Assessing how prepared an enterprise is to combat a cyber threat is a complex problem, and every industry has a different perspective on cyber risk. The challenge is especially daunting for sectors such as financial services and insurance, healthcare, education and retail, which handle massive amounts of personally identifiable information (PII).
Graver still is a successful cyberattack on critical infrastructure for utilities such as water, electricity, gas, transportation and communications, which can cause large-scale economic and environmental damage and even fatalities.
Rising cyberattacks on the US energy sector have prompted ratings agency Moody's to explore using extreme weather events, such as hurricanes, and a utility's ability to recover and restore operations after them, as a proxy for estimating how cyber risk might translate into financial impact and credit outcome.
The factors that Moody’s examines when determining a credit impact associated with a cyber incident include the nature and scope of the targeted assets or businesses, the duration of potential service disruptions and the expected time to restore operations. However, in the case of critical infrastructure assets, Moody's believes that governments will likely support recovery efforts, resulting in lower potential credit risk.
Yet, as Lesley Ritter, an associate vice president at Moody's, pointed out, cybersecurity is an enterprise-wide risk that requires thorough governance measures, and C-suite executives and the board of directors must be at the center of managing this risk.
Given its importance, Moody's plans to factor the risk and potential impact of a security incident on a company into its creditworthiness ratings. It will further consider a stand-alone cyber risk rating, separate from the credit rating, later, according to a CNBC report that quoted Derek Vadala, head of Moody's Investors Service's Cyber Risk Group.
Separately, in mid-2017, a group of US firms, comprising several Fortune 500 companies and a number of the country’s biggest banks, began collaborating to develop industry standards for cybersecurity ratings. Security ratings based on accurate and relevant information are useful for evaluating cyber risk and facilitating collaborative, risk-based conversations between organizations.
The group’s approach promotes quality and accuracy in the production of security ratings and fairness in reporting; includes a coordinated process for adjudicating errors or inaccuracies in reported content; and sets guidelines for appropriate use and disclosure of scores and ratings.
Reliable risk assessments are urgently needed. The potential economic loss in Singapore due to cybersecurity incidents can hit a staggering US$17.7 billion, equivalent to 6% of Singapore’s GDP, according to a 2018 Microsoft-commissioned study by Frost & Sullivan. Cyberattacks have also caused job losses in six in 10 organizations over the past year. A large organization can incur more than 70 times the average economic loss compared to an attack on a mid-sized organization.
F5 Labs' analysis of breach reports sent to US state attorneys general from April to August 2018 revealed that the initial attack vector in 86% of cases where PII was compromised was phishing, with the average PII breach costing organizations US$6.5 million. Clearly, preventing a breach through smart security controls based on accurate cyber risk assessments can help minimize the cost of dealing with one.
Given these statistics, the Institute of Singapore Chartered Accountants (ISCA) considers cybersecurity risk, like an entity's other business risks, an essential consideration in every financial statements audit. The impact of such risk on the financial statements and the entity's assets, and where necessary the extent of audit response required to address the risk, should be assessed. Auditors should also consider involving subject matter experts, especially in determining the financial implications of undetected data breaches.
Another risk viewpoint is to gauge the probability of success of an attack by calculating the impact and likelihood of the threat. Impact could be assessed based on potential loss of customer revenue, productivity, competitive advantage and customer confidence; regulatory fines and contractual damages; repair, replacement, and remediation costs; IT and security response costs; and cost in hours of system downtime.
From an application security perspective, the bottom line for threat impact is the estimated dollars lost, which ultimately helps to determine the organization's threshold for an acceptable loss. In terms of availability, one hour of downtime per month on a major e-commerce site may be tolerable while two hours may not be.
Therefore, risk assessment begins with a complete inventory and consideration of the critical applications in use. Counting, analyzing, and tracking your applications will tell you what you need to protect and where.
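The following is an added worked example, not code from the original post or from F5, that puts the three steps above into one small risk register: inventory the applications, cost each of the impact categories listed, combine impact with likelihood, and compare the result against an acceptable-loss threshold and a per-application downtime tolerance. It assumes likelihood is expressed as expected incidents per year (the standard annualized loss expectancy formula), and every dollar figure, application name and threshold in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Application:
    """One entry in the application inventory with its impact estimates."""
    name: str
    # Impact components named in the post, as estimated dollars per incident
    lost_revenue: float
    lost_productivity: float
    fines_and_contractual: float
    remediation: float
    response: float
    # Downtime per incident, costed per hour of system downtime
    downtime_hours: float
    downtime_cost_per_hour: float
    # Likelihood, expressed as expected successful incidents per year
    # (assumption: the annualized rate used in quantitative risk analysis)
    incidents_per_year: float
    # Availability tolerance: hours of downtime per month the business accepts,
    # versus the hours of downtime it currently expects for this application
    tolerable_downtime_per_month: float
    expected_downtime_per_month: float

    def impact_per_incident(self) -> float:
        """Single-incident loss: the sum of all impact components."""
        return (self.lost_revenue + self.lost_productivity
                + self.fines_and_contractual + self.remediation
                + self.response
                + self.downtime_hours * self.downtime_cost_per_hour)

    def annual_loss_expectancy(self) -> float:
        """Impact x likelihood: expected loss per year."""
        return self.impact_per_incident() * self.incidents_per_year


def assess(inventory: List[Application], acceptable_annual_loss: float) -> List[Dict]:
    """Score every application and flag those breaching a threshold.

    Returns one record per application, highest expected loss first, so the
    list doubles as the order in which to spend protection effort.
    """
    results = []
    for app in inventory:
        ale = app.annual_loss_expectancy()
        results.append({
            "name": app.name,
            "impact_per_incident": app.impact_per_incident(),
            "annual_loss_expectancy": ale,
            "exceeds_loss_threshold": ale > acceptable_annual_loss,
            "exceeds_downtime_tolerance":
                app.expected_downtime_per_month > app.tolerable_downtime_per_month,
        })
    return sorted(results, key=lambda r: r["annual_loss_expectancy"], reverse=True)


# Constructed sample inventory; every figure below is illustrative only.
SAMPLE_INVENTORY = [
    Application("storefront", lost_revenue=250_000, lost_productivity=20_000,
                fines_and_contractual=100_000, remediation=50_000, response=30_000,
                downtime_hours=4, downtime_cost_per_hour=50_000,
                incidents_per_year=0.5,
                tolerable_downtime_per_month=1, expected_downtime_per_month=2),
    Application("intranet-wiki", lost_revenue=0, lost_productivity=15_000,
                fines_and_contractual=5_000, remediation=10_000, response=10_000,
                downtime_hours=8, downtime_cost_per_hour=500,
                incidents_per_year=2,
                tolerable_downtime_per_month=8, expected_downtime_per_month=3),
]

# Constructed threshold: the most the organization accepts losing per year
ACCEPTABLE_ANNUAL_LOSS = 100_000


if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY, ACCEPTABLE_ANNUAL_LOSS):
        print(f"{row['name']:<14} impact/incident=${row['impact_per_incident']:>10,.0f} "
              f"ALE=${row['annual_loss_expectancy']:>10,.0f} "
              f"over loss threshold={row['exceeds_loss_threshold']} "
              f"over downtime tolerance={row['exceeds_downtime_tolerance']}")
```

With the sample figures the storefront's expected annual loss (US$325,000) exceeds the US$100,000 acceptable loss and its two hours of monthly downtime exceed the one hour the business tolerates, while the wiki stays within both limits; the same structure scales to a real inventory by replacing the constructed rows with the organization's own estimates.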
This is a QuestexAsia blog post commissioned by F5 Networks Asia Pacific.