Though they aren’t yet saying which sectors will get scrutiny first, several stand out as especially exposed to risk from a cybersecurity crisis: the defense-industrial base, the financial sector, health care and critical infrastructure operators like energy, water, waste management and first responders are all considered high-risk categories.
Risks related to cyberattacks today aren’t as linear as simple costs associated with cleaning up a breach, paying for credit monitoring or replacing fried computers. Companies that don’t fall into these categories — for instance, Equifax — can see their core businesses heavily damaged, which is why the Cyber Risk Group also will focus assessments on reputational hazards.
“We’re looking into different types of scenarios, to get into the details of what might affect certain companies,” he said.
“If you look at the history of data breach and data disclosure issues, they’re not quite as impactful as the business disruption events,” Vadala said. “There are very specific scenarios that could apply to different companies in different sectors. An organization, for instance, that is involved in manufacturing has a much higher exposure to ransomware than another sector.”
Quantifying cyber risk is a crowded marketplace, but it lacks a clear leader.
One of the better-known players is Fair Isaac, which launched its Cyber Risk Score in 2017. They have marketed the product, which resembles the familiar consumer credit rating scale, toward businesses facing regulatory oversight for cybersecurity that want a quick way to rate the security risk of their third-party providers.
Standard & Poor’s and Fitch have also released guidance on how companies can view cyber risk. Most of the biggest insurance companies (with the notable exception of those managed by Warren Buffett) have cyber policies, alongside a variety of risk assessment and risk management services.
The demand for quantifying risk will increase as attacks move from fairly benign to those that could break down a business entirely, Vadala said.
“When you think back to the early days of this cyber era, dating back to the Target and Home Depot breaches, this is where [cyber risk] became much more top-of-mind for pros outside the cybersecurity industry. But these weren’t business-ending incidents,” he said.
“When you flash forward a few years, to the ransomware events that occurred, the financial impact of that is much more significant. It’s still not business-ending at that point, but certainly as that financial impact continues to rise, the probability of one of these events creating a deep financial impact also rises.”