The Financial Impact of Cyber Risk

Jan. 27, 2009
The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask is a newly released action guide from the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) that takes the topic of convergence to a whole new level.

“We are experiencing a financial meltdown due to a fundamental misunderstanding and mismanagement of modern financial systems, which is generating a crisis of confidence in our core institutions,” says Larry Clinton, president of the ISA. “Today, all our critical infrastructures are reliant on cyber systems that are also misunderstood and mismanaged. These vulnerabilities place both our financial and physical security in jeopardy unless we update the method we use to control our cyber systems.”

Developed by a cross-sector task force representing more than 30 private and public sector organizations, the guide is the first known publication to approach the financial impact of cyber risks from the perspective of core business functions. It is available as a free download from the ANSI web store at this link: http://webstore.ansi.org/cybersecurity.aspx.
The document provides guidance to CFOs and their colleagues responsible for legal issues, business operations and technology, privacy and compliance, risk assessment and insurance, and corporate communications. It is organized in a question-based format, which makes it applicable to virtually any industry and any set of business circumstances.

The 40-page guide presents key questions for the following risk stakeholders:

• Chief Legal Counsel;
• Chief Compliance Officer or Chief Privacy Officer;
• Business Operations and Technology Teams (often addressed to the Chief Technology Officer (CTO), Chief Security Officer (CSO), Chief Information Security Officer (CISO) and the Disaster Planning/Business Continuity Planning (DR/BCP) groups);
• External Communications and Crisis Management Teams; and
• Risk Manager for Corporate Insurance.

Each question is accompanied by supporting information and guidance.

Appendix material provides a model for a simple method to look at current and expected probabilities of financial risk based on various levels of risk mitigation, and two additional models (frequency and severity) for looking at risk due to certain events. Also included is a list of applicable standards, frameworks and guidance documents.
If your security responsibilities do not entail dealing with risk management at this level of your organization, this document will provide an introduction to the types of cyber security risk issues that senior management is (or should be) dealing with.

New Question:
Q: Do you relate your facility-level security programs to board-level risk and concerns of senior risk managers? If so, what is your process or approach to interacting?

If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to me at [email protected] or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We don’t need to reveal your name or company name in the column. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.