QUANTIFYING CYBER DISRUPTION

2021 has been a record year for ransomware attacks and it’s not even over yet. Earlier in the year, a spate of attacks on critical infrastructure, including government institutions, caused the Biden administration to elevate the ransomware threat to a national security priority.

Facing a ransomware epidemic, boards are demanding that senior executives articulate the potential impact of ransomware to their organisations, as well as the steps taken to mitigate this risk. Chief information security officers have escalated calls for renewed investment in cybersecurity capabilities and new security technologies, requests that need to be balanced against the overall business objectives of their organisations.

A compelling case for increased investment in cybersecurity and prioritisation of cyber resilience at the board level cannot be made without a solid understanding of an organisation’s vulnerabilities and its level of tolerance for cyber disruptions. In today’s environment, a reactionary, tick-the-box approach no longer serves the interest of organisations — in fact, it may very well be catastrophic.

The objective of this paper is to demonstrate how organisations can quantify risks such as ransomware fully and accurately, and acquire the critical insights they need to build cyber resilience. Using a fictional entity, Mammoth Bank, as a case study, the paper demonstrates how a tried-and-tested method of risk quantification can be deployed to analyse ransomware risk.

Through this detailed analysis, we estimate this fictional $80 billion bank’s average annual exposure to ransomware to be $10.2 million and its per-event loss to be $48 million at minimum and $266.3 million in the worst-case scenario (90th percentile).

Ultimately, these insights will allow this fictional bank to determine its potential maximum disruption from a ransomware attack, assess whether or not current operations can withstand such an impact and make critical decisions to drive meaningful change. 

To make a compelling case for increased investment in cybersecurity and priori-tisation of cyber threats at the board level, the guardians of information security need to understand their organisations’ vulnerabilities and levels of tolerance for various cyber risks. A reactionary, tick-the-box approach no longer serves their interest - in fact, it may very well be catastrophic.