The problem of quantifying cyber risk

Identifying and assessing cyber risk is no easy feat. Insurance companies have been writing cyber insurance policies for more than ten years, but according to BitSight Technologies, people who are not security experts struggle to estimate the likelihood of a major cyber event, or to judge how prepared an organization is to face such a threat. Standard assessments often fail to measure how effectively an organization has implemented the right security measures, which leaves room for the real cost of a data breach to be misrepresented.

The rising costs of a breach

The costs of a major cyber event have been covered widely in the press. For large companies like Target, the results have been disastrous. The 2014 Ponemon Global Cost of Data Breaches report indicates that cyber attacks cost companies, on average, between USD 3.5 million and USD 5.5 million over the year the report covers. These costs can be broken down into detection costs, notification costs, post-breach costs, and lost business costs.

Detection costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications. Notification costs arise from the IT activities associated with creating contact databases, assessing regulatory requirements, engaging experts, and sending out communications. Post-breach costs include special investigative activities, remediation, legal expenditure, product discounts, identity protection services, and regulatory interventions.

International mandatory notification regulations coming soon

Mandatory data breach notification regulations are one of the key drivers for cyber insurance, because the cost of notifying affected users can be extremely high. According to the Ponemon study, these costs are highest in the United States, where 46 of the 50 states have mandatory data breach notification requirements.

In the UK and the rest of the EU, the impending General Data Protection Regulation includes mandatory notification of data breaches, which will take effect once the regulation has been adopted.

The changing threat environment

Information security experts agree that an organisation's security posture can change overnight because the threat landscape is constantly changing. Cyber insurance can protect an organisation to a certain extent, but the smarter solution is to make the investments in technology, staffing and resources that are necessary to properly protect the business.

The most effective way of helping companies improve their defenses against constantly evolving cyber risks is to implement an effective information security strategy supported by an information security management system (ISMS) that can evolve along with the threat environment. ISO 27001 is a standard designed to do just that. Heavily focused on the continual improvement of information security, the Standard aims to help organizations continually evolve and grow, so that the company's information remains protected as the business changes and as new security threats emerge. Note that certification attests to the management system, the cycle of risk assessment, control selection, monitoring and review, rather than to the strength of any individual control, so the controls themselves still need to be tested.

IT Governance's ISO 27001 'Get a Lot of Help' package is a fixed-price consultancy service available anywhere in the world to help companies get started with ISO 27001 at a much lower cost than bringing in on-site consultants. Combining live, online expert guidance with key implementation tools, this package significantly reduces the time and effort required to implement a robust information security management system.

Contact IT Governance today for further information on how to get started or to discuss flexible payment options, on 1-877-317-3454 or email

One Response

  1. fustbariclation December 5, 2014