Quantifying Risk for Cyber Investment

Michel Feijen, Managing Director, APAC, MetricStream

More than half (57%) of corporate executives polled in Asia Pacific are unsure whether their defences can withstand the new approaches cyber threat actors have adopted in response to business digitalization, which has drastically escalated cyber risk.

Additionally, the cost of ransomware incidents is anticipated to reach up to US$265 billion annually by 2031, emphasizing that cyber resilience must go beyond deploying new cyber defence systems to a more proactive strategy of anticipating and managing risk.

This has created the need to measure cyber risk. Enterprise executives must understand the online hazards that could harm their company.

CIO World Asia spoke with Michel Feijen, Managing Director, APAC, MetricStream.

The state of IT and cyber risk management adoption for companies in Asia Pacific

“Risk management adoption in Asia has been growing steadily, especially with the pandemic spurring rapid digital transformation,” said Michel Feijen, Managing Director, APAC, MetricStream.

In terms of the adoption of IT and cyber risk management in Asia, the banking industry has so far taken the lead. Consumer engagement with financial services providers has undergone a permanent transition, according to the EY Future Consumer Index.

To satisfy their customers’ expectations and increase engagement across all of their digital channels, institutions have been compelled to pivot and adopt new technology. Many consumers now prefer digital channels for their financial needs.

For organizations to combat threats to their security, privacy, and safety, it is essential that they take comprehensive risk management techniques into account.

In this contemporary period of extreme uncertainty, the more encouraging strategy of thriving on risk will add greater value to the organization. Employing the proper digital technologies allows organizations to manage governance and compliance tasks while quantifying and highlighting any dangers to the organization’s security and agility.

The roles of security leaders and cyber risk quantification

Cyber risk quantification simplifies the process by expressing risk in monetary terms. Until recently, CISOs and CROs assessed cyber risk with heatmaps, using colours such as red, yellow, and green to denote the levels of a risk matrix. A heatmap does not illustrate the risk well, and it also hinders strategic decision making.

By giving cyber risks a monetary value, executive management is better able to prioritize risks and foster closer alignment between business goals and cyber investments, which in turn empowers leaders to make wise risk-aware decisions.

To accomplish this, security and risk professionals must have a quantifiable understanding of the company’s cybersecurity standing, be able to demonstrate how much money has been spent and what resources have been made available to address specific threats, and understand the financial impact of the company falling victim to a ransomware attack.
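The following added example (illustration code, not MetricStream's or the author's) shows the difference the section describes: three scenarios that a heatmap would simply label red, yellow and green are instead quantified as annualized loss expectancy (event frequency multiplied by expected loss per event) and then run through a small Monte Carlo simulation to estimate a 95th-percentile annual loss. The scenarios, their frequencies and their loss ranges are constructed assumptions chosen to show the method, not data from the page.

```python
"""Cyber risk quantification example: turning scenarios into annual monetary loss.

Added illustration, not vendor code. Every figure below is a constructed
assumption used to demonstrate the method.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskScenario:
    name: str
    heatmap: str            # colour a qualitative heatmap would assign (assumed)
    events_per_year: float  # assumed average frequency of a loss event
    loss_min: float         # assumed per-event loss range, in dollars
    loss_mode: float
    loss_max: float

    def expected_loss_per_event(self) -> float:
        # Mean of a triangular distribution over (min, mode, max)
        return (self.loss_min + self.loss_mode + self.loss_max) / 3.0

    def annualized_loss_expectancy(self) -> float:
        # ALE = expected event frequency x expected loss per event
        return self.events_per_year * self.expected_loss_per_event()


# Constructed register: a heatmap would rank these red > yellow > green
SCENARIOS = [
    RiskScenario("Ransomware on file servers", "red", 0.1, 500_000, 2_000_000, 8_000_000),
    RiskScenario("Phishing-driven account takeover", "yellow", 4.0, 5_000, 20_000, 150_000),
    RiskScenario("Critical vendor outage", "green", 2.0, 10_000, 50_000, 300_000),
]


def prioritize_by_ale(scenarios):
    """Return (name, ALE) pairs ordered by monetary exposure, highest first."""
    pairs = [(s.name, round(s.annualized_loss_expectancy(), 2)) for s in scenarios]
    return sorted(pairs, key=lambda pair: pair[1], reverse=True)


def _poisson(rate: float, rng: random.Random) -> int:
    # Knuth's method: number of events in one year for a given average rate
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario, years=10_000, seed=7):
    """Monte Carlo: total loss in each simulated year for one scenario."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(years):
        n_events = _poisson(scenario.events_per_year, rng)
        # random.triangular takes (low, high, mode)
        yearly.append(sum(rng.triangular(scenario.loss_min, scenario.loss_max, scenario.loss_mode)
                          for _ in range(n_events)))
    return yearly


def loss_at_percentile(losses, pct=95):
    """Loss level that is exceeded in (100 - pct)% of simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(len(ordered) * pct / 100))
    return ordered[idx]


def portfolio_summary(scenarios, years=10_000):
    """Combine all scenarios into one distribution of total annual loss."""
    totals = [0.0] * years
    for i, scenario in enumerate(scenarios):
        for year, loss in enumerate(simulate_annual_losses(scenario, years, seed=100 + i)):
            totals[year] += loss
    return {
        "expected_annual_loss": mean(totals),
        "p95_annual_loss": loss_at_percentile(totals, 95),
    }


if __name__ == "__main__":
    for name, ale in prioritize_by_ale(SCENARIOS):
        print(f"{name:<36} ALE = ${ale:>12,.0f}")
    summary = portfolio_summary(SCENARIOS)
    print(f"Expected annual loss: ${summary['expected_annual_loss']:,.0f}")
    print(f"95th percentile annual loss: ${summary['p95_annual_loss']:,.0f}")
```

With these assumed figures the "green" vendor-outage scenario ranks above the "yellow" phishing scenario once losses are expressed in dollars, which is exactly the kind of re-ordering a colour-coded matrix hides. The 95th-percentile figure gives executives a defensible number to weigh against the cost of a control, rather than a colour.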

For organizations to succeed and provide value, risk optimization matters more than risk mitigation alone. Deloitte reports that businesses understand and take seriously their fiduciary obligations to their clients. However, it has been difficult to identify cyber hazards effectively and allocate resources to mitigate them.

“Organisations need a thorough assessment of the enterprise risk landscape, as it allows them to be in a better position to capture and assess emerging and evolving risks,” said Michel Feijen, Managing Director, APAC, MetricStream.

Preparing employees to manage cyber risk

“Leaders must instil a strong risk-aware culture within their organisations,” said Michel Feijen, Managing Director, APAC, MetricStream.

In the hybrid workplace, practically every employee now functions as a frontline worker through their daily interactions, making them an invaluable source of risk intelligence for their organizations. Unless a risk culture is thoroughly ingrained, they may not realize that they hold crucial information as they go about their regular tasks. The front line’s share of risk responsibility therefore becomes crucial to an integrated and flexible approach to risk management.

To enable employees to recognize and report a possible malicious attack, they need continually updated training and reporting mechanisms. For front-line personnel to develop positive habits and proactive behaviour, the appropriate tools and technology are critical. Enhancing a company’s risk culture is an ongoing, ever-evolving process.

The emerging trends for risk management in Asia Pacific

Numerous difficulties that have emerged since the pandemic will shape new trends in Asia. Cybercrime grows more sophisticated every year, and ransomware incidents are predicted to cost exponentially more money. Additionally, businesses now have to manage third-party risk.

Over half of companies (51%) had experienced one or more third-party risk events since COVID-19 was formally declared a worldwide pandemic, according to Deloitte’s 2021 Third-party Risk Management (TPRM) Survey, which covered more than 30 countries. Organizations must analyse their risk environment in more detail to identify and evaluate emerging and changing risks, particularly those stemming from third parties such as partners and vendors that may seem unimportant.

In addition to the risk of cyber-security breaches, organizations’ top priorities in 2022 will be the fusion of ESG and GRC. Sustainability disclosures are becoming important for the financial sector in Asia and beyond.

The role of CIOs and CISOs evolving in 2022 and beyond

Risk and security experts find it challenging to stay on top of developments such as the introduction of ESG metrics and the requirement for operational resilience, alongside rapidly expanding cybercrime, serious vulnerabilities, and threats.

Risk and security specialists often come from finance, such as banking, where quantitative risks like market and credit risk rank highly in most organizations. That scope is now expanding to encompass qualitative risks related to workers, third parties, geopolitics, supply chains, and cyberattacks.

In addition to the ongoing threat of cyber-security breaches, businesses now place a high importance on the convergence of ESG and GRC, with sustainability disclosures becoming a requirement for the financial industry in Asia and globally.

Compliance management will become increasingly difficult as organizations cope with a growing body of legislation and its amendments. Heavy fines and penalties may be levied for failing to ensure compliance. By utilizing advanced data analytics and technologies such as artificial intelligence (AI), organizations can automate and streamline their compliance management process while increasing their agility, operational efficiency, and resilience.

Many of the problems that have emerged since the pandemic will influence new trends in Asia as we move forward. Businesses today must deal with managing risks from third parties, such as partners, suppliers, contractors, and the like.

The relationship between chief risk officers and CIOs has been strengthened by the realization that databases, and the knowledge they hold from both internal and external systems, have become the source for risk analysis. It is now essential for CIOs and CISOs to move beyond merely analysing and reporting data to actively using it for risk-driven decision making in their organizations.