Security Risk Management

Cyber Risk Emerges as an Independent Category of Enterprise Risk Reporting

Michael Duffy | October 22, 2013

Mike-DuffyThis post is contributed by guest blogger Michael Duffy, a member of BitSight's Board of Directors.  

With the growth in the number and sophistication of cyber threats and the daily reports of security breaches, cyber risk is high on the list of the most significant risks that organizations face. In fact, according to Lloyds Risk Index 2013, cyber risk is now the third biggest concern of CEOs and their senior executives, following high taxation and loss of customers. These threats and the potential risks call for a rethinking of the right way to approach managing cyber risk in the context of enterprise risk management (ERM). 

Organizations have traditionally included cyber risk in the context of the IT risk management pillar under the domain of the CIO.  IT risk management has always focused on security risk but also is responsible for the risks associated with the key areas of internal operations such as IT controls, availability, disaster recovery and performance. 

But due to the dramatic increase in sophisticated corporate cyber attacks, including the emergence of state sponsored cyber terrorism, companies need to step back and think about cyber risks in terms of not just IT risk but also the broader context of ERM.  Cyber risks, which are based on threats and attacks outside of the enterprise, now need to be measured, monitored and reported on separately as they can have serious implications for the business across ERM categories like strategic risk or reputational risk. By elevating the reporting of cyber risk in the context of ERM, senior business leaders will have better visibility into the true risks faced by the business.  

Further, with many businesses adopting cloud-based services, managing cyber risk has become even more important as organizations extend their networks to connect with business partners, such as suppliers and service providers, and these organizations are looking for new ways to manage this risk.   What’s missing is reliable data on their cyber risk posture across their ecosystem.

Credit risk managers have historically enjoyed the benefit of relying on ratings from third-party firms that provide a reliable assessment of credit based on market and product analysis.   IT risk managers need a similar system for cyber risk.  These independent  ratings empower IT risk management to understand the state of cyber risk arising from both the corporate and extended partner network.  Qualified cyber risk rating firms have emerged providing risk managers a valuable tool in understanding the state of cyber risk to extended corporate networks. 

Cyber risk still should be included in the IT “uber” category for ERM to identify IT risk’s potential impact on the business. But moving forward, given the level of threat and pervasiveness of the risk, cyber risk should be measured, monitored and reported on separately in the context of ratings from qualified cyber risk rating firms.

Suggested Posts

Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...


3 Ways to Ensure Best-in-Class Third Party Cyber Risk Management

An effective third party cyber risk management program both identifies potential threats and finds ways to mitigate them. Organizations should aspire to the highest possible standards when it comes to their security posture. To do so, they...


Cyber Risk Should Be A Growing Concern to the Municipal Bond Market

Following an increase in ransomware cyber attacks, most notably May 2017’s WannaCry attack, U.S. public sector entities are starting to see the effects of these attacks on the almost $4 trillion municipal debt market. As a result, issuers...


Subscribe to get security news and updates in your inbox.