Four years ago, during my time as Senior Cyber Subject Matter Expert at Munich Re, I was asked to help lead an effort to evaluate the marketplace for Cyber Risk Quantification providers. In retrospect, the timing of the effort was notable because CRQ was still a niche capability, but Munich Re very much understood the importance of the discipline and how critically important it would become to understanding and managing cyber risk.
Over a months-long period, we canvassed the marketplace, talked to the various emerging solution providers, understood as much as we could about the various methodologies, how actionable the insights could be, and most importantly, the ease of defending the outputs. That last criterion was critically important because whether in a cyber insurance underwriting context or for enterprise Board of Director visibility, results that cannot be easily defended and explained will quickly fall down.
Of all the capabilities that we evaluated, one stood out: Axio. Axio quickly caught my attention because it was different: its values were transparent, the insights it produced were powerfully actionable, time to value was a fraction of the others, and most importantly, all of that combined to satisfy the defensibility criterion that was at the top of the list.
Fast forward to now, and after some time consulting for Axio, I’m excited to be joining Axio in a full-time capacity, primarily focused on helping Axio serve the cyber insurance industry as effectively as Axio has and will continue to serve the enterprise market.
From all of my experience in cybersecurity, I simply do not believe that any capability has as much potential to positively impact the discipline as Cyber Risk Quantification, or really more accurately, Cyber Risk Economics. The time has passed where all effort and attention should be focused on fortifying the perimeter and defending the enterprise at all costs; rather, cybersecurity must equally focus on understanding the risk from an economic standpoint, focusing on the risks that can be most detrimental to the business, and having a plan to minimize the impact of an inevitable event. I’m excited to have an opportunity to help Axio deliver this critical capability.
Digitization of the global economy, enabled increasingly by cloud service adoption, means the risk posed by cyber vulnerabilities has moved onto the centre stage. Quite simply, cyber risk is one of the great issues of our time.
The importance of bringing management of cyber risk into the heart of corporate risk management cannot be ignored. Cyber risk enables, accelerates, and amplifies those critical enterprise risks organizations are already worried about, and there is a groundswell of legislation that means Boards, too, have specific oversight responsibilities. The ability to quantify the scale of incremental exposure that cyber risk represents, and to make decisions about the scale and prioritization of risk capital spending to address cyber exposure, become critical enterprise risk management disciplines and capabilities.
Axio, a second-generation cyber risk quantification platform, provides visibility of values at risk, insight into the priority shaping of cyber risk management strategy, and the ability to prioritize and manage risk capital deployment. Importantly, this prioritization is irrespective of whether that’s technical mitigation, capital response, like better use of a Captive programme, or evolving the shape and scale of risk transfer portfolios. Normalizing cyber risk management to reflect those disciplines already at work within enterprises is a critical step for Boards of Directors to make. Axio is a powerful ally in addressing this challenge.
Embedding cyber risk quantification in the heart of risk management disciplines to allow Boards of Directors to leverage positive value from cyber risk is an important frontier for enterprise capital management. Axio has the potential to be a vital component in this evolution, and I’m delighted to be able to help shape that environment, harnessing the powerful insight that Axio can bring.
Peter Armstrong – Biography
Peter Armstrong is an expert in the management of cyber risk and cyber security and a self-professed cyber and risk management geek.
Prior to his engagement with Axio, Peter was the Senior Cyber Subject Matter Expert at Munich Re Group and, before that, led the Willis Cyber risk consulting business, where he focused on the quantification and management of cyber exposure in the risk portfolios of large organisations. He has served on the Advisen Cyber Security Conference Advisory Board and is a leading thinker in developing responses to the cyber challenges facing large, complex organisations. He is a regular speaker on the topic of cyber risk management and cyber risk transfer, having contributed recently to OECD reflection on this topic.
Peter’s background is in the Defence, Intelligence, and Security Sector, where for many years he led sensitive cyber security activities in the UK and overseas with a particular focus on Industrial Control Systems and Operational Technology in Energy (including Nuclear), Utilities, Transportation, Primary Extraction Industries and manufacturing (notably Aviation, Automotive and High Tech). Peter ran the Thales Cyber Security Business, the Finmeccanica Global Battlespace business, and the UNISYS Commercial Industries Group.
Peter spent his early career serving as an officer in the Royal Navy, deployed during the Cold War in nuclear submarines. Peter is a member of the Board of Directors for Cyber Rating.Org and an Advisory Board member for InfoSec Global and Senseon; he is a Nonresident Fellow of the Carnegie Endowment for International Peace, where he leads the Technical Working Group for their cloud resiliency programme. Peter holds a Master’s degree in IT and Management, his first degree is in Economics, and he is a Fellow of The Institute of Directors.