CyberLoop CyberLoop

Click on each cyber hexagon to learn more

Managing cyber risk requires a circular strategy.

The Cyber Loop

Source: Aon Cyber Solutions

Incident Response Readiness (IR)

Assessment

Risk Quantification

Insurance

Cyber Data Ecosystem

Assessment: What’s At Risk And Where Are The Threats? During this phase, a company needs to determine: •Assets they need to protect •Most-probable threats •Current state of security and controls •Business behaviors impacting or related to critical assets or potential threats •How to balance business needs with cyber risk considerations Existing policies and procedures aren’t fail-safe. Assessments often reveal that many employees aren’t following them. As the assessment phase focuses on people, process and technology, it can give the organization a picture of its actual state of cyber resilience and position it to take steps to move toward an improved state of resilience. However, many organizations are challenged with decision-making that’s based on hypotheticals rather than assessment-derived information, says Pinson. “It is imperative to move from basing decisions on hypothetical risk to instead basing them on an understanding of the actual risk,” he says.

It’s imperative to move from basing decisions on hypothetical risk and instead, understand the actual risk."

—Adam Peckman, global practice leader at Aon Cyber Solutions

Risk Quantification: What Are The Potential Losses And How Are They Best Addressed? During this phase, a company needs to assess: •What sort of losses might we suffer in a cyber attack? •How are we making more data-driven security and insurance-investment decisions? •Can we measure and track our cyber costs? •Do we provide our executives and board actionable and intelligible insights on the importance of cyber risk? Financial quantification helps build consensus across the various teams that manage cyber risk as to the top challenges and business case for greater resources and capital. Insights derived from the assessment process will form the basis for dynamic modeling frameworks, which give organizations a better understanding of the potential impacts of various possible cyber events. This can then be fed back into the Cyber Loop. Organizations should follow a three-step approach to assessing cyber risks: •Scenario analysis. •Financial modeling of first- and third-party cyber exposures. •Stress testing assumptions of the organization’s existing cyber security road map, its cyber insurance strategy and capital expenditures for cyber security resilience.

Insights derived from the assessment process form the basis for dynamic modeling frameworks that can provide a better understanding of the potential impacts of various possible cyber events.

Insurance: Making The Risk-Transfer Decision During this phase, a company needs to: •Understand their exposures •Ensure they have an effective strategy to mitigate loss •Decide whether they should transfer a portion of their risk to the insurance market or pursue other risk-transfer strategies Often, companies that don’t handle credit card or personal data think they don’t need cyber insurance. Pinson says that’s wrong. “Two things that can impact any company have made it imperative for every company to consider cyber insurance: ransomware and business disruption.” This year’s Ponemon Intangible Assets report also found a disconnect in how organizations protect physical versus information assets. Organizations reported 60 percent of potential losses to physical assets were covered by insurance while only 16 percent of potential information-asset losses were covered.

Two things that can impact any company have made it imperative for every company to consider cyber insurance: ransomware and business disruption."

—Chad Pinson, president of Engagement Management at Aon Cyber Solutions

Incident-Response Readiness: Preparing To Deal With A Cyber Attack During this phase, a company needs to: •Create and practice an appropriate incident-response plan •Ensure the organization has the necessary people and tools in place to respond to a cyber event •Ensure those people are properly skilled and trained and that the tools are properly deployed and configured Incident-response readiness is proactive, and organizations that have engaged in the other aspects of the Cyber Loop will typically have a better experience responding to a cyber event, Pinson says. The response plans must be easy to follow and well practiced. It can be helpful to invite experienced professionals to present commonly encountered threat simulations and join in dry-run responses to those threats. Readiness assessments can also ensure that the response team is well trained, is ready to act quickly and confidently when a cyber incident occurs and has access to properly configured technology that is typically used in incident response.

Incident response readiness is proactive, and organizations that have engaged in the other aspects of the Cyber Loop will typically have a better experience responding to a cyber event."

—Chad Pinson, president of Engagement Management at Aon Cyber Solutions