You can use X-Analytics to effectively communicate your cyber resilience strategy with corporate directors (the Board).
You will learn:
Before learning how to communicate with the corporate directors, it is important to understand duties (or responsibility) of the Board, and it is important to understand what the Board wants to hear from you.
This support page will describe how to effectively communicate your cyber resilience strategy with your corporate directors.
What are the responsibilities of the corporate directors?
To avoid a common communication mistake with the board, it is important to understand the board's responsibilities. The board weighs in on strategic planning, mergers and acquisitions, share repurchase programs, declaring dividends, nominating future board members, CEO oversight, and other governance functions.
Board requirements are set in the company's bylaws, which may include state and federal legislation, and stock enchange standards. For publicly traded companies, this would include the new SEC rules on Cybersecurity Risk Management, Strategy, Governance, Incident Disclosure by Public Companies.
The Board is not responsible for day-to-day operations or directly responsible for the company's success. Both of those responsibilities fall directly to the CEO (Chief Executive Officer). This is important to understand because you do not want to inundate the Board with cumbersome technical details, scary stories, uncertainty, or doubt.
However, the Board is concerned about protecting shareholders, paying out dividends, protecting the company's reputation, ensuring legal and regulatory requirements are being met, and measuring the success of the CEO.
What do the corporate directors want to know about their cyber risk condition?
In short, they want to know that their cyber risk condition will not:
erode shareholder value
reduce dividend payouts
violate legal or regulatory requirements
damage company reputation
To help with the above, it is important to express the company's cyber risk condition in way that could easily be understood by the corporate directors. For example:
Express the cyber risk condition in a context that allows the Board to compare with other operational risk (included within the corporate risk register).
Provide trending to indicate if the cyber risk condition is getting better or worse based on an expected target state.
Supply risk remediation options in case the cyber risk condition is undesirable.
Explain the company's ability to offset damages, post cyber incident, through the power of risk transfer.
To effectively communicate X-Analytics with your corporate directors, please follow the steps below:
Step 1. Expressing the Cyber Risk Condition
To express your cyber risk condition with the corporate directors, you need to start by going to the X-Analytics Report Center.
Focus 1: Exposure Ratio
The exposure ratio is the company's estimated annual cyber exposure divided by the company's annual revenue. This value considers all possible losses multiplied by the probability of such losses.
This value allows the Board to compare the company's cyber risk condition with other operational metrics (especially when those metrics are also normalized as a % of annual revenue) to determine if the cyber risk condition warrants special attention.
Focus 2: Cyber Exposure
The cyber exposure is the company's estimated aggregation of all possible losses multiplied by the probability of those losses. The value is further divided into key loss categories, which can be directly related to legal and regulatory requirements, risk mitigation decisions, and risk transfer decisions.
This value allows the Board to understand the estimated financial exposure due to cyber incidents, with a further understanding of how that value maps back to key loss categories. If the value is undesirable, then the Board may ask about risk mitigation or risk transfer options.
Focus 3: Cyber Exposure Trending
The cyber exposure trend represents the company's cyber exposure and the company's exposure ratio over a period of time. The trend shows monthly values in conjunction with a current value.
The trend allows the Board to understand if the company's cyber risk condition is getting better or worse, and how the current condition aligns to a target state. If the Board is concerned about the direction of the cyber risk condition, then they can ask the CEO about day-to-day operations and risk strategy in order to protect shareholder value, dividend payouts, company's reputation, and other.
Step 2. Expressing the Risk Remediation Options
If the Board is concerned about the company's cyber risk condition, then provide risk mitigation options. This can be done by showing the Top 5 Control Areas to Reduce Financial Exposure.
This table illustrates the top 5 controls domains that offer the best exposure improvement if those control domains where fully implemented. It might help if you express the combined benefit of the top 5 controls.
The table allows the Board to understand available risk mitigation options, and how those options could be leveraged to reset future target expectations. The Board could rely on future trending to see if those expectations are being met.
For those of you using NIST CSF to express your cyber maturity with the Board...
...You may want to use details from the NIST CSF dashboard to express risk mitigation options. The Cyber Control Implementation with Associated Potential Exposure Improvement table provides a means to express which NIST CSF categories offer the most improvement if fully implemented.
This table illustrates the current implementation of each NIST CSF categories and the potential exposure benefit if those categories were fully implemented. It might help if you express the combined benefit of NIST CSF functions or NIST CSF Tier achievements.
The table allows the Board to understand available risk mitigation options (via the NIST CSF framework), and how those options could be leveraged to reset future target expectations. The Board could rely on future trending to see if those expectations are being met.
Step 3. Expressing the Risk Transfer Options
If the Board is concerned about the company's cyber risk condition, then provide risk transfer options. Go to the Risk Transfer Analyzer.
Within the Risk Transfer Analyzer, go to Estimated Impact of Transfer on Cyber Exposure. This table illustrates the benefit of risk transfer (cyber insurance policy) on the company's cyber exposure. From a quick observation, you can easily determine if there are gaps in insurance coverage or if there is limited cyber insurance benefit.
This table shows cyber insurance benefit per loss categories, with a further division of interruption and misappropriation to cover finer details.
The Board can use this table to understand risk transfer and to reset future expectations for risk transfer.
Post Incident: Estimated Risk Transfer Benefit
Proactive or reactive understanding of risk transfer benefit per cyber incident is available within X-Analytics. This can be accomplished by going to the Risk Transfer Financial Simulator.
Within the Risk Transfer Financial Simulator, select the loss category and size of incident.
This table illustrates the insurable impact in relation to total impact for a specific cyber incident.
The Board can use this table to understand risk transfer benefit per incident (reactively or proactively) to determine how the incident will alter shareholder value or company reputation. Additionally, the Board could use this information with the CEO to discuss self-insurance, cash on hand, and other liabilities.
Black Swan Incident: Understanding a Worst-Case Condition
Proactive or reactive understanding of worst-case conditions is available within X-Analytics. This can be accomplished by going to the Risk Transfer Financial Simulator, selecting a loss category, selecting the largest incident, and then selecting "worst-case" within the Loss Selector.
The board can use this table to determine insurance benefit in relation to total impact per worst-case cyber incident.
To avoid common communication mistakes when communicating the Board, use the X-Analytics guide "Effective Communication with Corporate Directors". This guide helps you focus on what matters most to the corporate directors without overwhelming the them with unnecessary or irrelevant details. Notice how quickly your message resonates and how fast you get the support you need.
If this support page did not provide the answer you need, please return back to X-Analytics Support.