Managing Cyber Exposures from the Inside Out
Many companies are perplexed when trying to understand their cyber exposures. They may understand the risk and the potential impact of a breach, but they simply don’t know how to measure the total exposure to the bottom line. Some of the costs associated with a cyber attack are relatively easy to estimate, such as the linear calculations based on the number of records with personally identifiable information (PII). Take the current costs for credit monitoring, notifications, cyber forensics and legal fees, then add them up and you have a pretty good idea of the exposure. But what if your business doesn’t have a significant PII exposure? How do you quantify the more intangible side of the risk?
You will not find that answer anywhere outside of your organization. The answer comes from looking within your organization. We call it “managing risks from the inside out.” Any cyber insurance expert will struggle to tell you what limits you should buy because there are no benchmarks to reference and no comparative studies that reflect the inner workings of your operations. The analysis of this exposure is possibly the most complex of any exposure to an enterprise, but it is precisely what needs to be done.
The enterprise-wide exposure from a cyber-related peril falls into two categories: business interruption and restoration, and they are interrelated.
- Business interruption is a time element loss similar to that from a property trigger. An incident occurs that cripples production, causing a loss of earnings. The time element considers the time of restoration, i.e., the time needed to get back to pre-loss levels. This includes the extra expenses needed to keep the operation running however possible. In addition to lost sales, there may be a loss of customers or contracts that should also be assessed.
- The restoration involves both the costs and steps needed to repair and replace damaged systems to restore operations back to pre-loss levels. How long that takes is your period of restoration. Restoring critical systems may involve various outside consultants to implement the restoration plan, which should be factored into the analysis.
Figuring out these scenarios and adding up the costs and impact on earnings will go a long way toward quantifying your exposure. Since many deductibles are based on a waiting period, this is a vital procedure before looking for coverage. To get a realistic Cyber BI Value, you must consider the realistic worst-case loss scenarios, known in the property policy world as Maximum Foreseeable Loss (MFL), and the more likely Probable Maximum Loss (PML). If you have security testing protocols in place and have done an impact analysis for critical systems, you have the foundation for quantifying the bottom line exposures.
Cyber claims are some of the most difficult to document, because in many cases records are lost and systems for record keeping may be unusable. The inefficiencies and manual processes not only affect operations, but will also affect claim preparation.
At RWH Myers, we have decades of experience quantifying an array of time element losses, including those from cyber perils. We look at cyber as we would any other trigger because the fundamentals are the same. Our claims experience helps clients both understand all financial exposures associated with a cyber event and maximize claim recovery.