Quantifying the cost of cyber risk

As cyber evolves as a threat, companies are facing an increasingly complex enterprise risk management process. Knowing where to allocate money is just as important as knowing how much money to allocate.

Quantifying cyber risk is critical for C-suite executives, in particular the chief information security officer (CISO) and chief risk officer (CRO), looking to build a solid business case for enhancing cyber security, determining cyber insurance coverage, justifying additional headcount, and strengthening controls.

In 2015, Milliman was approached by a Fortune 50 company whose CISO was requesting millions of dollars from his board without articulating the magnitude of the risk or whether these investments would mitigate it. The perpetual requests for ever-larger investments made the board balk and demand a quantification of cyber risk before releasing additional funding.

Milliman worked with this company and came up with a methodology to evaluate its cyber risk profile and the potential organizational impact of a breach. Working with key stakeholders, Milliman identified the various threat vectors, potential assets that could be compromised, and security positioning. Milliman identified over 200 different parameters via internal key risk indicators, third-party data, and Milliman proprietary data and built a comprehensive model for the client that allowed for scenario development in order to determine the potential costs associated with various types of plausible events.

Milliman’s expertise and cyber model allowed the client to understand some of the more challenging questions associated with the cost of cyber exposure. Milliman was also able to provide a cost-benefit analysis, allowing the CISO to present a compelling business case for additional cyber security spend.

To read more about quantifying the cost of cyber risk and Milliman’s work with this Fortune 50 client, read this article by Milliman’s Neil Cantle, Chris Harner, and Lisa Henderson.
