The bottom line – cyber risk in financial terms

Date: 15-11-2018


It’s not enough for businesses to think of cyber-security in technical terms. What are your vulnerabilities and risks? How could they impact you? And how much risk are you willing to take on? These are the questions businesses need to answer, says George Ng, co-founder and CTO of Cyence, a cyber-risk analytics and modelling firm acquired by Guidewire Software, in October 2017.

About the Author

Dr. George Ng

Chief Data Officer, Guidewire

He leads product management, data science, risk modelling and engineering teams for analytics and data products. Prior to Guidewire, George was co-founder and CTO of Cyence, which was acquired by Guidewire in 2017. Previously, he was the Chief Data Scientist at Yarcdata. George has also worked as a Research Scientist at DARPA and US-CERT and as faculty at American. He received his PhD from UC Irvine and BA from UC Berkeley, both in Economics.

“Regardless of the country or the language spoken, there is one way in which boards look at risk - and that is through money and the likelihood of something happening.

A cyber risk is one of those events which you can’t actually prevent. Therefore, you should stop thinking about it as an IT problem, and start to think about it as a business risk.

Cyber risk in the 21st century is existential to most businesses – 60% of small businesses in the US went under after a cyber event.”

The cost of cyber-security goes beyond investing in software or third-party support. While this can be expensive, the loss of data, money, trust or reputation as a result of an incident can come with a much bigger price tag. To make risk assessments based on the bottom line, everyone from your suppliers to your customers needs to be part of the equation.

What to look out for when assessing cyber-risk

Cyber-security is not a one-size-fits-all proposition. Every business has to account for different risks. This starts by considering what makes you an attractive target in the first place – which in turn tells you who might target you.

For example, a law firm and a retailer may have equally strong defence systems. Yet one is trying to protect sensitive and private documents, while the other is focused on keeping customer data and payment details safe. That results in two very different cyber strategies.

Risks vary by sector, size, location and even visibility. If your business is in the headlines, you might be more recognisable to hackers. Risks can also be accidental, such as when someone sends a spreadsheet to the wrong person. That’s why it’s crucial to examine the whole company – from your everyday operations to your staff – for potential risk factors.

It’s also important to not just think about your own security, according to Ng. Sometimes, your company isn’t the target at all. It’s just a way in for someone looking to reach your customers, or a partner within your network.

Changing how you think about cyber-security

One common mistake that companies make is thinking of cyber risk purely in terms of prevention. That’s not realistic anymore. It should be treated like any other risk, with an eye toward what it means for your business when something goes wrong.

When you’re buying a house, for example, you’ll try to make sure it has a solid infrastructure, and that it’s prepared to take on the elements. But you’re also likely to take out some form of insurance or think of how to deal with worst case scenarios.

As it stands, a lot of cyber-security assessments are driven by compliance and regulation. This is a limited, defensive approach that tends to come down to a tick-box exercise. While that’s not a bad thing, the best defence is to consider the potential attackers’ offense. That means actively seeking out potential threats that are relevant to your business.

A cyber incident is one of those events which you may not actually be able to prevent, says Ng. Therefore, you should stop thinking about it just as an IT problem and also start thinking about it as a business risk.

The real cost of risk – and how to plan for it

Cyber-risk in the 21st century is existential to most businesses – 60% of small businesses in the US went under within six months of a cyber event. When you think about the potential consequences, the price of investing in cyber-security measures doesn’t seem that high.

Going back to the home example, burglary is something that can happen to anyone. But there are different ways to deal with it. You could invest in a simple alarm, or spend a fortune on an advanced system. You could even decide to limit how many valuables you keep at home. Ultimately, it comes down to what you think is the best option for you, and how much you’re willing to – or able to – spend.

What experts at firms like Guidewire Cyence do is provide the right information and models to help businesses come to the right conclusions for their organisation. Not everyone can pay for top-of-the-line software, of course, but a clear understanding of all the risks lets businesses make decisions based on pounds and probabilities.

Putting cyber-security in business terms

Cyber is a C-suite concern for today’s businesses. That means it’s important to use the right words to talk about it, with fewer IT terms and more business realities. Ng points out that, regardless of the country or the language spoken, there is one way in which boards look at risk – and that is through money and the likelihood of something happening.

Once you can frame a risk with actual figures, you can have a clearer conversation about it. Understanding the probability of an event that can cost you half a billion, for example, lets you think of risk in real terms and take your next steps with more confidence.
