The insurance industry has long been aware of the concept of risk aggregation. It refers to bundling the potential risk that organizations share through their books, assets, and similarities in order to gain a better understanding of the overall risk. Aggregate risk can impact businesses, regions, and industries, leading to significant financial losses, as in the case of a hurricane, where a cluster of insurance claims can be made for potential property damage.
While aggregate risk has been observed in the physical world, the concern now is about catastrophic cyber events that could have a far-reaching impact on businesses and economies worldwide. With cybercriminals getting bolder, the possibility that compounding cyber risk factors become a more significant concern is a reality that businesses must face. In this context, security professionals need to avoid getting caught up in clickbait headlines and instead rely on data-driven insights to understand the risks associated with the current threat landscape.
However, cyber risk differs from other forms of risk in that organizations can implement specific security controls to help prevent a catastrophe during a cyber incident. For instance, deploying applications to multicloud or regional clouds, implementing defensive measures against distributed denial-of-service attacks, and patching the latest severe vulnerability are some of the ways to reduce aggregate risk in cyber.
The rising number of vulnerabilities in the cyber landscape should not scare security professionals into thinking that all hope is lost. Mitigation is developing in parallel with the growing risk landscape, and we are getting smarter in our approaches to tackling cyber threats. In conclusion, instead of focusing on aggregate cyber risk at a broader level, organizations need to focus on the most significant risk areas specific to their industry or organization and address them first.
A Data-Driven Approach to Modeling Cyber Risk
Cybersecurity is manageable and can be properly underwritten, given the right data and technical expertise. More data exists on cyber risk than any other risk in the world, and using this massive amount of data to their advantage can help companies dramatically change the effect aggregate cyber risk has on organizations. A simulation run by Coalition against a sample of 5,000 top-growth US companies reveals that a cyber event with a one-in-250-year likelihood could cost more than $370 million in losses. Such an event could cost $30 billion in total losses when extrapolated across the entire US economy.
Examining aggregation technologies and vendors, the shared technology infrastructure on which aggregate cyber risk is built, reveals that cyber risks are not as interconnected as one might think. Assets aren’t all located in the same homogeneous physical locations or virtual environments, which reduces the probability of a catastrophic event. For example, if a cloud services provider were to suffer an outage, it is highly improbable that this would happen globally; it would instead affect specific companies or segments.
However, cyber risk cannot be eliminated, only managed. It is knowable and quantifiable, even if unpredictable. Therefore, companies need to be comfortable with change and use the right skills and mindset to understand cyber risk better, making informed decisions instead of being swayed by hype.
In conclusion, cyber risk is ever-changing, and the rising number of vulnerabilities in the cyber landscape demands a data-driven approach to modeling cyber risk. Organizations need to focus on the most significant risk areas specific to their industry or company and address them first to manage cyber risk. By being proactive about security controls and having the right mindset, businesses can tackle aggregate cyber risks efficiently and prevent them from becoming catastrophic.