Understanding Financial Risk Exposure in SAFE

Introduction


Cyberattacks are a major concern for global business leaders; the World Economic Forum ranks them as the number one man-made risk for businesses worldwide. According to the 10th Allianz Risk Barometer (2021), business interruption, cyber incidents and pandemic outbreaks were the top three global business risks for 2021.

Despite budget constraints caused by the significant shift in work culture in 2020, cybersecurity remains one of the top investment areas. Without a metric for the financial impact of a data breach, however, business leaders, boards and executives cannot appreciate the actual cost to the business. Quantifying cyber risk in business terms is a recognized and globally accepted way to represent it, according to Gartner's 2020 hype cycle for cyber risk quantification.

Enterprise risk is a function of the breach likelihood and business consequences.

Formula
Enterprise Risk = Breach-likelihood x Business Consequence

Risk quantification helps CISOs and CROs make decisions and build strategy by putting a dollar value on the associated risks, which in turn gives them a strong business case to take to the board.

SAFE


SAFE scores the breach likelihood of Assets, Employees, Lines of Business (or Crown Jewels), Cybersecurity Policies, Cybersecurity Products, and First-Party and Third-Party risk with an enterprise-wide, objective, real-time score.

Combined with that likelihood, SAFE reports the Overall Risk, or Expected Loss: the financial impact of the breaches expected to occur to the organization in the next 12 months.

In summary, the output from SAFE includes:

  1. A breach-likelihood score (SAFE Score)
  2. The expected loss in terms of dollar value - the financial impact of a data breach

Use Cases


Use Cases and Details

Simulate Financial Loss & get insights to reduce it
  • Identify the likelihood of attack for the coverage inclusions
  • Based on the likelihood, assess the expected annual financial loss (with and without insurance)
  • Bridge the disconnect between CISO and CFO on the existing cyber insurance policy

Visibility into existing Cyber Insurance
  • Bridge the disconnect between CISO and CFO on the existing cyber insurance policy
  • Give users a dedicated page to upload, view and edit their insurance policy

Policy Negotiation and Underwriting
  • Purchase the right cyber insurance
  • Negotiate for a higher sub-limit based on the SAFE score at the time of renewal

Breach Cost Calculator


SAFE estimates the financial impact of a data breach for an organization using the Breach Cost Calculator. This calculator is based on cyber loss data from different sources, industry study reports, and insurance claims reports, among other resources. The customer answers a few simple questions relevant to their organization, such as their geography, industry type, and the type of data they deal with.

The calculator outputs the financial impact (the severity of a loss) given an event (a data breach or cyber attack) and the expected annual loss. The financial impact is a range rather than a single number: an upper-bound loss, a lower-bound loss and a most-likely loss amount. The expected annual loss combines the likelihood of an event, its loss severity and the details of any cyber insurance coverage the organization holds.

Overview of the Breach Cost Calculator structure

[Figure: Snapshot of the Breach Cost Calculator]

An organization's financial impact is estimated from the answered questions and the underlying cyber loss data. This financial impact is then combined with the likelihood of breach (a function of the SAFE score) using a statistical technique called Monte Carlo simulation to estimate the expected annual loss.

Monte Carlo simulation and Loss Exceedance curve


Monte Carlo Simulation

Monte Carlo simulations are used to model the probability of different outcomes in a process that cannot easily be predicted due to the intervention of random variables. It is a technique used to understand the impact of risk and uncertainty in prediction and forecasting models.

A Monte Carlo simulation can be used to tackle a range of problems across fields such as finance, engineering, supply chain and science. It takes each uncertain variable and draws a random value for it, runs the model and records the result. The process is repeated many times, each run drawing different values for the uncertain variables. Once the simulation is complete, the results are aggregated (typically averaged) to provide an estimate and a distribution of outcomes.

Loss Exceedance Curve (LEC) 

Loss Exceedance Curve (LEC) is a result of the Monte Carlo simulation. It shows the chance that a given amount would be lost in a given period of time (e.g., a year) due to a particular category of risks. A risk curve could be constructed for a particular vulnerability, system, business unit, or enterprise. The Loss Exceedance Curve (LEC) can show how a range of losses is possible (not just a point value), and that larger losses are less likely than smaller ones.

The typical low/medium/high approach lacks the specificity to say that "seven lows and two mediums are riskier than one high" or "nine lows add up to one medium," but this can be done with LECs.

"Expected loss" is the average of the Monte Carlo simulation losses due to some cause. If we applied controls to reduce risk and simulated a new set of losses, the average of those losses would be lower, either by reducing the chance of any loss, by reducing the impact of the loss events that do occur, or both.

Cyber Insurance


What is Cyber Insurance?

Cyber insurance is a contract that an entity can purchase to help reduce the financial risks associated with doing business online. In exchange for a periodic fee, the insurance policy transfers a part of the risk to the insurer.

Need for Cyber insurance

The loss, compromise, or theft of electronic data can have a negative impact on a business, including the loss of business continuity, customers, and revenue. In addition, businesses may be held liable for damages stemming from the theft of third-party data. Cyber liability coverage is important to protect businesses against the risk of cyber events, including those associated with nation-state espionage. Cyber-risk coverage can assist in the timely remediation of cyber attacks and incidents.

Businesses that create, store and manage electronic data online, such as customer contacts, customer sales, PII, and credit card numbers, or provide their services to customers online can benefit from cyber insurance.

How can SAFE help organizations with cyber insurance?

SAFE has mapped the different categories of cyber insurance coverage or losses to the internally calculated likelihood of breach due to different types of cyber risks.

Along with the inputs from the Breach Cost Calculator, SAFE also takes the details of the cyber insurance the customer has purchased: the cover amount, the deductible amount, and the sub-limit for each loss category. These inputs feed the estimate of the expected annual loss.

If a customer has cyber insurance cover and has answered the relevant questions, the annual expected loss amount is lower, because a proportion of the inherent cyber risk is transferred to the insurer. A customer with no cyber insurance coverage bears the losses alone, so the full annual expected loss amount falls on them.

SAFE estimates the annual expected loss amount in both the scenarios - with and without insurance.

Definitions of some Insurance terms

Sublimit is a limitation in an insurance policy on the amount of coverage available to cover a specific type of loss. In other words, it places a maximum on the amount available to pay that type of loss rather than providing additional coverage for that type of loss.

In an insurance policy, the deductible is the amount paid out of pocket by the policyholder before an insurance provider will pay any expenses. In general usage, the term deductible may be used to describe one of several types of clauses that are used by insurance companies as a threshold for policy payments.
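The following is an added worked example, not SAFE's own model or code. It ties together the Monte Carlo and Loss Exceedance Curve section above with the insurance inputs defined in this section: the Breach Cost Calculator's lower-bound, most-likely and upper-bound loss, a breach likelihood, and a policy's deductible, sub-limit and aggregate cover, to produce the expected annual loss with and without insurance plus the points of an LEC. The dollar figures, the 0.35 likelihood, the triangular severity distribution and the Poisson count of events per year are all assumptions made for the illustration; SAFE's actual distributions and loss data are not published on this page.

```python
"""Monte Carlo estimate of expected annual cyber loss and a loss exceedance curve,
with and without a cyber insurance policy (deductible, sub-limit, aggregate cover).

Added illustration; not SAFE's model. All inputs below are constructed.
"""
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class LossModel:
    breach_likelihood: float  # annual probability of at least one breach in this loss category
    low: float                # lower-bound loss per event
    likely: float             # most-likely loss per event
    high: float               # upper-bound loss per event


@dataclass
class Policy:
    cover: float       # aggregate policy limit for the year
    deductible: float  # retained by the insured on every event
    sublimit: float    # maximum paid per event for this loss category


def poisson_rate(p_any: float) -> float:
    """Event rate lambda such that P(at least one event in a year) = p_any under a Poisson count."""
    if not 0.0 <= p_any < 1.0:
        raise ValueError("breach likelihood must be in [0, 1)")
    return -math.log(1.0 - p_any)


def sample_event_count(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates of a single loss category."""
    limit, k, prod = math.exp(-rate), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def insured_loss(gross: float, policy: Optional[Policy], cover_left: float) -> Tuple[float, float]:
    """Split one event's gross loss into (retained by insured, paid by insurer).

    Payout = gross minus deductible, capped by the category sub-limit and by the
    aggregate cover still remaining this year; it is never negative.
    """
    if policy is None:
        return gross, 0.0
    payout = max(gross - policy.deductible, 0.0)
    payout = min(payout, policy.sublimit, cover_left)
    return gross - payout, payout


def simulate_annual_losses(model: LossModel, policy: Optional[Policy],
                           trials: int = 20_000, seed: int = 7) -> List[float]:
    """Return one retained annual loss per simulated year (assumed triangular severity)."""
    rng = random.Random(seed)
    rate = poisson_rate(model.breach_likelihood)
    years = []
    for _ in range(trials):
        cover_left = policy.cover if policy else 0.0
        retained_total = 0.0
        for _ in range(sample_event_count(rate, rng)):
            gross = rng.triangular(model.low, model.high, model.likely)
            retained, paid = insured_loss(gross, policy, cover_left)
            cover_left -= paid
            retained_total += retained
        years.append(retained_total)
    return years


def expected_loss(losses: Sequence[float]) -> float:
    """'Expected loss' is the mean of the simulated annual losses."""
    return sum(losses) / len(losses)


def loss_exceedance(losses: Sequence[float], thresholds: Sequence[float]) -> List[Tuple[float, float]]:
    """Points (threshold, P[annual loss >= threshold]) for plotting a Loss Exceedance Curve."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x >= t) / n) for t in thresholds]


if __name__ == "__main__":
    # Constructed inputs: breach likelihood and the calculator's low / likely / high loss bounds.
    model = LossModel(breach_likelihood=0.35, low=50_000, likely=400_000, high=5_000_000)
    policy = Policy(cover=2_000_000, deductible=50_000, sublimit=1_000_000)
    without = simulate_annual_losses(model, None)
    with_ins = simulate_annual_losses(model, policy)
    print(f"expected annual loss, uninsured: ${expected_loss(without):,.0f}")
    print(f"expected annual loss, insured:   ${expected_loss(with_ins):,.0f}")
    for t, p in loss_exceedance(without, [0, 100_000, 500_000, 1_000_000, 2_000_000]):
        print(f"P[annual loss >= ${t:>9,}] = {p:.3f}")
```

Because both runs use the same seed and therefore the same random draws, the insured run's retained loss never exceeds the uninsured run's in any simulated year, so the gap between the two expected-loss figures is exactly the average annual transfer to the insurer. The Poisson rate is chosen so that the probability of at least one event in a year equals the breach likelihood, and the per-event payout is zero when a loss falls below the deductible and is capped by both the category sub-limit and whatever aggregate cover remains.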

Using SAFE's mapping of coverage categories to different types of cyberattacks and the underlying cyber loss data, SAFE estimates the expected annual loss of an organization for First-Party losses and Third-Party liabilities, such as Cyber Extortion, Business Interruption, Financial Fraud, Data and Media Liability, Reputation Cost and Regulatory Expense.

By estimating the expected financial loss per category, the customer can identify the types of cyberattack they are most exposed to and make an informed decision about where to invest their resources and budget.

Customers with no cyber insurance can determine whether they need it for their organization. They can also decide on the type of policy and the level of coverage to buy in order to minimize their losses.

ATT&CK Kill Chain in SAFE


The SAFE control repository is mapped to MITRE ATT&CK kill chain procedures. For each variety of attack, a combination of SAFE controls has been identified, and the customer supplies inputs for those controls. From these inputs, SAFE estimates the likelihood of breach due to that particular cyberattack.


[Figure: Structure of the ATT&CK mapping to SAFE]

 The estimated likelihood of breach due to a type of cyber attack is linked to the different loss categories as described in the cyber insurance section. 

SAFE helps reduce the risk of different cyberattacks by recommending to customers which critical controls to remediate first.


[Figure: Example of how SAFE helps customers reduce risk with recommendations]

