Risk Management matters.
But why? First, because entire segments of our society simply wouldn't run without it. Our transportation systems only work because of sophisticated Risk Management - monitoring, traffic controls, and insurance - it all helps greatly to reduce risk. The US Federal Reserve manages and reduces the risks of all financial institutions. Hospitals review their data constantly to eliminate risk of procedural errors, infections and other issues. And airlines are examined, monitored, and required to report tons of data to manage risk. Every accident is scrutinized thoroughly to isolate the specific causal factors of any loss. But what about Risk Management for what many call "the biggest risk facing business today" - Cybersecurity Risk?
This is the risk that wipes out billions in enterprise value overnight. It often attacks without warning, leaving organizations (most of which had not assessed the risk) unable to do anything but react, assess the damage, and prepare for the inevitable lawsuits. It's the one risk that can be perpetrated by threats against whom you will have no recourse because conventional law enforcement cannot reach them. It's the risk that has produced direct monetary losses up to $1.4 bn for single companies - and global annual losses of $700 bn. And it's growing faster than the defenses against it. Might we want to manage this particular type of risk?
Establishing real Risk Management means starting with measuring risk. In the past, actuarial science was used across society to measure all manner of risks - fires, floods, accidents - even rare but catastrophic circumstances. So why has it been so hard to measure - and therefore manage - cyber risk?
The answer lies in the data. Until recently, the data needed to apply known mathematical models to cyber risk was simply not available. The field was too new, the data collection methods were not uniform, and there were a host of other limitations.
So, if you were going to determine your own cyber risks, what would you do? Where would you start?
For starters, collecting and aggregating a sufficient volume of data. This would of course have to include historical data, since actual observed losses are very informative as to all types of risk, not just cyber risk. So we need a lot of cyber risk data - especially loss data.
Then we would need data on the specific enterprise - financial indicators like revenue, asset value, and organization headcount. But we'd also need to know most, if not all, of the top indicators of cyber risk. How about the company's industry? Maybe their own specific controls and vulnerabilities? And also data that show how attractive a target they may be? Possibly validated against actual attacks? Lots of data needed here - probably from dozens of sources.
But now, we would have a pile of data - so don't we also need a way to organize that data? And then a way to analyze it and draw meaning from it? Ok - so we would need a powerful set of algorithms to really get meaning from this data. But not just any algorithms - not just something anyone could craft in a spreadsheet, for example. And not only that, would these algorithms and formulas need to be statistically valid? Mathematically correct? Would they need to be in alignment with accepted standards and frameworks? Would they need to abide by regulatory requirements? They might have to be reviewed by regulators, actuaries, economists, and auditors. It seems like a lot, and of course too many requirements to build all this in a short time, even with the brightest minds on a full-time team.
Clearly the data, the processes, the technology and the algorithms are all needed - if one intends to properly quantify risk, and then further to provide the functionality to manage those same risks toward the reduction path that all organizations are ultimately seeking. It's a lot.
Fast forward to 2021, and with the sum total of meaningful data now available, Arx Nimbus and its team of computer scientists, engineers, statisticians, actuaries, economists and accountants have spent years developing just these processes, methodologies and technologies. Working with the best customer minds in the DoD, Finance, Insurance and Computing, the Thrivaca(c) technology is now the recognized leader in quantitative and financial analysis of cyber risk. With a 72-hour SLA for initial implementation, Arx Nimbus' Thrivaca platform relies on scanned data and a portfolio of data sources, organized by insurance-grade algorithms, to provide the first financially-relevant digital risk management platform.
Establish your regulator-approved and audit-ready Digital Risk Management program today. Get compliance with current requirements, and bring your organization the vital insights needed to get safely past risk and gain competitive advantage.