Cyber Risk Quantification (CRQ) for Boards
Boards have a fiduciary duty to protect the business's assets. Today, over 85% of a business is a digital asset. RiskQ is the only company that uses a digital asset approach to quantify cyber risk. Following a cyber breach, boards are liable for Director and Officer (D&O) derivative actions from shareholders.
Cyber risk is an issue that all organizations must take seriously. As cybersecurity evolves, government and industry are becoming more involved in defining the role of the board.
New Regulations Proposed
On February 25, 2022, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, released a two-page notification to directors explaining how corporate directors must prepare for cyber risks during the Ukraine crisis. It was an unusual step for a government agency to reach out to corporate board members directly, which highlights the seriousness of the risk.
Additionally, the SEC issued a 129-page cyber regulation proposal days later, on March 9, 2022. Its new requirements would affect corporate directors and registrants, potentially on the scale of the Sarbanes-Oxley Act, which was introduced almost 20 years ago and imposed huge costs and unforeseen challenges on corporations.
The Securities and Exchange Commission (“Commission”) is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, it is proposing amendments to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise.
The new regulations pose specific questions to the board:
● Is there a cyber expert?
● What credentials do they have?
● How was their expertise determined?
The problem is that there is a serious shortage of cybersecurity experts, making compliance an enormous challenge for corporate boards.
Other questions being posed include:
● How do boards oversee cyber risks?
● Are cyber risks considered in business strategy and financial planning?
Meeting these requirements will be a challenge. RiskQ provides an automated solution to address these issues without hiring a “cyber expert”. Data is provided to boards in business language that allows them to understand cyber risks and incorporate them into their business and financial planning.
How CRQ Is Used by Boards and Executives
At RiskQ, we quantify cyber risks and provide three levels of evaluation for cyber risks: Inherent, Mitigating, and Residual. There are several key use cases to consider, and these are the most important:
- Ransomware strategy – We carry out a detailed analysis of whether it is best to pay or best to restore, depending on your organization’s risk profile.
- Cyber control gap analysis – We identify weak controls and prioritize the strengthening of controls based on their financial exposures across your infrastructure.
- Vulnerability remediation priorities – We analyze your vulnerability management program and its prioritization based on the financial exposure.
- Cyber tool ROI – We analyze the ROI of your cyber security tools and how they relate to your risk reduction.
- Cyber tool roadmaps – We look at the valuation of your existing tools related to risk reduction and recommend a cyber tool roadmap.
- Regulatory compliance – We carry out a scoping exercise of your compliance requirements regarding cyber security regulations, and our automated program ensures you can comply with them.
- Redundant tools – We provide a report showing where you are overspending on redundant tools.
- Malware exposure reduction – We reduce your financial exposure to malware.
- Cyber insurance – We will carry out a limits adequacy study based on how insurance claims are paid in relation to privacy, business interruption, healthcare, and ransomware.
- M&A – We will analyze the financial exposure of assets related to mergers and acquisitions based on our risk models and provide due diligence of the target asset’s controls.