Building a practical cybersecurity risk acceptance/risk transfer framework

Even the most prepared organizations can suffer a cybersecurity breach or data loss, and according to surveys, the majority of large organizations already have. The impact can be substantial, ranging from fines, lost revenue and out-of-pocket costs for credit monitoring to reputational damage, negative publicity and operational slow-downs.

Put simply, organizations must understand their exposure to threats (see the previous sections on cybersecurity risk assessment and data classification) in order to define processes for the acceptance and/or transfer of risk. The typical process for evaluating and addressing threats is prone to human bias, which unfortunately creates an altogether new risk.

The solution is leveraging a systematic, objective framework to define, evaluate and determine the disposition of any credible threats to data and information.

A formalized, objective risk acceptance and risk transfer structure reduces the likelihood of human bias, integrates diverse perspectives from across an organization and allows for a more holistic picture of the risk environment and related impacts.

The need for an objective framework: Cybersecurity and the fear of flying

Human beings are famously bad at understanding risk. The fact that driving is far more dangerous than flying does not stop people from calmly driving to the airport only to white-knuckle their way through a flight. While psychologists have identified numerous reasons for this, a particularly influential (and relevant) cause is the fact that the excitement and drama surrounding unlikely events actually strengthens memory of them – leading people to believe that rare events are more likely to occur than they actually are. (This is also why people believe they will win the lottery!)

In cybersecurity risk analysis, this phenomenon manifests itself as an overestimation of the risks we predict to be most significant and an underestimation of the everyday risks that may actually be more likely. Absent a systematic and objective risk framework, organizations often fall into a series of all-too-human mistakes. Specifically, the process for risk acceptance and transfer tends to be:

  • Reactive: Focusing on things that have gone wrong in the past.
  • Predictable: Uncovering risks that are already known at the start of the process, while overlooking risks that are unknown at the outset.
  • Isolated: Overestimating areas that impact the people and/or business function charged with facilitating the risk assessment.
  • Overconfident: Assuming areas that are currently running smoothly do not have any risks; effective processes reduce risks, they don’t eliminate them. Likewise, organizations sometimes assume cyber liability insurance reduces the need to address these issues. Cyber liability insurance is an important tool in risk management, but it is not a silver bullet.

Developing the framework

The process underlying risk transfer and risk acceptance is a cyclical, objective exercise that involves engaging stakeholders from across the organization and undergoing a systematic information gathering and assessment effort that is repeated at regular intervals. The key steps in a risk acceptance and risk transfer framework include the following:

  1. Identify key stakeholders across the organization - It is a common mistake to assign the task of identifying, assessing and dealing with risk to one area of the organization (IT for example). However, cyber-risk is an enterprise-wide issue that can occur anywhere in the organization. Stakeholders engaged in this process should include key leaders of product lines, compliance, legal, finance, HR, marketing/communications and anyone else with exposure to sensitive information – ranging from intellectual property (IP) to personally identifiable information (PII).
  2. Gather information from stakeholders - Information collection usually occurs through a combination of approaches, including surveys, one-on-one interviews, focus groups and work sessions. The cross-organization approach and diversity of participants will typically uncover divergent views of risks and the costs associated with them. Take a consumer goods manufacturer, for example. The product team might be concerned about IP on a lost laptop, while finance is focused on breached credit card information and HR is worried about safeguarding employees’ personal information. All of this underscores the need to bring in the right players. The information gathering effort should also include an exploration of impacts associated with risks.
  3. Inventory and evaluate the risks - In broad strokes, this should include an inventory of all of the data that exists, how it is gathered, where it is stored, who has access to it and how it is accessed. This should also outline the impact if the risk manifests across four key dimensions:
    1. Financial: Costs associated with lost share value, fines, lost sales, lawsuits, etc.
    2. Compliance: Depending on the nature of the problem and the industry, the possibility that a cyber breach would be associated with strict punitive action.
    3. Operational: Downtime or lost productivity associated with the risk.
    4. Reputational: The connection between the risk and organizational reputation, and the potential impact of a weakened reputation.
  Finally, this step would include an evaluation of the likelihood of the threat manifesting itself.
  4. Rate and prioritize risks - There are a variety of approaches to rating risk. Some are quite simple, such as applying a red/yellow/green rubric. Others are more involved, such as weighting methodologies that emphasize certain factors more than others. An example might be a company in a heavily regulated industry that rates compliance higher than other dimensions given a regulator’s ability to shut down its operation. The optimal approach will depend entirely on an organization’s unique needs, the nature of its business, and the locations in which it operates.
  5. Address and dispose - Once all threats are categorized, a determination must be made: will the organization accept, mitigate or transfer the risk? It is during this stage that an organization’s controls, and verification of those controls’ performance, come into play. Whatever the organization decides to do about an identified risk, the controls it puts in place and the evidence that those controls are performing as intended will be what matters.
    1. Accept the risk – If the likelihood or impact is sufficiently low, accepting the risk with no further action may be the appropriate path.
    2. Mitigate the risk – If the threat is determined to be high priority and action is needed to address the risk, the next step will be to execute a risk mitigation plan, including enacting proper controls to reduce likelihood or impact.
    3. Transfer the risk – If the threat is determined to be high priority but internal mitigation is not the solution, the decision may be made to transfer the risk by insuring against loss in the event the risk becomes reality.
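A weighted rating of this kind, carried through to an accept/mitigate/transfer disposition, can be expressed as a small scoring model. The following is an added example, not code from the article or from Baker Tilly; the 1 to 5 scales, the weights, the rubric thresholds and the sample register are all assumptions chosen to illustrate the steps above.

```python
# Added example (not from the original article): a minimal, objective risk-rating
# model using the framework's four impact dimensions plus a likelihood estimate.
# Scales, weights and thresholds are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Optional

DIMENSIONS = ("financial", "compliance", "operational", "reputational")

@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: dict      # dimension -> 1 (negligible) .. 5 (severe)

def weighted_impact(risk: Risk, weights: dict) -> float:
    """Weighted average of the four impact dimensions, still on the 1..5 scale."""
    total = sum(weights[d] for d in DIMENSIONS)
    return sum(risk.impact[d] * weights[d] for d in DIMENSIONS) / total

def score(risk: Risk, weights: dict) -> float:
    """Likelihood x weighted impact, range 1..25."""
    return round(risk.likelihood * weighted_impact(risk, weights), 2)

def rubric(s: float) -> str:
    """Red/yellow/green rubric; the thresholds (15 and 8) are assumed."""
    return "red" if s >= 15 else "yellow" if s >= 8 else "green"

def disposition(risk: Risk, weights: dict, can_mitigate: bool = True) -> str:
    """Green: accept. Yellow/red: mitigate if controls are feasible, else transfer."""
    if rubric(score(risk, weights)) == "green":
        return "accept"
    return "mitigate" if can_mitigate else "transfer"

# Two weighting schemes: equal weights, and a regulated-industry scheme that rates
# compliance above the other dimensions. REGISTER is a constructed sample, not real data.
EQUAL = {d: 1 for d in DIMENSIONS}
REGULATED = {"financial": 1, "compliance": 3, "operational": 1, "reputational": 1}
REGISTER = [
    Risk("Lost laptop with product IP", 3, {"financial": 3, "compliance": 1, "operational": 1, "reputational": 2}),
    Risk("Payment card data breach", 2, {"financial": 4, "compliance": 5, "operational": 2, "reputational": 4}),
    Risk("HR mailbox phishing", 4, {"financial": 2, "compliance": 3, "operational": 2, "reputational": 3}),
]

def rate_register(weights: dict, mitigable: Optional[dict] = None) -> list:
    """(name, score, colour, disposition) rows, highest score first; these are what stakeholders sign off on."""
    mitigable = mitigable or {}
    rows = [(r.name, score(r, weights), rubric(score(r, weights)),
             disposition(r, weights, mitigable.get(r.name, True))) for r in REGISTER]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Note that the card-breach risk is green (accept) under equal weights but yellow under the compliance-heavy scheme, which is exactly the kind of weighting decision the stakeholders need to agree on before sign-off.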

At this point, all stakeholders should approve and sign off on the decisions and outcomes. This is often the single most difficult part of the process as some stakeholders (finance and compliance, for example) will be more accustomed to taking responsibility for how risks are going to be managed than other stakeholders might be. Even so, the process is only effective if the organization chooses to own the risk – even those they have elected to transfer.

Next steps - Building a practical risk acceptance / risk transfer framework

Implementing a risk acceptance and risk transfer framework is easier said than done. Understandably, it is not always painless to be vocal about what could go wrong with systems that are within your control. At the same time, you may not have exposure to issues that are within someone else’s purview. It is a process that involves a lot of stakeholders and requires extensive collaboration.

For many organizations, it makes sense to bring a third party into the process to control the element of bias and provide an independent, objective sensibility to the effort. For those that choose to take matters into their own hands, the key is to define an accepted, objective and replicable process to ensure all risks are carefully understood and evaluated.

In the end, the payoff is a clear view of the risk exposure, associated costs (financial, compliance, operational, and reputational) and appropriate strategies to handle the risks. While the process itself will take some effort, it will also provide answers to many of the ‘what if’ questions that keep leaders up at night.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.