
A Board-Level Guide to Understanding Your Cyber Risk Condition

Updated: Apr 19

The X-Analytics Cyber Risk Governance Report

For: Acme Financial Services, Inc.

Estimated for: January 22, 2024 to January 21, 2025


This assessment is for a particular profile. A profile can be built for an entire business, a business unit, a product line, a critical business application, and any other logical or physical business entity.



How to Use Your Assessment

This assessment explores the next twelve months of your cyber risk condition from a financial perspective. It illustrates the major cyber themes and possibilities that may present themselves to your business, based on patterns formed between historical data, your unique business profile, and the macroeconomic cyber condition.

This is your business, and the estimates for the next twelve months are just one way to think about your cyber risk condition. Your business has experienced the realities of cyber risk in its own way. This assessment should be used in conjunction with your existing observations.

This assessment is not a prediction of a pre-determined future that precludes unknown conditions and changing human motivations. Use this assessment as a target at which to aim your actions. You are the agent of your cyber resilience strategy. Take what you need from this assessment to better manage, design, and communicate your cyber resilience strategy.



Executive Summary.

Your cyber risk condition is summarized in three metrics. Each metric provides an essential element in understanding your cyber risk condition.


Since Last Quarter.

Since last quarter, your control effectiveness has improved by 13.3% and your cyber exposure has improved by 5.5%.




Further Details.

Your cyber risk condition is based on a combination of your exposure profile, asset applicability, threat and impact refinement, cyber insurance details (if applicable), cyber maturity, and a set of macroeconomic cyber risk conditions that further calibrate cyber incident severity and probability.


Cyber Exposure

Cyber exposure is the sum of all possible impacts each multiplied by the probability of impact, which can be further expressed as a percent of annual revenue. Your cyber exposure includes the benefit of your control effectiveness.

Your current cyber exposure estimate is $65.0 million for the next twelve months, which can also be expressed as 2.60% of your annual revenue. To aid with making informed cyber risk decisions, cyber exposure is further divided into four exposure categories.


Question to ponder:  When compared to other operational risks, does your cyber exposure indicate that your cyber risk condition requires further attention? If yes, then focus on the loss categories that represent the greatest proportions of your total cyber exposure.


Cyber Exposure with Transfer

As an alternative, you can view cyber exposure with the benefit of your risk transfer mechanism. This benefit would require actual use of your cyber insurance policy and includes insurance limits, exceptions, and retention costs.

Exposure category | Exposure w/o transfer | Exposure w/ transfer | Transfer benefit
Data breach | $3.329 million | $3.223 million | 2.08%
Interruption | $44.835 million | $35.758 million | 20.24%
Misappropriation | $2.895 million | $2.762 million | 4.59%
Ransomware | $13.944 million | $8.639 million | 38.05%
Total | $64.967 million | $50.383 million | 22.45%

Your revised cyber exposure with transfer is $50.4 million, which can also be expressed as 2.02% of annual revenue. Since risk transfer is part of an overall cyber risk strategy, you may want to compare this revised value with your cyber exposure target.


Cyber Exposure Targets

As one component of cyber risk governance, you can use your cyber exposure target to aim your actions. Your current cyber exposure of $65.0 million is worse than your target of $37.5 million.

Measure | Current value | Target value | Delta
Cyber exposure | $65.0 million | $37.5 million | +$27.5 million
as a % of revenue | 2.60% | 1.50% | +1.10%
Cyber exposure w/ transfer | $50.4 million | $37.5 million | +$12.9 million
as a % of revenue | 2.02% | 1.50% | +0.52%

If you are exceeding target expectations, then you can focus on other priorities within the business. If you have not yet reached target, then you have a variety of strategic options to improve your risk mitigation and transfer mechanisms.
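As an added illustration (not part of the X-Analytics report), the script below recomputes the derived columns of the transfer table and the target deltas from the printed dollar figures, so a reader can confirm that the report's numbers reconcile before relying on them. The back-solved revenue figure and the expected-exposure model (sum of impact times probability, as defined in the Cyber Exposure section) are assumptions stated in the code.

```python
"""Reconcile the exposure figures printed in a cyber risk governance report.

Added example, not X-Analytics code. Row values are the $ million figures
from the transfer table above; revenue is back-solved from the report's
"$65.0 million is 2.60% of revenue" statement (an assumption).
"""

# (category, exposure w/o transfer, exposure w/ transfer, stated benefit %)
TRANSFER_TABLE = [
    ("Data breach",       3.329,  3.223,  2.08),
    ("Interruption",     44.835, 35.758, 20.24),
    ("Misappropriation",  2.895,  2.762,  4.59),
    ("Ransomware",       13.944,  8.639, 38.05),
]
TARGET_MUSD = 37.5            # cyber exposure target stated in the report
REVENUE_MUSD = 65.0 / 0.026   # ~2500: implied by $65.0M being 2.60% of revenue


def expected_exposure(impacts_and_probs):
    """Cyber exposure as defined above: sum of impact x probability per scenario."""
    return sum(impact * prob for impact, prob in impacts_and_probs)


def transfer_benefit_pct(without, with_):
    """Share of exposure removed by risk transfer: (w/o - w/) / w/o, in percent."""
    return 100.0 * (without - with_) / without


def totals(rows):
    """Column sums and the aggregate transfer benefit for a table of rows."""
    without = sum(r[1] for r in rows)
    with_ = sum(r[2] for r in rows)
    return without, with_, transfer_benefit_pct(without, with_)


def reconcile(rows, tolerance=0.02):
    """Rows whose stated benefit % disagrees with the % implied by their dollar
    figures. The tolerance absorbs rounding of the printed figures to $1k."""
    return [(name, stated, round(transfer_benefit_pct(w, t), 2))
            for name, w, t, stated in rows
            if abs(transfer_benefit_pct(w, t) - stated) > tolerance]


def pct_of_revenue(exposure_musd, revenue_musd=REVENUE_MUSD):
    return 100.0 * exposure_musd / revenue_musd


def delta_to_target(current_musd, target_musd=TARGET_MUSD):
    """Positive means current exposure is worse than target."""
    return current_musd - target_musd


if __name__ == "__main__":
    w, t, b = totals(TRANSFER_TABLE)
    print(f"w/o transfer {w:.3f}M, w/ transfer {t:.3f}M, benefit {b:.2f}%")
    for name, stated, implied in reconcile(TRANSFER_TABLE):
        print(f"{name}: stated {stated}% but dollar figures imply {implied}%")
    print(f"delta to target w/ transfer: {delta_to_target(t):+.1f}M")
```

Any row that `reconcile` returns is worth a question to the report's author before it drives a budget decision.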


Cyber Exposure Opportunity - The Top 5 Risk Scenarios

As one option, you can focus on the top 5 risk scenarios which contain the most cyber exposure. Any improvement within these risk scenarios would improve cyber exposure. In aggregate, the top 5 risk scenarios make up 27.4% of your total exposure.

Risk scenario | Risk definition | Related cyber exposure | Control effectiveness
1. Everything Else: Server/Apps | Any unknown or unclassified incident that leads to a disruption or data theft. | $5.58 million | 37.8%
2. WebApp Attack: Server/Apps | Any incident in which a web application is the vector of attack to disrupt or steal data. | $3.71 million | 38.7%
3. Everything Else: People | Any unknown or unclassified incident that leads to a disruption or data theft. | $2.88 million | 40.0%
4. Crimeware: Server/Apps | Any malware incident that leads to a disruption or data theft. | $2.88 million | 37.7%
5. Misuse: Server/Apps | Any insider and privileged misuse incident that leads to a disruption or data theft. | $2.73 million | 38.3%
Total | | $17.78 million |


Other risk reducing options are available throughout this report and other X-Analytics reports.


Control Effectiveness

Control effectiveness is the measure of how effective your overall control maturity is at reducing inherent risk. As your control effectiveness increases, your cyber exposure decreases.

Your current control effectiveness is 37.7% out of a 100% scale. When compared to inherent risk (or zero control effectiveness), your control implementation has reduced cyber exposure by $37.2 million.

Cyber Exposure at Inherent Risk Position: $102.2 million (or 3.10% as a % of revenue)

Mitigated Exposure via Control Effectiveness: $37.2 million

Cyber Exposure at Residual Risk Position: $65.0 million (or 2.60% as a % of revenue)



To aid with making informed cyber risk decisions, control effectiveness is further divided into 10 risk categories.


Your current control effectiveness is worse than your target of 60%.


Control Effectiveness Relation to Cyber Exposure

All cyber risks are not equal in how they relate to cyber exposure. You can focus your cyber investments toward the risk categories that would best improve your cyber exposure.

Risk Category | Definition | Control Effectiveness | Related Cyber Exposure
Web application attacks | Any incident in which a web application is the vector of attack to disrupt or steal data. | 39.0% | $6.85 million
Point of sale intrusion | Any incident in which a PoS asset is the vector of attack to steal payment data. | 37.3% | $0.34 million
Insider & privileged misuse | Any insider and privileged misuse incident that leads to a disruption or data theft. | 38.5% | $8.38 million
Miscellaneous error | Any human error incident that leads to a disruption or data loss. | 39.0% | $8.30 million
Physical theft and loss | Any physical theft/loss incident that leads to a disruption or data theft/loss. | 39.4% | $4.32 million
Crimeware (ransomware) | Any malware incident that leads to a disruption or data theft. | 37.7% | $10.96 million
Payment skimming | Any incident in which a device was implemented to skim payment data. | 29.8% | $0.65 million
Cyber espionage | Any espionage incident that leads to a disruption or data theft. | 38.2% | $8.85 million
Denial of service attacks | A targeted, high-volume attack intended to disrupt critical IT/OT services. | 38.1% | $0.36 million
Unknown or unclassified | Any unknown or unclassified incident that leads to a disruption or data theft. | 38.0% | $14.53 million

Question to ponder:  Are your current and future cyber investments aligned with the functions that would best improve your cyber risk condition?

For more information related to your control effectiveness and cyber maturity, please see your corresponding cybersecurity framework report.



Cyber Governance

Cyber governance is an understanding of your business’s responsibilities and practices exercised by executive management with a goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that cyber risks are managed appropriately, and verifying that your business's resources are used responsibly.

Your current cyber governance is 65.5% out of a 100% scale. To aid with making informed cyber risk decisions, cyber governance is further divided into the govern function, governance rigor, and risk strategy effectiveness.

Governance Metric | Current Value | Target | Delta
The Govern Function | 59.9% | 50.0% | +9.9%
Governance Rigor | 65.3% | 50.0% | +15.3%
Risk Strategy Effectiveness | 72.1% | 50.0% | +22.1%
Total | 65.5% | 50.0% | +15.5%


The Govern Function

The govern function is an understanding of the organization's risk management strategy, risk expectations, and related policies. It includes outcomes that inform what your business may need to achieve and prioritize, such as organizational context, risk management strategy, roles and responsibilities, cyber policy, oversight, and cybersecurity supply chain risk management.


Question to ponder:  Have you considered all of the legal, regulatory, and contractual ramifications related to cyber governance? These include adverse conditions resulting from non-compliance, data misuse, accidental loss or exposure of intellectual property, artificial intelligence liability, and many other incidents.

The govern function works in tandem with identify, protect, detect, respond, and recover functions. For more information on the other five functions, please see your corresponding cybersecurity framework reports.


Governance Rigor

Governance rigor is the degree to which your business has an organization-wide approach to cyber risk. This includes monitoring cyber risk alongside other operational risks, ensuring the cyber budget is based on current and predicted risks, implementing an executive-sponsored cyber risk vision, promoting cyber risk management as part of the culture, and quickly accounting for changes to the business.

Question to ponder:  Have you considered how your cyber risk governance practices impact or influence your cybersecurity risk management practices?

Governance rigor works in conjunction with the govern function and risk management effectiveness. Collectively, they are related to your current and future cyber exposure values.


Risk Management Effectiveness

Risk management effectiveness is the degree to which your business has reduced cyber risk based on your unique risk profile and the current threat condition. This includes your effectiveness against web application attacks, point of sale intrusion, payment skimming, insider and privileged misuse, human error, physical theft and loss, crimeware (including ransomware), cyber espionage, denial of service attacks, and unknown activity.


Question to ponder:  Are you providing strategic cyber direction and ensuring that business resources are being used responsibly to best manage your cyber risk condition?

Risk management effectiveness is directly associated with your control effectiveness. If you have not yet achieved target, then prioritize control effectiveness within each threat category that requires attention.



In Summary

Your cyber risk condition is summarized in three metrics. Each metric provides an essential element in understanding your cyber risk condition, and each metric can be used as a target at which to aim your actions.

Exposure Ratio

1. Your current cyber exposure of $65.0 million (or 2.6% of revenue) is worse than your target of $37.5 million.

2. Your cyber exposure with transfer benefit is $50.4 million, which represents a 22.5% transfer benefit.

3. If you focus on the top 5 risk scenarios, you could further reduce your cyber exposure by $17.8 million.

Control Effectiveness

1. Your current control effectiveness of 37.5% is below your target of 60.0%.

2. The "unknown or unclassified" risk category has a control effectiveness of 38.0% and has a related cyber exposure of $14.5 million.

3. The "crimeware (including ransomware)" risk category has a control effectiveness of 37.7% and has a related cyber exposure of $11.0 million.

Cyber Governance

1. Your current cyber governance of 65.5% is better than your target of 50%.

2. Within the govern function, "oversight" requires the most attention.

3. Within governance rigor, "monitoring cyber risks with other operational risks" requires the most attention.

4. Within risk management effectiveness, "unknown and unclassified activity" requires the most attention.
