The X-Analytics Cyber Risk Governance Report
For: Acme Financial Services, Inc.
Estimated for: January 22, 2024 to January 21, 2025
This assessment is for a particular profile. A profile can be built for an entire business, a business unit, a product line, a critical business application, and any other logical or physical business entity.
How to Use Your Assessment?
This assessment explores the next twelve months of your cyber risk condition from a financial perspective. It illustrates the major cyber themes and possibilities that may present themselves to your business, based on patterns formed between historical data, your unique business profile, and the macroeconomic cyber condition.
This is your business, and the estimates for the next twelve months are just one way to think about your cyber risk condition. Your business has experienced the realities of cyber risk in a different way. This assessment should be used in conjunction with your existing observations.
This assessment is not a prediction of a pre-determined future that precludes unknown conditions and changing human motivations. Use this assessment as a target at which to aim your actions. You are the agent of your cyber resilience strategy. Take what you need from this assessment to better manage, design, and communicate your cyber resilience strategy.
Executive Summary.
Your cyber risk condition is summarized in three metrics. Each metric provides an essential element in understanding your cyber risk condition.
Since Last Quarter.
Since last quarter, your control effectiveness has improved by 13.3% and your cyber exposure has improved by 5.5%.
Further Details.
Your cyber risk condition is based on a combination of your exposure profile, asset applicability, threat and impact refinement, cyber insurance details (if applicable), cyber maturity, and a set of macroeconomic cyber risk conditions that further calibrate cyber incident severity and probability.
Cyber Exposure
Cyber exposure is the sum of all possible impacts each multiplied by the probability of impact, which can be further expressed as a percent of annual revenue. Your cyber exposure includes the benefit of your control effectiveness.
Your current cyber exposure estimate is $65.0 million for the next twelve months, which can also be expressed as 2.60% of your annual revenue. To aid with making informed cyber risk decisions, cyber exposure is further divided into four exposure categories.
Question to ponder: When compared to other operational risks, does your cyber exposure indicate that your cyber risk condition requires further attention? If yes, then focus on the loss categories that represent the greatest proportions of your total cyber exposure.
Cyber Exposure with Transfer
As an alternative, you can view cyber exposure with the benefit of your risk transfer mechanism. This benefit would require actual use of your cyber insurance policy and includes insurance limits, exceptions, and retention costs.
| Exposure category | Exposure w/o transfer | Exposure w/ transfer | Transfer benefit |
| --- | --- | --- | --- |
| Data breach | $3.329 million | $3.223 million | 2.08% |
| Interruption | $44.835 million | $35.758 million | 20.24% |
| Misappropriation | $2.895 million | $2.762 million | 4.59% |
| Ransomware | $13.944 million | $8.639 million | 38.05% |
| Total | $64.967 million | $50.383 million | 22.45% |
Your revised cyber exposure with transfer is $50.4 million, which can also be expressed as 2.02% of annual revenue. Since risk transfer is part of an overall cyber risk strategy, you may want to compare this revised value with your cyber exposure target.
Cyber Exposure Targets
As one component of cyber risk governance, you can use your cyber exposure target to aim your actions. Your current cyber exposure of $65.0 million is worse than your target of $37.5 million.
| Measure | Current value | Target value | Delta |
| --- | --- | --- | --- |
| Cyber exposure | $65.0 million | $37.5 million | +$27.5 million |
| as a % of revenue | 2.60% | 1.50% | +1.10% |
| Cyber exposure w/ transfer | $50.4 million | $37.5 million | +$12.9 million |
| as a % of revenue | 2.02% | 1.50% | +0.52% |
If you are exceeding target expectations, then you can focus on other priorities within the business. If you have not yet reached target, then you have a variety of strategic options to improve your risk mitigation and transfer mechanisms.
Cyber Exposure Opportunity - The Top 5 Risk Scenarios
As one option, you can focus on the top 5 risk scenarios which contain the most cyber exposure. Any improvement within these risk scenarios would improve cyber exposure. In aggregate, the top 5 risk scenarios make up 27.4% of your total exposure.
| Risk scenario | Risk definition | Related cyber exposure | Control effectiveness |
| --- | --- | --- | --- |
| 1. Everything Else: Server/Apps | Any unknown or unclassified incident that leads to a disruption or data theft. | $5.58 million | 37.8% |
| 2. WebApp Attack: Server/Apps | Any incident in which a web application is the vector of attack to disrupt or steal data. | $3.71 million | 38.7% |
| 3. Everything Else: People | Any unknown or unclassified incident that leads to a disruption or data theft. | $2.88 million | 40.0% |
| 4. Crimeware: Server/Apps | Any malware incident that leads to a disruption or data theft. | $2.88 million | 37.7% |
| 5. Misuse: Server/Apps | Any insider and privileged misuse incident that leads to a disruption or data theft. | $2.73 million | 38.3% |
| Total | | $17.78 million | |
Other risk reducing options are available throughout this report and other X-Analytics reports.
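As an added example (not part of the X-Analytics report), the Python block below encodes the exposure definition given above and reconciles the transfer, target and top-category figures from the tables in this section. The annual revenue is not printed in the report; it is implied here from $65.0 million being stated as 2.60% of revenue.

```python
"""Reconcile the exposure figures printed in a report like the one above.
Dollar figures are the report's own ($ millions); annual revenue is not printed
and is implied here from $65.0M being stated as 2.60% of revenue."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    category: str
    without_transfer: float  # residual exposure after controls, before insurance
    with_transfer: float     # after applying policy limits, exceptions and retention
    @property
    def transfer_benefit_pct(self) -> float:
        """Share of exposure removed by the risk transfer mechanism."""
        return 100.0 * (self.without_transfer - self.with_transfer) / self.without_transfer

# Rows of the "Cyber Exposure with Transfer" table.
REPORT_ROWS = [
    Exposure("Data breach", 3.329, 3.223),
    Exposure("Interruption", 44.835, 35.758),
    Exposure("Misappropriation", 2.895, 2.762),
    Exposure("Ransomware", 13.944, 8.639),
]
REPORT_TOTAL = Exposure("Total", 64.967, 50.383)
TARGET_EXPOSURE = 37.5           # $ millions, from the targets table
IMPLIED_REVENUE = 65.0 / 0.026   # $ millions, derived, not printed in the report

def expected_loss(scenarios):
    """The report's definition: sum over scenarios of impact x probability."""
    return sum(impact * probability for impact, probability in scenarios)

def column_total(rows, attr):
    return sum(getattr(r, attr) for r in rows)

def pct_of_revenue(amount, revenue=IMPLIED_REVENUE):
    return 100.0 * amount / revenue

def gap_to_target(amount, target=TARGET_EXPOSURE):
    """Positive when exposure exceeds target, matching the report's delta column."""
    return amount - target

def reconcile(rows, total, tol=0.05):
    """Do the category rows add up to the printed totals, within tol $ millions?"""
    return {attr: abs(column_total(rows, attr) - getattr(total, attr)) <= tol
            for attr in ("without_transfer", "with_transfer")}

def ranked_shares(rows):
    """Categories by share of total exposure, largest first, for prioritisation."""
    total = column_total(rows, "without_transfer")
    return [(r.category, round(100.0 * r.without_transfer / total, 1))
            for r in sorted(rows, key=lambda r: r.without_transfer, reverse=True)]
```

Recomputing the data-breach row's transfer benefit from its two dollar amounts gives about 3.2% rather than the 2.08% printed, which is the kind of discrepancy this reconciliation is meant to surface.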
Control Effectiveness
Control effectiveness is the measure of how effective your overall control maturity is at reducing inherent risk. As your control effectiveness increases, your cyber exposure decreases.
Your current control effectiveness is 37.7% out of a 100% scale. When compared to inherent risk (or zero control effectiveness), your control implementation has reduced cyber exposure by $37.2 million.
| Cyber Exposure at Inherent Risk Position | Mitigated Exposure via Control Effectiveness | Cyber Exposure at Residual Risk Position |
| --- | --- | --- |
| $102.2 million | $37.2 million | $65.0 million |
| or 3.10% as a % of revenue | | or 2.60% as a % of revenue |
To aid with making informed cyber risk decisions, control effectiveness is further divided into 10 risk categories.
Your current control effectiveness is worse than your target of 60%.
Control Effectiveness Relation to Cyber Exposure
Not all cyber risks are equal in how they relate to cyber exposure. You can focus your cyber investments toward the risk categories that would best improve your cyber exposure.
| Risk Category | Definition | Control Effectiveness | Related Cyber Exposure |
| --- | --- | --- | --- |
| Web application attacks | Any incident in which a web application is the vector of attack to disrupt or steal data. | 39.0% | $6.85 million |
| Point of sale intrusion | Any incident in which a PoS asset is the vector of attack to steal payment data. | 37.3% | $0.34 million |
| Insider & privileged misuse | Any insider and privileged misuse incident that leads to a disruption or data theft. | 38.5% | $8.38 million |
| Miscellaneous error | Any human error incident that leads to a disruption or data loss. | 39.0% | $8.30 million |
| Physical theft and loss | Any physical theft/loss incident that leads to a disruption or data theft/loss. | 39.4% | $4.32 million |
| Crimeware (ransomware) | Any malware incident that leads to a disruption or data theft. | 37.7% | $10.96 million |
| Payment skimming | Any incident in which a device was implemented to skim payment data. | 29.8% | $0.65 million |
| Cyber espionage | Any espionage incident that leads to a disruption or data theft. | 38.2% | $8.85 million |
| Denial of service attacks | A targeted, high volume, attack intended to disrupt critical IT/OT services. | 38.1% | $0.36 million |
| Unknown or unclassified | Any unknown or unclassified incident that leads to a disruption or data theft. | 38.0% | $14.53 million |
Question to ponder: Are your current and future cyber investments aligned with the functions that would best improve your cyber risk condition?
For more information related to your control effectiveness and cyber maturity, please see your corresponding cybersecurity framework report.
Cyber Governance
Cyber governance is an understanding of your business’s responsibilities and practices exercised by executive management with a goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that cyber risks are managed appropriately, and verifying that your business's resources are used responsibly.
Your current cyber governance is 65.5% out of a 100% scale. To aid with making informed cyber risk decisions, cyber governance is further divided into the govern function, governance rigor, and risk strategy effectiveness.
| Governance Metric | Current Value | Target | Delta |
| --- | --- | --- | --- |
| The Govern Function | 59.9% | 50.0% | +9.9% |
| Governance Rigor | 65.3% | 50.0% | +15.3% |
| Risk Strategy Effectiveness | 72.1% | 50.0% | +22.1% |
| Total | 65.5% | 50.0% | +15.5% |
The Govern Function
The govern function is an understanding of the organization's risk management strategy, risk expectations, and related policies. It includes outcomes to inform what your business may need to achieve and prioritize, such as organizational context, risk management strategy, roles and responsibilities, cyber policy, oversight, and cybersecurity supply chain risk management.
Question to ponder: Have you considered all of the legal, regulatory, and contractual ramifications related to cyber governance? This includes adverse conditions resulting from non-compliance, data misuse, accidental loss or exposure of intellectual property, artificial intelligence liability, and many other incidents.
The govern function works in tandem with identify, protect, detect, respond, and recover functions. For more information on the other five functions, please see your corresponding cybersecurity framework reports.
Governance Rigor
Governance rigor is the degree to which your business has an organization-wide approach to cyber risk. This includes monitoring cyber risk with other operational risks, ensuring the cyber budget is based on current and predicted risks, implementing an executive-sponsored cyber risk vision, promoting that cyber risk management is part of the culture, and quickly accounting for changes to the business.
Question to ponder: Have you considered how your cyber risk governance practices impact or influence your cybersecurity risk management practices?
Governance rigor works in conjunction with the govern function and risk management effectiveness. Collectively, they are related to your current and future cyber exposure values.
Risk Management Effectiveness
Risk management effectiveness is the degree to which your business has reduced cyber risk based on your unique risk profile and the current threat condition. This includes your effectiveness against web application attacks, point of sale intrusion, payment skimming, insider and privileged misuse, human error, physical theft and loss, crimeware (including ransomware), cyber-espionage, denial of service attacks, and unknown activity.
Question to ponder: Are you providing strategic cyber direction and ensuring that business resources are being used responsibly to best manage your cyber risk condition?
Risk management effectiveness is directly associated with your control effectiveness. If you have not yet achieved target, then prioritize control effectiveness within each threat category that requires attention.
In Summary
Your cyber risk condition is summarized in three metrics. Each metric provides an essential element in understanding your cyber risk condition, and each metric can be used as a target at which to aim your actions.
Exposure Ratio
1. Your current cyber exposure of $65.0 million (or 2.6% of revenue) is worse than your target of $37.5 million.
2. Your cyber exposure with transfer benefit is $50.4 million, which represents a 22.5% transfer benefit.
3. If you focus on the top 5 risk scenarios, you could further reduce your cyber exposure by $17.8 million.
Control Effectiveness
1. Your current control effectiveness of 37.5% is below your target of 60.0%.
2. The "unknown or unclassified" risk category has a control effectiveness of 38.0% and has a related cyber exposure of $14.5 million.
3. The "crimeware (including ransomware)" risk category has a control effectiveness of 37.7% and has a related cyber exposure of $11.0 million.
Cyber Governance
1. Your current cyber governance of 65.5% is better than your target of 50%.
2. Within the govern function, "oversight" requires the most attention.
3. Within governance rigor, "monitoring cyber risks with other operational risks" requires the most attention.
4. Within risk management effectiveness, "unknown and unclassified activity" requires the most attention.
Comments