Companies need to quantify cybersecurity risk for at least three reasons:
- They need to buy insurance to cover cyber risk. That means that companies need to quantify the risk both to ensure they have adequate cover, and to ensure they aren't paying too much for it. (On the flip side, insurance companies need to make sound actuarial decisions.)
- Companies need to price potential acquisition targets.
- Some regulators may require companies to quantify their cybersecurity risk (for example, banking regulators in the US are considering this for certain financial institutions).
Roadblock: Nobody seems to have enough historical data on cyberattacks to do the math.
Meanwhile, governments are amassing data on cyberattacks. The US has a voluntary program for companies to submit information on cyberattacks; the UK has a similar system; the EU is setting up its own requirements; India requires cyberattacks to be reported; and so on across the world.
Ta-da! A potential workaround for the roadblock: Inga Beale, head of Lloyd's, wants governments to share the data they collect with the market so that companies (or insurers, at least) can finally develop the mathematics to quantify cybersecurity risk.
This strikes me as a great ambition. Of course, some concerns will need to be addressed first. Companies generally have been reluctant to share data on cyberattacks. What if the data reveals the company's vulnerabilities? What if it necessarily reveals some other sensitive information, or even customer data? Even if an attempt is made to anonymize the data, some risk remains. And that's precisely why governments collecting data typically have promised to keep it secret. This is not to say that the proposal to share this data is unworkable, but it will require some careful safeguards.