Predictions abound regarding the future of cyber risk. Instead of asking ‘what’s next?’, this report has so far asked ‘what’s now?’: what organizations should do about the risks they face today. To answer this, we relied on practical insight and hard data to explore two questions: What are the most pertinent cyber risks today, and how prepared are organizations across industries and regions to manage these risks? Now, we present the opportunities. Armed with knowledge, organizations have the ability to methodically ask the right questions to address cyber risk as an enterprise risk—to conduct a thorough assessment of cyber maturity and close the gaps that exist today. Organizations also have an opportunity to become ready for tomorrow—to look to the future and the changing cyber risk landscape. New risks are emerging daily, and vigilance is essential.
Keeping the focus on today: making better decisions
The Cyber Quotient Evaluation (CyQu) data told us that organizations are performing under baseline when it comes to managing cyber risk. So, how do organizations become more prepared and protected?
Below is a blueprint to help organizations make better decisions by asking the right questions.
- What is the state of our security and controls, in particular as they apply to digital evolution, third-party risk, ransomware, and regulatory risk?
- What are the most important assets we need to protect?
- What are the most likely threats?
- How do we balance business needs with cyber risks?
- Do we know the type and materiality of our potential losses? For ransomware, do we know this beyond risk of data encryption?
- Do we understand key regulatory requirements and costs associated with non-compliance?
- How are we making security investment decisions?
- Can we measure the effectiveness of our current risk management and insurance, in terms of total cost of risk (TCOR)?
- Do we understand our exposures?
- Do we have an effective strategy to mitigate loss?
- Should we transfer a portion of our risk to the insurance market, or consider alternative risk transfer strategies?
Incident Response Readiness
- Do we have an appropriate, usable incident response plan? If yes, is the response team trained and ready to act?
- Do we have the right security and forensic tools, processes and procedures?
- Have we properly configured our cyber security technology?
- Can we quickly and effectively respond to an incident?