Understanding Cyber Risk Management

Cybersecurity risk management, which is part of information security risk management, is a shared responsibility across all business levels, emphasising collective vigilance to protect against digital threats.

Business and IT leadership are pivotal in this. Their role is to make risk management decisions. In doing so, they allocate resources and budgets to higher-risk areas and so prioritise strategic cyber security spend. Through their responsibility to the board and external stakeholders, they ensure investments align with risk tolerance and enhance investor confidence.

Technical IT staff, including cyber security staff, also play a core role in cyber security risk management. They are responsible for identifying vulnerabilities, assessing cyber risks and implementing remediation measures to mitigate them. Being on the front line, skilled and well-organised technical staff can distinguish between a highly effective risk management strategy and one that fails to adequately protect the business against cyber threats.

Other staff within the business are also key to effective cyber security risk management. Personnel are often the first line of defence against many forms of cyber attacks. For instance, a large proportion of ransomware attacks will begin with phishing attacks or targeted email malware attacks. Vigilant and well-trained staff can not only identify and thwart such attacks by not opening emails or clicking links but, crucially, through informing cyber security, can alert the rest of the organisation that they are under attack.

A cyber risk refers to the potential harm a business may face due to a cyber security incident or breach. This can encompass various scenarios, including data breaches, malware infections, ransomware attacks, or system disruptions.

A cyber incident's harm or business impact can be substantial, leading to financial losses, reputational damage, legal liabilities, and operational disruptions. However, not all cyber incidents are large, and some can have a relatively small impact.

The potential for a security incident to occur, or its likelihood, can range from being extremely likely to very unlikely. For instance, a business with a good security posture may be less likely to suffer an incident than one with no security controls in place at all.

A cyber risk is, therefore, an understanding of the combination of business impact and likelihood. Measuring the level of risk enables cybersecurity risk management decisions to be made.

Measuring risk is pivotal for businesses on two key fronts. Firstly, it provides a real-time snapshot of the organisation's current cyber security position. It presents a simplified view of how ‘at risk’ a business is from a cyber security attack.

Secondly, it informs cybersecurity risk management decisions, enabling the prioritisation of resources and budgets, facilitating risk comparisons, and aiding in informed risk acceptance.

Ultimately, this risk-driven approach enables businesses to make strategic cyber security decisions, fortifying their digital resilience and protecting their data and operations.

Effective risk measurement enables each risk to be given a cyber risk rating.

Qualitative and quantitative risk analysis are two distinct approaches for measuring risk.

Qualitative risk analysis involves subjective assessments based on factors such as expertise and experience. It identifies risks qualitatively, categorises them as high, medium, or low, and provides a broad understanding of risk exposure. Strengths include simplicity, cost-effectiveness, and flexibility in early-stage risk identification. However, its subjectivity can lead to imprecise risk prioritisation and decision-making.

Quantitative risk analysis, on the other hand, uses data-driven analysis to assign numeric values to risks. It quantifies each risk's likelihood and potential impact, offering a precise assessment of risk exposure. Its strengths lie in accuracy and the ability to prioritise risks effectively. However, it can be resource-intensive and relies heavily on accurate data, which may not always be available.

Choosing between these approaches depends on the organisation's resources, risk complexity, and goals. Often, a combination of both methods strikes the right balance, leveraging the strengths of each to make well-informed cyber security risk management decisions.

At Nicolson Bray, we use a blended method, defining particular business impacts numerically. For instance, we focus on direct financial or future revenue loss and the impact certain losses would have on the business's ability to deliver on its strategic goals.

We build this picture through our engagements with senior business leaders and use it to inform our qualitative risk judgements later in the risk management process.

The measurement of cyber risk involves two critical variables: business impact and likelihood.

Business Impact is a measure of the harm a cyber incident could inflict on the organisation's operations, assets, reputation, or financials. It involves understanding both tangible consequences, such as financial loss and legal liabilities, and intangible consequences, such as reputational damage and customer trust erosion.

Likelihood is a measure of the probability of a specific cyber incident occurring. This considers factors like historical data, threat intelligence, and security controls in place. It gauges the chances of an event occurring, from highly unlikely to almost certain. Understanding likelihood allows for targeted risk mitigation efforts, focusing on scenarios with higher probabilities of occurrence.

Once an understanding of business impact and incident likelihood has been built, a risk assessment matrix is commonly used to factor these two variables together, such that overall risk measurement is a consideration of both variables.

For more details on cyber risk measurement, please see our article on cyber security risk assessment.

Effectively utilising business impact and likelihood in conjunction with a risk assessment matrix forms a robust methodology for organisations to measure, prioritise and address cybersecurity risks strategically and effectively. This facilitates informed decision-making, directing resources towards the most critical vulnerabilities and threats.

Cybersecurity risk assessments can be scoped at either a business level or technical level, each with its own focus and boundaries:

A business-level assessment can be carried out at the company, business unit, or regional level. The output tends to be strategic in nature, revealing high-level risks that often require company-wide solutions. For instance, identifying the need to implement MFA across a business or defining a cyber security incident response plan.

A technical-level assessment narrows its focus to specific technical components or assets within the organisation. This could be at the application or infrastructure level, for instance, related to a particular SaaS platform, key product, cloud infrastructure or network.

The output tends to be tactical in nature, involving configuration, architectural, or procedural changes. However, strategic issues can also be detected and remediated in some cases.

The frequency of assessments is tightly linked to change. If the world stayed still and nothing changed, there would be no need to revisit and reevaluate risks. However, businesses do change both in their business activities, such as entering new markets, and technical activities, such as commissioning new systems. At the same time, the threat landscape also changes, such as the aforementioned ransomware threat.

These are all essential triggers for assessment. For this reason, at Nicolson Bray, we recommend conducting business-level cyber security health checks on at least a bi-annual basis. On the technical level, we recommend carrying out assessment activities as part of any major technical change activity, such as redesigning a SaaS product or moving to a cloud infrastructure.

Well-defined risk ownership is critical for effective cybersecurity risk management. It establishes accountability within organisations, ensuring that specific individuals or teams take responsibility for managing cyber risks.

This clear ownership fosters proactive risk management, timely responses, and a robust security culture, safeguarding digital assets and reputation.

Risk ownership should rest at a senior level where decision-making authority and budget control reside. If risk owners do not also own a budget, they cannot realistically be expected to resolve risk issues.

In addition, while many vulnerabilities are technical, cyber risks fundamentally impact the business. For this reason, business domain leaders should own and manage these risks effectively, aligning security efforts with broader strategic objectives and ensuring resources are allocated efficiently.

Where risk ownership is delegated to technology leadership, conflicts of interest can arise that realistically are business decisions, not technology decisions. As a simplified example, if a business wants both to implement a new technical product enhancement and also to resolve a serious cybersecurity risk within the same product but only has a budget for one, this is a business decision, not a technical one.

The risk ownership should lie with the business product owner, and not the technical product owner, as ultimately, they own the P&L for that product. In this example, the budget is then assigned to the technical product owner to resolve the risk.

Cyber risk mitigation is a core management strategy aimed at reducing the likelihood and impact of security risks. Mitigation involves implementing a combination of technical and procedural controls to enhance an organisation's security posture.

Technical controls provide technical defences against threats, while procedural controls establish policies and practices to ensure that employees correctly configure, maintain, and use these defences correctly.

Examples of technical controls:

Examples of procedural controls:

Effective risk mitigation often combines technical and procedural controls to comprehensively address risks. For example, implementing a firewall (technical control) is enhanced when complemented by a security policy (procedural control) that defines how the firewall rules should be configured and updated.

Cyber risk mitigation is an ongoing process that adapts to evolving threats and vulnerabilities. By combining technical and procedural controls, organisations can significantly reduce their exposure to cyber risks and enhance their overall cyber security posture.

Risk avoidance is a proactive risk management strategy that involves steering clear of activities, technologies, or practices that present a high level of risk. The goal is to prevent potential harm and protect sensitive assets by eliminating exposure to specific threats or vulnerabilities.

Avoiding high-risk third-party vendors or service providers that do not meet adequate cyber security standards. This reduces the risk of data breaches or supply chain attacks associated with unreliable partners.

In the context of business operations, a company may decide to avoid entering new markets where there is a high level of cyber security risk. For instance, not entering into Chinese or Russian markets. By doing so, they reduce exposure to potential cyberattacks or financial risks associated with such ventures.

Risk avoidance is a valuable strategy when the potential impact of a high-risk activity outweighs the benefits and when alternative approaches or solutions are available to achieve the organisation's objectives while minimising cyber security exposure.

Risk transfer is a cyber security risk management strategy involving the transference of risk to a third party via insurance or outsourcing.

Organisations often transfer cyber risks through the use of cyber insurance policies. These policies are designed to provide financial protection in the event of a cyber incident, covering costs associated with data breaches, legal liabilities, business interruption, and recovery expenses.

By purchasing cyber insurance, businesses shift a portion of their financial risk to the insurance provider, helping to mitigate the potential financial impact of cyberattacks.

Another form of risk transference occurs when organisations outsource certain functions or services to third-party providers. For example, companies may utilise payment processors that are Payment Card Industry Data Security Standard (PCI DSS) compliant to handle credit card transactions.

By doing so, they transfer the regulatory responsibility and associated risks of securing cardholder data to the payment processor, reducing their own compliance and security burdens.

a. Contractual Agreements: When transferring cyber risks to external parties, it's crucial to establish clear and comprehensive contractual agreements that define the responsibilities and liabilities of both parties. These agreements should outline cyber security requirements, incident response procedures, and the scope of risk transfer.

b. Vendor Due Diligence: Organisations should conduct thorough due diligence when selecting third-party vendors or service providers. Assess the vendor's cyber security practices, compliance with relevant regulations, and incident response capabilities. Ensuring that vendors meet established security standards is vital for effective risk transference.

c. Continuous Monitoring: Even after transferring cyber risks, organisations should maintain vigilance by monitoring the performance and security practices of third-party vendors. Regular assessments and audits help verify ongoing compliance and the effectiveness of risk transfer mechanisms.

d. Coverage Limits: When using cyber insurance, it's important to carefully review policy terms, conditions, and coverage limits. Organisations should ensure that the insurance adequately covers the types of cyber risks they face and the potential financial impact of a cyber incident.

e. Cyber Risk is Never Fully Transferred: Whilst contractually risk can be transferred, this often only covers tangible consequences. Intangible consequences such as reputational impacts and erosion of client trust are significantly harder to transfer and always remain with the business.

Risk transference is a valuable strategy for managing cyber risks, but it requires careful planning, due diligence, and continuous oversight to ensure that risks are effectively transferred and managed by external parties in a way that aligns with the organisation's security objectives and financial protection needs.

Risk acceptance is a cyber security risk treatment strategy where an organisation consciously acknowledges and chooses not to take additional measures to mitigate or transfer specific cyber risks. Instead, the organisation accepts these risks as they are, understanding that the potential consequences, while recognised, do not justify the cost or effort of further risk reduction.

Organisations often weigh the cost of implementing additional security measures against the potential consequences of a cyber incident. If the cost of further risk reduction measures exceeds the expected losses from a cyber event, they may opt to accept the risk.

Low impact, low likelihood risks: Organisations may accept cyber risks when the potential impact of an incident is low, and the likelihood of it occurring is also minimal. The cost of implementing extensive security measures may outweigh the potential loss in such cases.

Risk mitigation not feasible: Some risks may be inherent to the organisation's operations or industry. For example, a small business with limited resources may accept certain risks because implementing advanced security controls may not be financially feasible.

Strategic decision: In certain cases, organisations may accept risks as part of a strategic decision. For instance, a company might prioritise rapid innovation and decide to accept the risks associated with fast development cycles rather than slowing down for more comprehensive security enhancement and testing.

Below risk profile: A key part of cyber security risk management is agreeing upon a risk profile for the business. For instance, a business might decide that they are comfortable running with a medium level of risk.

As such, risks of medium and low severity can be accepted as they are on par or below the risk profile. Different risk profiles may be associated with different levels of seniority or decision-making authority within the organisation.

So, a low risk might be acceptable at the Manager level, whereas medium risks might require board sign-off.

Temporary acceptance: In some instances, organisations may temporarily accept risks due to budget constraints or resource limitations. They will then revisit risk treatment options when circumstances change.

A risk register is a structured document or database that serves as a central repository for recording and managing information about cyber security risks within an organisation. It plays a crucial role in the overall cybersecurity risk management process. It can range from being stored in an Excel spreadsheet to being logged in a GRC – Governance, Risk & Compliance – system.

It should be kept up to date to reflect the current risk posture of the business. So, when risks are either fully or partially mitigated, the risk register should be updated, and when new risks are discovered, the risk register should also be updated.

When risk reports are requested by senior management or the board, a ‘cut’ of the risk register should be taken to give them the insight they require.

In effect, the risk register should be the golden source of cyber risk information within the business.

Risk description: The register provides a detailed description of each identified cyber risk. This description includes outlining the business impact of the risk and the type of cyber security event that would lead to it occurring. It should also include a description of any deficient technical or procedural controls.

Risk ownership: A critical aspect of the risk register is assigning ownership of each risk. This identifies the individual or team responsible for risk management decisions. Clear ownership ensures accountability and effective risk management.

Risk management decision: The risk register should record the risk management decision made by the risk owner.

Implementation date: This is the date by which the risk management decision should be implemented. This is key for ensuring risk owners meet their obligations.

Risk status: The register tracks each risk's current status, indicating whether or not the risk management decision has been executed. This status is regularly updated as risk management decisions are implemented.

Original risk rating: The original risk rating is recorded in order to understand the effectiveness of risk management within the business.

Current risk rating: As risk management decisions are implemented, the current risk rating is updated to provide a live understanding of risk within the business.

Risk review date: This is the date that the risk should be reviewed by to ensure it is still up-to-date and relevant.

“No man is an island”, and nor should be cyber risk management. Where businesses have risk management frameworks and processes in place for other types of risk, such as operational risk, cyber risk should be integrated as much as possible.

For instance, where there is already an established process for measuring risk within a business, cyber risk should be measured in a similar way. Most importantly, the final risk ratings should have the same significance and meaning.

In addition, where possible, cyber risks should be logged in the same risk register and be reported in the same way.

Care should, however, be taken to ensure this does not hamper cyber risk management. If the risk register is not flexible enough to incorporate cyber risk requirements, a separate register can be maintained until such flexibility is provided.