Time to move towards risk-based data driven cyber management

April 2020

US$6 trillion: that is the damage Cybersecurity Ventures predicts companies worldwide will lose to cyber attacks by 2021.[1] In another study, by CGI-Oxford Economics, a typical ‘severe’ cyber security breach represents a permanent cost of 1.8% of a company’s value. When the total impact on shareholder value is taken into account, the sample of 65 ‘severe’ breaches examined in the study cost investors upwards of US$50 billion.[2]

While companies have become more prudent in managing cyber risks, the traditional compliance-based approach is no longer sufficient. More often than not, vulnerability reporting is couched in technicalities that are not relevant to management: it tells them neither what risks they face nor how their investments are reducing those risks.

Moving from compliance-based to data-driven, risk-based management

In an environment that is growing increasingly digital, businesses’ approach to risk management must also evolve from subjective, checklist and compliance-driven methods to risk models that are driven by data.

CISOs are realising that a risk-based approach is necessary to mitigate cybersecurity risks successfully and to free limited resources to focus on the company’s most important assets. It also ensures effective communication at senior level, in terms the business can understand.

Additional benefits of data-driven cyber risk management:

  • Reporting – gives a holistic view of the risk landscape and priorities, in language that is easily understood.
  • Defensibility – evaluates and prioritises risks based on a sound methodology, and aligns project selection with corporate strategy in a quantitative way.
  • Transparency – enables meaningful comparison of the risk reduction benefits of projects aligned with strategy.
  • Automation – transforms information into high-level insights, priorities, actions and effective decisions.
  • Adaptability – quantifies risk exposure holistically, modifies stress tests as the risk landscape changes, and reshuffles priorities based on corporate strategy.
  • Effectiveness – maximises risk reduction benefits with available resources, allocates non-financial assets efficiently, and reduces risk by focusing on the overall risk landscape.

Building cyber risk analytics capabilities

To achieve consistent reporting, cyber risk management needs to be driven by data. Historically, integration has been limited, particularly with business impact modelling. Today, we can benefit from tested methodologies and a variety of data sources, and the methods are designed so that assumptions can fill gaps where data sources are not available. What we have learnt from our experience with our clients:

  • Be clear on use cases and engage with business on key assumptions.
  • Bring in vendors when automation and technology is the goal.
  • There is no one-size-fits-all solution. Organisations need choice on depth and breadth when implementing cyber risk tools.

Turning losses into ROIs

By adopting a risk-based data-driven approach to cyber reporting, companies will move from looking at potential losses from cyber attacks to reaping returns on sound cybersecurity investments.

[1] https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

[2] https://www.cgi.com/sites/default/files/2018-08/cybervalueconnection_full_report_final_lr.pd

Contact us

Kenneth Wong

Partner, PwC Hong Kong

Tel: +[852] 2289 2719

Kok Tin Gan

Partner, PwC Hong Kong

Tel: +[852] 2289 1935

Felix Kan

Partner, PwC Hong Kong

Tel: +[852] 2289 1970
