Insufficient Investment, Skills and Data Causing Significant Challenge to Global Banks and Insurers' Efforts to Quantify Cyber Risk Says ORX

  • 02.03.2022 09:00 am

Cyber is one of the top risks facing the financial services industry, but organisations are still working out the best way to quantify it, according to a report by ORX, the world’s largest association of operational risk professionals.

30 major global banks and insurers took part in the latest ORX Cyber study: ‘Cyber risk management: The journey to cyber risk quantification’, which provides insights into current practice, challenges and the future direction of cyber risk quantification.

The research was carried out as part of the ORX Cyber service and is based on data collected from a survey of ORX member firms and subsequent discussion groups.

The top three challenges to risk quantification highlighted by respondents were:

1) Data issues

Traditional data-driven models often require specific data sets that are challenging to obtain or may not even exist. This can result in a more subjective approach based on subject matter expert input.  

2) Scarcity of skills

67% of firms are relying on on-the-job training, with the support of external online training courses. Additional technical skills that could be gained externally are often too scarce and/or expensive.  13% of participant firms have no specific training at all in place. 

Of the 83% of organisations that have made a notable investment in cyber risk quantification, there is a clear consensus (67%) that the most significant benefits are realised when investment is made in specialised skills or in upskilling existing staff members.

3) High cost/cost inefficiency

Enhancing quantification approaches and outcomes requires investment in skills, data and tools. This in turn requires buy-in and support from senior management. Amidst a lack of consensus on best practice and questions over whether traditional risk quantification techniques are adequate, a lack of commitment to investment can be a real barrier to effective cyber risk quantification.

The approaches taken by organisations to cyber risk quantification are driven by their objectives, which are influenced by these challenges. 17% of firms do not have true risk quantification in place, focusing rather on more qualitative approaches to assist with risk management.

A further 37% typically use the same approach for modelling cyber risk as the one that is used for other operational risks within their organisation, typically with a focus on capital requirement calculations. 

Only just over a quarter (27%) of firms use factor/exposure-based models (for example the FAIR/FAIR-CAM framework, or the XOI approach). These models focus on underlying objective risk drivers in preference to historic or subjective data sets. These are considered not only more readily available but also more reliable. 

Despite there currently being no one best way to approach cyber risk quantification, there is widespread acknowledgement of its crucial role in understanding cyber risk exposure to support many strategic and operational objectives across organisations.  

Steve Bishop, director of research & Information at ORX and co-author of the report said: “Cyber quantification is a real challenge. Risk experts are struggling to gain sufficient investment to develop their methods, particularly given the lack of industry consensus on best practice and a shortage of data and skills.

“We know that cyber continues to be a significant risk. Whilst it is clear there is no “one size fits all” solution, industry peers are keen to work together through ORX Cyber to develop their practice, including the use of internal and external data.”

The report recommends 10 ways to enhance cyber risk quantification in your organisation.

· Clearly state your objectives before you start

· Know what resources you have available to you and their skill sets

· Be realistic regarding your available input data and know your data sources

· Know what value tools and technology can add and use them

· Leverage knowledge or tools that are already available in your organisation

· Structure your teams to ensure collaboration and that the right people are assigned to the right roles

· Invest in skills through upskilling and hiring

· Know how your stakeholders define success and value to ensure investment can be secured

· Think to the future; know your long-term objectives, ensure your approach is scalable and stay up to date with industry trends

· Ensure you select an approach that is both
