Quantifying Cybersecurity Risks

A cybersecurity risk modelling expert discusses the science of planning for an unpredictable data breach.

Cybersecurity breaches continue to ripple through the retirement plan industry, sometimes due to human error, sometimes occurring at third-party vendors.

But retirement providers are not alone. According to a recent report by cybersecurity risk modeling and management firm Kovrr, when considering S&P 500 companies, at least eight could see a 10% annual profit loss due to a cyberattack in the next year.

Yakir Golan, Kovrr’s co-founder and CEO, notes that while that may be a relatively small number of firms, those types of financial costs can have a “ripple effect” that can destabilize “investor confidence and the overall economy.”

PLANADVISER spoke to Golan about the risks and safety measures retirement services and financial firms can take.

PLANADVISER: The report shows that financial services firms are generally better protected from cybersecurity issues when compared to others. That said, as retirement plan assets house both money and client data, what are some ways these types of firms can go above and beyond?

Golan: The finance industry, largely due to its attractiveness to malicious cyberactors, is more regulated than other sectors, which is why financial institutions comparatively face some of the lowest financial damages in the wake of an event—both in the long and short term. However, compliance is merely one factor that contributes to the reduction in an organization’s financial exposure due to cyber risk.

Reaching a state of true cyber resilience also requires that all stakeholders, including board members and non-technical C-suite executives, take an active role in cyber risk management and learn how to integrate it into every high-level decisionmaking process. Given cyber risk’s potential to affect every aspect of the organization, from payment processes to supply chain logistics, it should be viewed as a broader business risk, managed with the same rigor and attention as any other.

PLANADVISER: How, specifically, can leaders incorporate a strong cybersecurity process?

Golan: While many of these stakeholders are starting to recognize [the] necessary mindset, they’ve had trouble implementing it due to cybersecurity’s notoriously complex nature. To rectify the situation and effectively elevate cyber resilience efforts to the next level, firms need to quantify cyber risk, translating the complex, technical terms into a language they’re already deeply familiar with, such as event likelihoods and resulting financial impacts.

With the quantified insights, it becomes much easier for decisionmakers to understand the type of loss scenarios their financial company is most exposed to, along with the monetary implications should such scenarios occur, allowing them to prioritize risk mitigation efforts accordingly.

Executives can likewise gain an understanding of the risk drivers that contribute the most to these financial exposure levels, such as their vulnerability to phishing scams or supply chain compromises, giving them an indication of where resources should be allocated.

PLANADVISER: The retirement space has been compromised by popular third-party vendors being hacked. How can companies best guard against that type of vendor risk?

Golan: Supply chain (“vendor”) issues are a growing concern for many organizations, as they should be, especially as cybersecurity leaders consolidate their solutions in the hopes of reducing operational inefficiencies and data-sharing challenges. While this trend undoubtedly has many benefits, the reliance on a single vendor opens up financial companies to a new level of risk that has to be taken into account long before any such consolidations occur.

Measuring this risk cannot be done simply by relying on benchmarks or basic assessments. Institutions need to understand the degree of vulnerability that this aggregated risk introduces specifically to their risk exposure profile. To obtain this information, they can leverage on-demand cyber risk quantification models, which simulate the complexity of an organization’s supply chain and pinpoint the top associated risks. 

By adopting a CRQ solution, financial institutions can gain insights into how much their usage of a specific cloud solution or relationship with a third-party service provider exposes them to financial losses. For example, an organization may discover that utilizing WordPress as a content management system exposes them, on average, to a $5 million loss. Harnessing this data, stakeholders can then make more informed decisions, such as opting for a CMS solution that introduces less financial risk. …

While ‘full defensibility’ against third-party cyber risk is unachievable, cybersecurity leaders … operationalize their findings to reduce these financial exposure levels. Instead of consolidation, for instance, diversification may be the better choice despite the challenges it brings. Cyber risk managers can likewise invest in tailored incident response plans according to the scenario that is most likely to cause substantial financial losses. If the CMS poses the most significant monetary threat, then the most strategic move would be to implement data backup mechanisms.
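The quantification approach Golan describes in the two answers above (each risk driver expressed as an event likelihood and a financial impact, ranked so that mitigation spend can be prioritised, then extended to third-party and CMS exposure and compared against a business threshold such as a share of annual profit) can be illustrated with a small model. The Python below is an added example written for this page, not code from Kovrr or from the interview; every scenario rate, loss range and profit figure in it is constructed for illustration, and the Poisson-frequency / lognormal-severity choice is a common CRQ modelling assumption rather than anything the article specifies.

```python
"""Added example: a toy cyber risk quantification (CRQ) model.

Each loss scenario ("risk driver") is described in the terms the interview
recommends: an event likelihood (expected events per year) and a financial
impact (a range of per-event losses). A Monte Carlo simulation then turns
those inputs into annualised loss figures that can be ranked and compared
against a business threshold such as a share of annual profit.
All scenario figures below are constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass

# z-score of the 90th percentile of a standard normal; used to fit a lognormal
# severity curve to a subject-matter expert's "10th to 90th percentile" range.
Z90 = 1.2816


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # likelihood: expected event count (Poisson rate)
    loss_p10: float          # impact: 10th percentile loss per event, USD
    loss_p90: float          # impact: 90th percentile loss per event, USD

    def lognormal_params(self):
        """Return (mu, sigma) of the lognormal severity matching p10/p90."""
        lo, hi = math.log(self.loss_p10), math.log(self.loss_p90)
        return (lo + hi) / 2, (hi - lo) / (2 * Z90)

    def analytic_expected_annual_loss(self):
        """Closed-form ALE = rate * E[loss]; used to sanity-check the simulation."""
        mu, sigma = self.lognormal_params()
        return self.events_per_year * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, rate):
    """Knuth's Poisson sampler (adequate for the small rates used here)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenarios, years=20000, seed=7):
    """Simulate independent years; return per-scenario annual losses and yearly totals."""
    rng = random.Random(seed)
    params = {s.name: s.lognormal_params() for s in scenarios}
    per_scenario = {s.name: [] for s in scenarios}
    totals = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            mu, sigma = params[s.name]
            n_events = poisson(rng, s.events_per_year)
            loss = sum(rng.lognormvariate(mu, sigma) for _ in range(n_events))
            per_scenario[s.name].append(loss)
            year_total += loss
        totals.append(year_total)
    return per_scenario, totals


def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def rank_risk_drivers(per_scenario):
    """Rank drivers by expected annual loss (mean over simulated years), descending."""
    summary = []
    for name, losses in per_scenario.items():
        summary.append({
            "driver": name,
            "expected_annual_loss": sum(losses) / len(losses),
            "p95_annual_loss": percentile(losses, 0.95),
        })
    return sorted(summary, key=lambda r: r["expected_annual_loss"], reverse=True)


def exceedance_probability(totals, threshold):
    """Share of simulated years in which the aggregate loss exceeds the threshold."""
    return sum(1 for t in totals if t > threshold) / len(totals)


# Constructed scenarios (not figures from the article or from Kovrr).
SCENARIOS = [
    Scenario("phishing / credential theft", 2.0, 20_000, 400_000),
    Scenario("third-party vendor compromise", 0.3, 500_000, 10_000_000),
    Scenario("CMS platform compromise", 0.1, 1_000_000, 20_000_000),
]
ANNUAL_PROFIT = 50_000_000  # constructed; the threshold below is 10% of it


def run_report(scenarios=SCENARIOS, profit=ANNUAL_PROFIT):
    per_scenario, totals = simulate(scenarios)
    ranking = rank_risk_drivers(per_scenario)
    p_material = exceedance_probability(totals, 0.10 * profit)
    return ranking, p_material


if __name__ == "__main__":
    ranking, p_material = run_report()
    for row in ranking:
        print(f"{row['driver']:<32} ALE ${row['expected_annual_loss']:>12,.0f}"
              f"  95th pct ${row['p95_annual_loss']:>12,.0f}")
    print(f"P(annual loss > 10% of profit) = {p_material:.1%}")
```

The ranking is what lets a non-technical executive see which driver deserves the next dollar of mitigation, and the exceedance probability is the kind of figure behind a statement like "a 10% annual profit loss in the next year". Swapping a vendor or CMS scenario for a lower-severity alternative and re-running the report is the "compare the financial risk of two solutions" exercise the interview describes; the closed-form `analytic_expected_annual_loss` is there so the Monte Carlo output can be checked against the model's own assumptions rather than trusted blindly.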
