, service provider management, and network monitoring and defense.

3. Quick Win Opportunities: Service provider management, network monitoring and defense, and security awareness and skills training are the most beneficial controls for improving your overall cyber risk condition. Their potential benefit extends beyond the most concerning threat categories and loss categories.

a. Service provider management: This control focuses on developing a process to evaluate service providers that hold sensitive data or are responsible for your critical IT platforms or processes. Details: This includes an inventory of all third parties, third-party classifications, cyber security contractual requirements, third-party assessments, and a complete onboarding and offboarding process for third parties.

b. Network monitoring and defense: This control focuses on the implementation of processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across your business's network infrastructure and user base. Details: This includes centralized security event alerting, collection of traffic flow logs, host- and network-based intrusion detection and prevention solutions, traffic filtering, port-level access control, application layer filtering, and tuning of security alerts.

c. Security awareness and skills training: This control focuses on establishing and maintaining a security awareness program that influences the workforce to be security conscious and properly skilled, reducing cybersecurity risk to the enterprise. Details: This includes training workforce members to recognize social engineering attacks (including phishing), to follow authentication and data handling best practices, to avoid unintentional data exposure and misconfiguration, and to recognize and report security incidents, outdated software, and malicious or unusual behavior.

Since this assessment is based on your current cyber risk condition, it is recommended that you revisit this section regularly to account for emerging threat conditions and technologies, changes to your business profile, and volatility of the macro cyber economic condition.



Recent Cyber Incidents.

This is where you will find recent cyber incidents to help you better understand the financial impact of cyber risk. This section may include incidents related to malice and error, data breach, interruption, misappropriation, and ransomware losses, and material and immaterial outcomes.

1. MGM: In September 2023, MGM experienced a 10-day ransomware incident with an estimated impact of $100 million in Adjusted Property EBITDAR for the Las Vegas Strip Resorts and Regional Operations, plus a one-time expense of less than $10 million.

Context: Despite the hype surrounding this story, MGM determined this $100 million ransomware incident to be immaterial. MGM did not pay the extortion demand, which statistically lowers its probability of a repeat ransomware attack. MGM believes that cyber insurance will offset the impacts of the operational disruption, the one-time expense, and future expenses.

2. Clorox: In August 2023, Clorox experienced a significant ransomware attack that disrupted its business. Clorox expects to incur approximately $25 per share of costs related to the ransomware attack, $3 per share of restructuring and related costs (net, related to implementation of the streamlined operating model), and $32 per share of operating expenses related to its investment in digital capabilities and productivity enhancements.

Context: This incident clearly caused a wide-scale disruption at Clorox that led to lost sales and erosion of its stock price. Clorox did not pay the extortion demand, which statistically lowers its probability of a repeat ransomware attack. Clorox will provide an updated outlook in November 2023.

This section of the report will change monthly to ensure you have recent and relevant information to compare and contrast your cyber risk condition. This section of the report helps you draw a connection to real world incidents that may influence how you address your cyber risk condition.
