In a previous KPMG blog, I discussed how robust Identity Access Management helps meet Digital Operational Resilience Act (DORA) requirements. Moreover, there are notable instances where quantifying cyber risks can improve adherence to various regulations, including the SEC's guidelines on cybersecurity risk management, strategy, governance, and incident disclosure, the Cyber Resilience Act, Network and Information Security Directive (NIS2), the Telecommunications (Security) Act, the Online Safety Act, and the EU Artificial Intelligence Act.

An opportunity for strategic alignment

The intricate regulatory landscape for operational, ICT, and cyber resilience is converging rapidly, and rightfully so. Historically, quantifying information, communications, and technology (ICT) risks has been challenging. With rapid technological advancements, these risks have grown considerably more complex to manage compared to traditional approaches. New considerations include the use of artificial intelligence (AI), quantum computing, and the ability to effectively manage the risks they pose. This is where cyber risk quantification (CRQ) can make a significant impact by offering a method to define materiality, measure and assess the potential financial impact of cyberattacks. This data can then be used to make informed decisions about the level of cybersecurity risk that the company is willing to accept and the steps that need to be taken to mitigate that risk.

A recap of CRQ

CRQ entails measuring the potential financial risk exposure stemming from cyber threats. This is achieved by evaluating the likelihood of an attack and estimating the potential financial impact if such threats were to materialise. Consequently, the results of CRQ initiatives can be transformative for organisations navigating intricate regulations while safeguarding themselves against cyberattacks and data breaches.

3 areas where CRQ can enhance regulatory compliance

  1. Increased confidence with regulators: helps organisations demonstrate to regulators that they are actively managing cyber risks using a robust methodology aligned with industry standards. This aids in understanding materiality and the potential impact and financial risk exposure from relevant and proportionate cyber threats.
  2. Stronger risk management: transitions organisations away from subjective red-amber-green and 1-5 scales towards data-driven decision-making through systematic scenario analysis and risk mitigation strategies.
  3. Enhanced communication with stakeholders: CRQ provides a business language (financial impact and likelihood) for effective communication with Board members, executives, and decision-makers, aligning with their strategic objectives and risk appetite.

An innovative platform to drive meaningful change

The aforementioned examples draw from our experience assisting clients in advancing their cyber risk management capabilities through our industry leading CRQ SaaS product, Cyber Risk Insights (CRI). CRI facilitates the modernisation of risk assessments by applying both qualitative and quantitative analyses to a portfolio of cyber risks.

CRI employs a scenario-driven approach to evaluate the likelihood and impact of cyberattacks more precisely. By the end of 2023, we had collaborated with several prominent global clients to assist them in quantifying cyber risks, presenting investment cases to boards, and determining optimal investment portfolios. These initiatives have contributed to compliance with a number of regulatory requirements.

Our platform establishes credibility with regulators, senior business leaders, internal stakeholders, and clients as its methodology aligns with Open FAIR™ risk analysis. Furthermore, the development approach we took in building CRI involved a KPMG team, comprising experts in Cyber Security, Data Modelling, Software Engineering, Cloud, Econometrics, Digital Design, and Actuarial Science. This multidisciplinary approach provided us with valuable insights and experiences, enabling us to offer a comprehensive perspective that encompasses business, technology, regulatory, and industry requirements.

For further information, schedule a demonstration and embark on your journey towards cost-effective, compliant, and proportionate risk management.