The American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) released a new action guide to assist business executives in the analysis, management and transfer of financial risk related to a cyber attack.
In 2004, the Congressional Research Service estimated the annual economic impact of cyber attacks on businesses -- which can come from internal networks, the Internet or other private or public systems -- to be more than $226 billion. In 2008, U.S. Department of Homeland Security Secretary Michael Chertoff named cyber risks one of the nation's top four priority security issues.
"We are experiencing a financial meltdown due to a fundamental misunderstanding and mismanagement of modern financial systems, which is generating a crisis of confidence in our core institutions. Today, all our critical infrastructures are reliant on cyber systems that are also misunderstood and mismanaged. These vulnerabilities place both our financial and physical security in jeopardy unless we update the method we use to control our cyber systems," said Larry Clinton, president of the ISA.
"The guide is revolutionary in its approach and extremely practical in its application. It will assist organizations in taking the necessary multi-dimensional approach to managing their cyber infrastructure by shifting the locus of control to the Chief Financial Officer," Clinton explained.
Developed by a cross-sector task force representing more than 30 private and public sector organizations, The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask is the first known publication to approach the financial impact of cyber risks from the perspective of core business functions.
The document provides guidance to CFOs and their colleagues responsible for legal issues, business operations and technology, privacy and compliance, risk assessment and insurance, and corporate communications. It is organized in a question-based format, which makes it applicable to virtually any industry and any set of business circumstances.
The Financial Impact of Cyber Risk was unveiled during a press conference at the National Press Club in Washington, DC. Two thousand copies of the publication are now en route to executives at leading companies across the nation. Electronic copies are available for free download.
"We urge all the owners and operators of our nation's cyber systems to join with us in our joint effort to upgrade our nation's security," Clinton said.
In addition to the 50 strategic questions provided in the document, the action guide offers sample charts to aid in calculating the probability and severity of financial loss from both risk events and the actions taken to mitigate them. The guide also includes a list of standards and reference documents to help businesses develop comprehensive risk management frameworks.
"By bringing together a diverse group of cyber security experts, ANSI and the ISA have identified the potential gaps in the process of analyzing cyber risk," said Fran Schrotter, senior vice president and chief operating officer at ANSI. "We have given C-Suite executives a tool that will assist them in developing and implementing a cyber risk management plan for their organization."