Cyber risk spending: How do you quantify the cost of cyber risk and the return on that investment? (English only)
The cost of cyberattacks to the U.S. economy was estimated at somewhere between $57 billion and $109 billion in 2016,1 more than the GDP of Puerto Rico. Figures like these, however, obscure the costs to individual companies, which vary widely by industry sector, risk management protocols, and type of breach.
In 2015, Milliman was engaged by a large Fortune 50 company. Its chief information security officer (CISO) had asked the board of directors for a budget of several hundred million dollars to better prepare for cyber risk. The size of the request, and how often such requests were being made, gave the board pause: it wanted numbers to justify the spending. To win approval for the additional funding, the CISO needed to quantify the cost of a potential cyberattack and substantiate the budget.
As cyber threats evolve, companies face the need, within increasingly complex enterprise risk management (ERM) processes, not only to assess the risks associated with cyberattacks but also to quantify the potential cost of those risks, so that the exposure is fully addressed and budgets are set efficiently and accurately. Knowing where to allocate funds is as important as knowing how much to allocate. Putting dollar figures on controls such as cybersecurity and cyber insurance, and securing support for that practice, helps build the case for what a company's cyber spending should be and present it to senior executives who demand justification.
Milliman’s work with the Fortune 50 company began with a methodology to evaluate the company’s cyber risk exposure profile and the potential organizational impact of a breach. This includes liabilities that are both a direct and indirect result of an attack. Working with key stakeholders throughout the company, we identified the various threat vectors, potential assets that could be compromised, and security positioning. Important questions included:
- What type of information is vulnerable and how much exists?
- What security protocols are in place?
- What could be the cost of remediation and potential litigation as well as reputational impact?
- What are the potential costs not covered by cyber insurance?
By identifying over 200 different parameters via internal key risk indicators (KRIs), third-party data, and Milliman proprietary data, we built an actuarially sound model for our client that allows for scenario development in order to determine the potential costs associated with various types of plausible events. What would the financial impact be if the company fell prey to a spear-phishing scam? How does that differ from the costs associated with a malicious insider or a DDoS event such as a server slowdown or crash? Running tens of thousands of iterations using a simulation technique allowed us to create a continuous distribution of loss outcomes and quantify the potential range of cyber risk costs, including expected loss, tail loss, and the volatility around these losses.
Milliman’s expertise and cyber model allowed our client to understand some of the more challenging questions associated with the cost of cyber exposure. How well would the company’s current insurance cover the expected loss associated with a cyberattack? Are there gaps that need to be considered, and what do they look like? What if a more extreme event materialized: what are the possible drivers, and how well is the company prepared for a worst-case scenario?
Perhaps most importantly, this distribution of loss outcomes also allowed Milliman to offer a cost-benefit analysis to our client. With this model, we were able to answer questions for the CISO such as:
- If the company were to spend $1 million to improve certain controls or hire additional resources, and if that improved the control environment and decreased the frequency or severity of an attack, how much money is the company saving?
- What dollar amount put toward mitigation or security protocol measures moves the needle: where do you see a return on investment?
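The simulation approach described above (many iterations over a frequency/severity model, yielding expected loss, tail loss and volatility, then a cost-benefit comparison of a control investment) can be illustrated with a small Monte Carlo model. This is an added example, not Milliman's model or its client's data; the Poisson incident rate, lognormal severity parameters and the 33% frequency reduction attributed to the $1 million control are constructed assumptions.

```python
import math
import random
from statistics import mean, pstdev


def sample_poisson(rng, lam):
    """Number of incidents in one simulated year (Knuth's method)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(frequency, severity_median, severity_sigma,
                           iterations=20000, seed=1):
    """Compound Poisson/lognormal aggregate loss, one value per simulated year."""
    rng = random.Random(seed)
    mu = math.log(severity_median)          # lognormal mu for the given median
    losses = []
    for _ in range(iterations):
        incidents = sample_poisson(rng, frequency)
        losses.append(sum(rng.lognormvariate(mu, severity_sigma)
                          for _ in range(incidents)))
    return losses


def summarize(losses, tail_percentile=0.99):
    """Expected loss, VaR at the percentile, mean loss beyond it, and volatility."""
    ordered = sorted(losses)
    idx = min(int(tail_percentile * len(ordered)), len(ordered) - 1)
    return {"expected_loss": mean(ordered), "var": ordered[idx],
            "tail_loss": mean(ordered[idx:]), "volatility": pstdev(ordered)}


def control_roi(baseline, improved, control_cost):
    """Expected saving from the control versus what it costs."""
    saving = baseline["expected_loss"] - improved["expected_loss"]
    return {"expected_saving": saving, "net_benefit": saving - control_cost,
            "benefit_cost_ratio": saving / control_cost}


# Constructed scenario: 3 incidents/year, median severity $800k, heavy tail.
BASELINE = summarize(simulate_annual_losses(3.0, 800_000, 1.0))
# Assumed: the $1M control cuts successful incident frequency by one third.
IMPROVED = summarize(simulate_annual_losses(2.0, 800_000, 1.0))
ROI = control_roi(BASELINE, IMPROVED, 1_000_000)
```

Comparing the tail metrics of the two runs, not only the expected loss, shows where a control changes the worst-case picture that insurance gaps are measured against.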
One of the key issues for executives of any company is determining how the exposure changes as cyber risk evolves, and in what ways investing could change that outcome. By providing a cost-benefit analysis and linking the model results to our client’s financial statements, Milliman was able to help quantify the impact of cyber risk from a business perspective and create an ongoing discussion about actionable results. Milliman’s work with our Fortune 50 client not only provided more confidence to justify security spending and capital allocation; it also provided a structured approach to understanding and quantifying the company’s residual cyber risk.
For more on Milliman’s work quantifying cyber risk, visit www.milliman.com/cyber/.
1 “The Cost of Cyber Attacks to U.S. Economy,” Insurance Journal, February 20, 2018. Retrieved on September 26, 2018, from https://www.insurancejournal.com/news/national/2018/02/20/481121.htm.