The bottom line – cyber risk in financial terms
Read time: 5 mins. Added: 09/02/2019
It’s not enough for businesses to think of cyber-security in technical terms. What are your vulnerabilities and risks? How could they impact you? And how much risk are you willing to take on? These are the questions businesses need to answer, says George Ng, co-founder and CTO of Cyence, a cyber-risk analytics and modelling firm acquired by Guidewire Software in October 2017.
The cost of cyber-security goes beyond investing in software or third-party support. While this can be expensive, the loss of data, money, trust or reputation as a result of an incident can come with a much bigger price tag. To make risk assessments based on the bottom line, everyone from your suppliers to your customers needs to be part of the equation.
Cyber-security is not a one-size-fits-all proposition. Every business has to account for different risks. This starts by considering what makes you an attractive target in the first place – which in turn tells you who might target you.
For example, a law firm and a retailer may have equally strong defence systems. Yet one is trying to protect sensitive and private documents, while the other is focused on keeping customer data and payment details safe. That results in two very different cyber strategies.
Risks vary by sector, size, location and even visibility. If your business is in the headlines, you might be more recognisable to hackers. Risks can also be accidental, such as when someone sends a spreadsheet to the wrong person. That’s why it’s crucial to examine the whole company – from your everyday operations to your staff – for potential risk factors.
It’s also important to not just think about your own security, according to Ng. Sometimes, your company isn’t the target at all. It’s just a way in for someone looking to reach your customers, or a partner within your network.
One common mistake that companies make is thinking of cyber risk purely in terms of prevention. That’s not realistic anymore. It should be treated like any other risk, with an eye toward what it means for your business when something goes wrong.
When you’re buying a house, for example, you’ll try to make sure it has a solid infrastructure, and that it’s prepared to take on the elements. But you’re also likely to take out some form of insurance or think of how to deal with worst case scenarios.
As it stands, a lot of cyber-security assessments are driven by compliance and regulation. This is a limited, defensive approach that tends to come down to a tick-box exercise. While that’s not a bad thing, the best defence is to consider the potential attackers’ offence. That means actively seeking out potential threats that are relevant to your business.
A cyber incident is one of those events which you may not actually be able to prevent, says Ng. Therefore, you should stop thinking about it just as an IT problem and also start thinking about it as a business risk.
Cyber-risk in the 21st century is existential to most businesses – 60% of small businesses in the US went under within six months of a cyber event. When you think about the potential consequences, the price of investing in cyber-security measures doesn’t seem that high.
Going back to the home example, burglary is something that can happen to anyone. But there are different ways to deal with it. You could invest in a simple alarm, or spend a fortune on an advanced system. You could even decide to limit how many valuables you keep at home. Ultimately, it comes down to what you think is the best option for you, and how much you’re willing to – or able to – spend.
What experts at firms like Guidewire Cyence do is provide the right information and models to help businesses come to the right conclusions for their organisation. Not everyone can pay for top-of-the-line software, of course, but a clear understanding of all the risks lets businesses make decisions based on pounds and probabilities.
Cyber is a C-suite concern for today’s businesses. That means it’s important to use the right words to talk about it, with fewer IT terms and more business realities. Ng points out that, regardless of the country or the language spoken, there is one way in which boards look at risk – and that is through money and the likelihood of something happening.
Once you can frame a risk with actual figures, you can have a clearer conversation about it. Understanding the probability of an event that can cost you half a billion, for example, lets you think of risk in real terms and take your next steps with more confidence.
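The "money and likelihood" framing above, and the alarm-versus-advanced-system trade-off from the burglary analogy, can be made concrete with a small annualised-loss-expectancy (ALE) model. The following Python is an added example written for this page, not code from the article, Lloyds Bank or Guidewire Cyence; every scenario name, probability, loss figure and control cost in it is a constructed placeholder, not data from the page. It turns each scenario into probability × loss, ranks candidate controls by the ALE they remove minus what they cost, and checks a chosen plan against a stated risk appetite.

```python
"""Annualised loss expectancy (ALE) for a constructed cyber-risk register.

Added illustration, not from the original article. All figures are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # likelihood the event occurs in a given year
    loss: float                # single-event loss in pounds, direct and indirect

    @property
    def ale(self) -> float:
        """Expected annual loss for this scenario alone."""
        return self.annual_probability * self.loss


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fraction by which the control cuts the probability of each named scenario
    probability_reduction: dict


def register_ale(scenarios) -> float:
    """Total expected annual loss across the whole register."""
    return sum(s.ale for s in scenarios)


def apply_control(scenarios, control):
    """Return a new register with the control's probability reductions applied."""
    return [
        Scenario(s.name,
                 s.annual_probability * (1 - control.probability_reduction.get(s.name, 0.0)),
                 s.loss)
        for s in scenarios
    ]


def evaluate_controls(scenarios, controls):
    """Rank each control on its own by net benefit (ALE avoided minus annual cost)."""
    baseline = register_ale(scenarios)
    results = []
    for c in controls:
        avoided = baseline - register_ale(apply_control(scenarios, c))
        results.append({"control": c.name, "cost": c.annual_cost,
                        "ale_avoided": avoided, "net_benefit": avoided - c.annual_cost})
    results.sort(key=lambda r: r["net_benefit"], reverse=True)
    return results


def plan_residual(scenarios, chosen_controls) -> float:
    """Residual ALE once every chosen control is applied in turn."""
    for c in chosen_controls:
        scenarios = apply_control(scenarios, c)
    return register_ale(scenarios)


def within_appetite(scenarios, chosen_controls, appetite: float) -> bool:
    """Does the residual expected annual loss sit inside the board's stated appetite?"""
    return plan_residual(scenarios, chosen_controls) <= appetite


# Constructed register: probabilities and losses are placeholders for illustration.
SCENARIOS = [
    Scenario("ransomware", 0.10, 800_000),            # ALE 80,000
    Scenario("misdirected email", 0.50, 20_000),      # ALE 10,000
    Scenario("supplier compromise", 0.05, 1_200_000), # ALE 60,000
]

# Constructed controls: costs and reduction factors are placeholders too.
CONTROLS = [
    Control("offline backups + tested restore", 25_000, {"ransomware": 0.6}),
    Control("DLP prompt on external recipients", 15_000, {"misdirected email": 0.8}),
    Control("supplier access review + MFA", 20_000,
            {"supplier compromise": 0.5, "ransomware": 0.1}),
]

if __name__ == "__main__":
    print(f"Baseline ALE: £{register_ale(SCENARIOS):,.0f}")
    for r in evaluate_controls(SCENARIOS, CONTROLS):
        print(f"{r['control']:<38} avoided £{r['ale_avoided']:>9,.0f} "
              f"cost £{r['cost']:>7,.0f} net £{r['net_benefit']:>9,.0f}")
    plan = [CONTROLS[0], CONTROLS[2]]
    print(f"Residual ALE with top two controls: £{plan_residual(SCENARIOS, plan):,.0f}")
    print("Within £100k appetite:", within_appetite(SCENARIOS, plan, 100_000))
```

With these placeholder numbers the DLP control has a negative net benefit on expected-loss grounds alone, which is exactly the kind of conversation the article says boards can have once a risk is expressed in pounds and probabilities; a real register would also weigh the maximum single loss against what the business could survive, not just the annual average.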
About the author
George Ng leads product management, data science, risk modelling and engineering teams for analytics and data products. Prior to Guidewire, George was co-founder and CTO of Cyence, which was acquired by Guidewire in 2017. Previously, he was the Chief Data Scientist at Yarcdata. George has also worked as a Research Scientist at DARPA and US-CERT and as faculty at American. He received his PhD from UC Irvine and BA from UC Berkeley, both in Economics.