FREQUENTLY ASKED QUESTIONS

Answers to our most frequently asked questions on cybersecurity.

01

Axio Cyber Risk Quantification

  • Cyber Risk Quantification is a service Axio provides that helps you understand the types and scale of impacts that could arise from various significant but plausible cyber events that could affect your business. The impacts are quantified in terms of estimated potential cost, that is, the total potential loss your business could be exposed to in an event.

  • Axio leads a structured discussion in a workshop with cybersecurity and other subject matter experts to brainstorm plausible high-impact cyber loss scenarios. Scenario identification is structured to cover the spectrum of potential cyber event types and the range of your business assets and operations. Participants then develop impact estimates for a selected subset of the scenarios. Workshop outcome includes a gross impact estimate for each of the four quadrants for each of the prioritized loss scenarios.

    Brainstorm Scenarios
    Prioritize Scenarios
    Quantify Impact
  • An event that could plausibly occur based on the use of technology within the firm or the failure of the firm’s cybersecurity defenses. Effectively, something that goes wrong based on that criteria, and that causes losses to the firm and/or its clients, business partners, or other third parties.

  • Impact types are based on Axio’s four-quadrant impact model:

    First-Party Financial

    Expenses or financial damages suffered by the firm (such as response costs, lost income from outages, and cost of restoring data)

    Third-Party Financial

    Expenses or financial damages suffered by clients, business partners or other third parties (such as settlements, penalties, and shareholder losses)

    First-Party Tangible

    Tangible damages suffered by the firm (such as mechanical breakdown, property damage, and bodily injury to employees)

    Third-Party Tangible

    Tangible damages suffered by clients, business partners or other third parties (such as damage to others’ property, bodily injury to others, and product liability)

  • A scenario-based approach that is largely informed by internal insight is an effective way to paint a reasonable and comprehensive picture of a firm’s cyber exposure. External data is sometimes used in the process, but the vast majority of “known” cyber loss data relates to breaches of personally identifiable information. Also, a comprehensive analysis of cyber exposure needs to reflect the reality that cyber can impact many facets of a firm’s operations and assets.

  • The number of scenarios scales based on the size of the organization. Axio typically finds that in order to create a reasonable and representative analysis, midsized organizations should study 3 to 6 scenarios and large organizations should generate 5 to 10 scenarios. More important than quantity is diversity, and potential impact—the scenarios should be designed to exceed the firm’s internal risk tolerance.

  • Firms should use Axio’s impact taxonomy in the scenario development process to help ensure that scenario diversity is achieved. These are some simple scenarios that are commonly used:

    • Breach of personally identifiable information (customer and employee information)
    • Network business interruption event (non-physical damages business interruption)
    • BIOS-level attack on the firm’s technology infrastructure
    • Attack on, or failure of, the firm’s industrial control/SCADA systems and resulting tangible damage
    • Product liability (for example, failure of a programmable logic controller or manipulation with wireless connectivity)
    • Fraudulent authorization of a wire transfer
    • Product recall
    • Theft of key intellectual property and/or trade secrets
  • The scenario development part of the exercise needs to involve those individuals who understand the extent of technology use in the firm, and therefore, the types of technology failures or cyber events that could occur. The quantification part of the exercise involves a wider set of individuals, each of whom are intended to bring meaningful insight from their domain of expertise. A typical list of participants is as follows:

    • Cybersecurity: Understand the use of information and operational technology deployed in the firm. Help generate cyber loss scenarios, validate the possibility for a scenario to occur, and help inform anticipated IT-related costs and expenses for the scenarios.
    • Operations/Business: Understand the potential impact on the firm, business partners, and customers if scenarios occur. Also, should understand the use of technology in the business and therefore can help with scenario development. For example, could the firm suffer business interruption losses, or could defective products cause tangible harm to end users?
    • Legal: Help project legal costs and projected liabilities if scenarios occur.
    • Finance/Treasury: Understand asset values. For example, what is the value and/or replacement cost of firm equipment if such equipment is rendered inoperable?
    • Risk Management/ERM/Audit: Can provide insight from other company and industry losses and risk simulations that could relate to the cyber scenarios.
  • Axio has consistently found that key stakeholders from within the firm can use their institutional knowledge to effectively estimate the impact of a cyber events. In many instances, the exercise simply confirms that the type of losses that have been caused by traditional perils (such as fire, equipment breakdown, theft, etc.) can also be caused by cyber means. In those instances, the data from historical losses serves as a proxy for the cyber loss event.

  • Cyber Risk Quantification is accomplished in a one-day workshop, which can be scheduled as one full day or in several meetings. Timing can vary by organization and whether the exercise needs to include various distinct operating units. For a midsized organization, the scenario generation process typically takes two to three hours and the scenario quantification process typically takes one hour per scenario.

02

Insurance Stress Testing

  • To quantify the organization’s ability to recover financially from a complex and costly cyber event, we must understand how the insurance portfolio will respond. Insurance is an increasingly important control for security leaders to consider. Security leaders should be involved in aligning the organization’s insurance portfolio with respect to cyber risk. The Insurance Stress Testing looks at the potential for the insurance portfolio to reduce the gross impact of a cyber event.

  • First, Axio analyzes relevant policies in the portfolio to discover how they are worded with respect to a cyber peril. The logic in the diagram below is used to evaluate the coverages, whether there is explicit cyber coverage, whether cyber is explicitly excluded, or whether the policy is silent regarding cyber.

    Next, Axio uses the quantified loss scenarios from the Cyber Risk Quantification process to determine the potential for the insurance portfolio to reduce the impacts quantified in the scenarios. Insurance recoveries are estimated for each of the impacts from each scenario. This provides the necessary data to determine how each of the quantified scenarios could impact the organization’s balance sheet, as summarized by quadrant in the example below.

  • Insurance coverages are mapped to the Axio four-quadrant impact model. The quadrants are used to graphically summarize the analysis results, as shown in the example below (although with policy information added). Comments about cyber coverages and exclusions are provided for each policy analyzed. For each scenario, specific impacts are shown by quadrant, along with any available and applicable insurance coverage, as shown in the example below. Recommendations are given for improvements or additions to policies and controls. The results are briefed virtually or onsite.

03

Axio Cyber Program Optimization

  • Axio facilitates on-site workshops that evaluate the maturity of cybersecurity programs based on either the Cybersecurity Capability Maturity Model (C2M2) or the NIST Cybersecurity Framework (NIST-CSF). Using a reference maturity model for cyber program evaluation provides a common language, consistent scoring, a roadmap for investment and improvement, and the potential for peer and internal benchmarking. These models are widely adopted and cover both traditional IT security and the security of operational technology (OT or industrial control systems). Most organizations have at least some OT systems for building or power controls.

  • The evaluations are conducted using the Axio360 platform, a web-based evaluation and planning system. An Axio facilitator leads participants in evaluating their cybersecurity practices against each model practice, and participants decide on an implementation level. The facilitator assists workshop participants in the interpretation of model content as needed.

    If desired, participants can produce both a current profile (where the organization is today) and a draft target profile (where the organization aspires to be within some pre-agreed planning horizon).

    A detailed results report is produced upon completion of the workshop, and the Axio facilitator helps the organization understand and interpret the results.

  • The evaluation is accomplished in a one-day workshop, which can be scheduled as one full day or over the course of several meetings.

  • Participants from the organization’s cybersecurity program are needed, both cybersecurity leaders and personnel directly responsible for the performance of the model practices. Participating can vary depending on the scope of the evaluation; if multiple units of the business are included in the scope, multiple cybersecurity teams might have to participate.

  • Using an open-discussion format, workshop participants are asked to come to consensus on the organization’s level of implementation of each model practice based on a four-point answer scale:

    • Fully Implemented (FI) – Complete
    • Largely Implemented (LI) – Complete, but with a recognized opportunity for improvement
    • Partially Implemented (PI) – Incomplete, with multiple opportunities for improvement
    • Not Implemented (NI) – Absent; the practice is not performed in the organization
  • Following the completion of the evaluation, Axio360 generates the workshop results and presents them as a graphical summary of practice implementation levels, overall score, and other metrics. Axio360 also generates a detailed report that presents summary scores in various graphical formats, scores for each practice, and any notes or assessment evidence entered during the workshop.

04

Cyber Resilience Platform

  • Currently, the Axio360 platform provides an easy-to-use, efficient, repeatable way for an organization to conduct one or more NIST CSF or C2M2 evaluations, set improvement targets, track progress relative to historical posture, and report on improvement progress.

    The intended evolution of the platform includes:

    • Cyber Risk Quantification: Helps an organization construct and maintain a catalog of firm specific cyber loss scenarios and scenario-specific impact estimates
    • Insurance Stress Testing: Integrates the organization’s insurance portfolio and cyber coverages and integrates with the Quantification results to show a real-time estimate of anticipated insurance recovery in an event
    • Benchmarking: Comparison to peers for all three components
  • Axio360 gives you full visibility into your overall cyber risk posture—where you are today, where you need to go, and how to improve over time—so you can prioritize actions and investments based on the impact to your business. Axio360 enables you to

    • Achieve and sustain full visibility into your overall cyber program maturity through model-driven, on-demand assessments.
    • Establish baselines for program performance to identify, analyze, and prioritize gaps and ensure cyber readiness.
    • Develop a clear action plan and roadmap to improve, while staying aligned with the evolving risk climate.
    • Prioritize actions and investments based on the impact to your business.

    Monitor and report on your cyber program maturity as it changes over time.

05

Axio Key Benefits

  • Axio’s cyber resilience platform and services provide all stakeholders with a common framework to proactively manage cyber risk in terms that the entire organization can understand. CISOs can continuously monitor the company’s cyber posture and confidently invest in the right capabilities to reduce risk. Risk officers can optimize their insurance portfolio and structure the right coverage to protect their business. Board members and executive leadership can now be confident that their cyber strategy will achieve and sustain resilience.

    Employing Axio’s cyber risk management services and cyber resilience platform will yield the following primary benefits:

    • Understanding of how a meaningful cyber event could impact your operations, finances, and assets.
    • Awareness of current cybersecurity program maturity and potential improvements.
    • Improved ability to manage cyber risk and protect the returns on key assets.
    • Actionable insight to help optimize cyber risk investment. As shown in the diagram, for some loss scenarios, the best investment will be in cybersecurity capabilities; for others, it will be in fine-tuning the risk transfer capacity (i.e., insurance). Optimizing the mix of controls will provide the best route to achieving your desired position on the risk curve, or best protecting your balance sheet and reputation.

Axio

Company

Support

Copyright 2018 Axio Global, Inc.

Axio360 NIST CSF

The time has come for you to take control of your cyber risk.