The path to digital leadership
Business impact analysis to reinforce the cyber resilience of your company

These guidelines are part of The path to digital leadership series dedicated to business continuity management. This time, we are focusing on the business impact analysis (BIA), an essential element of an organization's business continuity strategy. For other publications in the series, visit our website.

Muslim Medzhlumov
Chief Product and Technology Officer
BI.ZONE
2023

Contents
Introduction
Essential guidance
Section 01. Business impact analysis. Preparing your company for adverse events
Section 02. Cyber risk management. Identifying the main threats to your company
Section 03. Awareness. Mitigating human error in corporate cybersecurity
Section 04. Monitoring. Improving resilience to cyberattacks through rapid incident response
Section 05. Cyber insurance. Getting the most out of it
Introduction

Imagine you need to cross a street with no traffic lights. Before doing this, you will look in both directions to assess whether it is safe to go. What can possibly happen when you are crossing the street? Here are some of the risks you may face:

1. A lamp post can collapse in front of you. There is no violent storm in sight, so the likelihood of this situation is minuscule—this risk can be excluded from the analysis.
2. A cyclist in a hurry may not slow down when approaching the crosswalk. As the speed of the bicycle is usually not too high, you may spot the cyclist just in time and stop, so your risk here is not significant.
3. A careless driver may get distracted and hit you. The likelihood of this scenario is quite high and its consequences are serious—from a long-
Essential guidance

Section 01 / 05
Business impact analysis. Preparing your company for adverse events
Key ideas

We recommend relying on the ISO/TS 22317:2021 standard that features a step-by-step description of the analysis.
Understanding business

10 reasons to conduct a BIA

1. Obtain reliable data that describes the impact of malfunctions in the infrastructure and processes.
How a business impact analysis is performed

Depending on the size of the organization and the number of areas being investigated, the initial analysis can take anywhere from 3 to 12 months. If you start the BIA in the first quarter, by autumn the company will have the results to plan and budget process improvements for the next year.

In cases where a company has limited resources to conduct an analysis, we recommend that it focus its initial research on the primary business processes and push
BIA stages

1. Preparation
• Assembling a team of experts and responsible employees
• Gathering initial information
• Establishing the goals and expected results of the BIA

2. Demarcation
• Identifying key business products and services
• Defining core and supporting business processes
• Planning the terms and stages of the research
• Defining the business process owners and involved units

3. Development of an impact matrix

4. Business process profiling

5. Data analysis
• Analyzing the consequences of breakdowns, downtime, and other negative effects on business processes
• Rating possible damage according to the impact matrix
• Calculating the downtime thresholds and defining continuity targets
• Ranking the products and services on the scale: maximum acceptable downtime duration, minimum acceptable level of performance in emergency situations
• Classifying business processes by their criticality

6. Conclusions and reporting
Step 1. Preparation

Step 2. Demarcation
Step 3. Development of an impact matrix

Main objective: devise an impact matrix, taking into account the company’s goals and strategy.

It is important that the information about possible damages from negative events is collected for each group of products and services. The most effective method for this is to conduct interviews with top managers and department heads. Each business area must define and document the following:
• contractual obligations—customer expectations, contract terms, penalties, SLA
• partners and suppliers—opportunities

The result is a table with a description of critical events and the level of their impact on the business. Types of consequences, criteria, and thresholds are defined and agreed upon with the management. In the end, the organization should have a developed matrix of the potential damage, taking into account the goals and medium-term plans of the organization.

The practical usefulness of BIA depends
Impact levels

Insignificant: Minimal consequences are possible within the limits of operating losses.
Acceptable: The event leads to lower productivity, but without significant damage to the business.
Significant: (description missing)
Critical: The event has a serious impact on one or more business processes, resulting in substantial damage to the company.
Unacceptable: The event affects key business processes and the company’s operations as a whole, resulting in severe damage to business and its market positions.

Thresholds by impact type (the three rows preserved here, from lower to higher severity; the rows for the lower levels are missing from this copy):

Row 1
• Customer outflow: 1–5%
• Financial damage (loss of expected revenue): 1–5%
• Reputational damage: Complaints and appeals from customers and
• Fines and liabilities: $10,000–$20,000
• Environmental or health hazard: Moderate damage
• Legal and regulatory repercussions: Warnings, warrants, and sanctions by
• Deviation from business objectives: 3–10%

Row 2
• Customer outflow: 5–10%
• Financial damage (loss of expected revenue): 5–10%
• Reputational damage: Complaints and appeals from customers and counterparties, including written complaints to the authorities; damage to business reputation
• Fines and liabilities: $20,000–$50,000; multiple class action lawsuits
• Environmental or health hazard: Substantial damage
• Legal and regulatory repercussions: Warnings, warrants, and sanctions by authorities, including fines; civil lawsuits, court proceedings, investigative actions; suspension of license
• Deviation from business objectives: 10–20%

Row 3
• Customer outflow: >10%
• Financial damage (loss of expected revenue): >10%
• Reputational damage: Complaints and appeals from customers, counterparties, regulators, or the public; complications in running the business
• Fines and liabilities: >$50,000; multiple class action lawsuits
• Environmental or health hazard: Risk of fatalities or irreparable damage to the environment
• Legal and regulatory repercussions: Warnings, warrants, and sanctions by authorities, including fines
• Deviation from business objectives: >20%
Step 4. Business process profiling

Main objective: collect maximum data to adequately assess the possible losses from adverse events and allocate a reasonable budget for implementing business continuity measures.

The experts conduct in-depth interviews with those who know the most about the processes—their owners and key employees. The list of specialists to be interviewed should be drafted in the first stages of the research.

Information to be gathered

1. Process description. What is its function? What does it consist of? How are the employees involved? This information will help you analyze all the stages of the process and lay out the sequence of operations within technological chains.
2. Results. What is the outcome of the process? How do the results correlate with certain assets? How are
5. Business unit interactions. What supportive and related processes do core operations depend on? For example, sales can be influenced by IT, marketing, the legal department, and logistics.
6. Acceptable downtime. What is the maximum duration for which operations can stop without significant
Step 5. Data analysis

business process separately and approve the reports on them.
• Then the team makes an overall assessment for the company.

When analyzing individual business processes,
to the upper or lower limit of critical damage.

MAC (minimum acceptable capacity)

In general practice, the results of the analysis
Table of the disruptions impact on business processes

Level | Downtime | Impact | Asset (BP)
— | <5 min | Isolated negative reviews that do not spread to the Internet |

Once the BIA reports on specific business
Summary table of the disruptions impact

Each cell gives the impact level reached after the stated downtime (I, A, S, C, U for the five levels of the impact matrix: insignificant, acceptable, significant, critical, unacceptable).

Business process | Asset | 30 minutes | 1 hour | 4 hours | 1 day | 3 days | 1 week | 1 month | 1 quarter
BP 1 BO 1.1 | Asset 1 | A | S | S | C | C | C | U | U
BP 1 BO 1.1 | Asset 2 | S | S | C | U | U | U | U | U
BP 1 BO 1.1 | Asset 3 | S | S | S | C | C | U | U | U
BP 1 BO 1.2 | Asset 1 | S | C | C | U | U | U | U | U
BP 1 BO 1.2 | Asset 3 | I | I | A | A | A | S | S | S
BP 2 BO 2.1 | Asset 1 | A | A | A | S | S | S | S | S
BP 2 BO 2.1 | Asset 3 | S | S | S | C | C | C | U | U
BP 2 BO 2.1 | Asset 4 | A | A | A | A | A | A | A | A
BP 2 BO 2.2 | Asset 1 | S | C | C | C | C | U | U | U
BP 2 BO 2.2 | Asset 2 | I | A | A | A | S | S | S | S
BP 2 BO 2.2 | Asset 3 | S | S | S | C | C | U | U | U
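The impact matrix of Step 3 and the summary table of Step 5 are easier to work with once they are machine-readable. The Python script below is an added worked example, not BI.ZONE's code and not the procedure of ISO/TS 22317: it classifies an event's measured consequences against the matrix thresholds and derives each asset's maximum acceptable downtime from the summary table, then ranks the assets by how soon their downtime becomes intolerable. Everything not on the page is an assumption and is marked as such in the code: the three preserved matrix rows are taken to be the Significant, Critical and Unacceptable levels; a value below the lowest published threshold is treated as Acceptable; an event's overall level is the worst level reached by any single impact type; the `tolerated` parameter, the `THRESHOLDS` keys and the function names are my own.

```python
"""Added example (not BI.ZONE's code): impact classification and maximum
acceptable downtime derived from the BIA impact matrix and summary table."""
from __future__ import annotations

# Impact levels of the matrix in ascending order of severity.
LEVELS = ["Insignificant", "Acceptable", "Significant", "Critical", "Unacceptable"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Lower bounds copied from the three matrix rows preserved on the page.
# ASSUMPTION: those rows are the Significant, Critical and Unacceptable levels,
# and a value below the first bound counts as Acceptable.
THRESHOLDS = {
    "customer_outflow_pct": [("Significant", 1), ("Critical", 5), ("Unacceptable", 10)],
    "revenue_loss_pct": [("Significant", 1), ("Critical", 5), ("Unacceptable", 10)],
    "fines_usd": [("Significant", 10_000), ("Critical", 20_000), ("Unacceptable", 50_000)],
    "objective_deviation_pct": [("Significant", 3), ("Critical", 10), ("Unacceptable", 20)],
}


def classify_metric(impact_type: str, value: float) -> str:
    """Map one measured consequence to the highest matrix row it reaches."""
    level = "Acceptable"  # assumption: below every published threshold
    for name, bound in THRESHOLDS[impact_type]:
        if value >= bound:
            level = name
    return level


def classify_event(measurements: dict[str, float]) -> tuple[str, dict[str, str]]:
    """Overall level of an event = worst level reached by any impact type
    (assumption: one Critical consequence makes the event Critical even when
    every other consequence is mild)."""
    per_type = {k: classify_metric(k, v) for k, v in measurements.items()}
    worst = max(per_type.values(), key=lambda lv: RANK[lv])
    return worst, per_type


# Downtime windows of the summary table, in the order of its columns.
WINDOWS = ["30 min", "1 hour", "4 hours", "1 day", "3 days", "1 week", "1 month", "1 quarter"]
CODES = {"I": "Insignificant", "A": "Acceptable", "S": "Significant",
         "C": "Critical", "U": "Unacceptable"}

# Rows of the summary table as printed in the document: business process,
# business operation, asset, then one impact code per downtime window.
SUMMARY_TABLE = """\
BP 1 BO 1.1 Asset 1 A S S C C C U U
BP 1 BO 1.1 Asset 2 S S C U U U U U
BP 1 BO 1.1 Asset 3 S S S C C U U U
BP 1 BO 1.2 Asset 1 S C C U U U U U
BP 1 BO 1.2 Asset 3 I I A A A S S S
BP 2 BO 2.1 Asset 1 A A A S S S S S
BP 2 BO 2.1 Asset 3 S S S C C C U U
BP 2 BO 2.1 Asset 4 A A A A A A A A
BP 2 BO 2.2 Asset 1 S C C C C U U U
BP 2 BO 2.2 Asset 2 I A A A S S S S
BP 2 BO 2.2 Asset 3 S S S C C U U U
"""


def parse_summary(text: str) -> list[tuple[str, list[str]]]:
    """Turn the printed table into (asset key, impact level per window)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 + len(WINDOWS):  # "BP 1 BO 1.1 Asset 1" is six tokens
            continue
        rows.append((" ".join(parts[:6]), [CODES[c] for c in parts[6:]]))
    return rows


def max_acceptable_downtime(levels: list[str], tolerated: str = "Significant") -> str | None:
    """Longest window whose impact stays at or below `tolerated`.
    Returns None when even the shortest window already exceeds it. The RTO
    set in Step 6 must not be longer than the window returned here."""
    mad = None
    for window, level in zip(WINDOWS, levels):
        if RANK[level] > RANK[tolerated]:
            break
        mad = window
    return mad


def rank_assets(rows, tolerated: str = "Significant") -> list[tuple[str, str | None]]:
    """Most time-critical assets first: sorted by how soon the impact exceeds `tolerated`."""
    def first_breach(levels: list[str]) -> int:
        for i, lv in enumerate(levels):
            if RANK[lv] > RANK[tolerated]:
                return i
        return len(WINDOWS)
    ordered = sorted(rows, key=lambda r: (first_breach(r[1]), r[0]))
    return [(key, max_acceptable_downtime(levels, tolerated)) for key, levels in ordered]


if __name__ == "__main__":
    for key, mad in rank_assets(parse_summary(SUMMARY_TABLE)):
        print(f"{key}: maximum acceptable downtime = {mad}")
    print(classify_event({"customer_outflow_pct": 2, "revenue_loss_pct": 0.5,
                          "fines_usd": 25_000, "objective_deviation_pct": 4}))
```

Run as is, the script lists "BP 1 BO 1.2 Asset 1" and "BP 2 BO 2.2 Asset 1" first (their impact is already Critical after one hour, so the maximum acceptable downtime is 30 minutes) and "BP 2 BO 2.1 Asset 4" among the last (Acceptable across the whole quarter). Lowering `tolerated` to "Acceptable" shortens every window and shows how much a stricter risk appetite costs in recovery targets.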
Step 6. Conclusions and reporting

Main objective: provide company management with the information to make reasoned decisions about the budget for preventive continuity measures.

The BIA conclusions report is the starting point for preparing a business continuity plan. Approximate content of the report:
• Goals and objectives of the research
• Scope of the analysis (the list of examined products, services, and business processes)
• Process of analysis (how the research was conducted)
• Results:
  • impact matrix
  • potential impact resulting from a disruption of business functions and processes

Depending on the organization and its initial goals, the recommendations can be general or more detailed. They may contain the following:
• RPO, RTO targets
• estimated asset reserves for capacity management
• key areas for employee training and testing
• response and recovery procedures in case of downtime
• recommendations that ensure business continuity
Conclusion

With the BIA, you can also identify the impacts with the most serious consequences for the company.

Section 02 / 05
Cyber risk management. Identifying the main threats to your company

Key ideas

Why prioritizing risks is important
A conventional approach to cyber risk assessment focuses on the threats that compromise the confidentiality, integrity, or availability of information: from exploitation of vulnerabilities to cybersecurity code violations. Such assessments show which systems are vulnerable to a particular type of cyberattack, for instance, DDoS or ransomware, and the results are compiled into a detailed report.

The report comes out being very bulky: a minimum of 3 threats are analyzed for each asset with 2–3 exploit scenarios per threat, using various vulnerabilities. A small company may have 2,000–7,000 unique cybersecurity risks that must be addressed. For a large enterprise or a factory with many production lines the figure is even higher, reaching tens of thousands.

The CEO of a company may not be too concerned with the technical issues. Instead, they need to understand the impact of cyberattacks on their business and estimate the possible financial losses.

Our own cyber risk management methodology builds on this idea. It is based on an iterative evaluation:
• Start from the top, using a BIA to determine the negative consequences for the company as a whole.
• Then proceed down to the key products and services—those that bring in the main profits. Determine the consequences of their continuity failures.
• Finally, move on to the business processes and assets that are directly connected to profit generation. This way, we focus on the risks that are critical to specific operations or resources.

Thus, we gradually narrow down the threats to the most dangerous vulnerabilities. This method helps to determine how particular risks can unfold and provides a clear and straightforward picture to further manage the issues.

The BI.ZONE combined approach was finalized and tested in 2019. In January 2020, having
What standards underpin our approach to cyber risk management

As our own experience shows, no single existing risk management standard alone can deal with the impact of negative events on the business. However, it is possible to combine the methods from several standards.

ISO 31000:2018, Risk management—
The situation changes if the BIA method is

1 By this term, we mean a variety of systems: quality management, information or production security management, business continuity management, environmental management, and so on.
2 The British Standards Institution (BSI) was founded in 1901. Today, BSI is the world leader in management systems as well as the leading authority on standardization and certification.
What benefits come with a combined approach

1. The volume of processed information is reduced manifold. The analysis includes only those threats that can cause significant damage to the business.
2. It is easier to manage process continuity. The company can select measures to mitigate those risks that are critical for a particular business operation.
3. There are more opportunities for risk management in general. The approach transcends cybersecurity and encompasses the broader context of business processes.

With the conventional approach to risk management, the business gets a rather abstract definition of risk.

Take the example of a goods vendor that distributes orders through a logistics IT system. If the system crashes due to a malfunction or a cyberattack, the company will face customer dissatisfaction, late delivery fines, and other negative consequences. Further tasks will depend on the company’s strategy for building risk management.

Let us compare:

What is the main difference? In the first case, the priority is to protect the service itself, which can be quite expensive. The combined approach helps you focus on delivering orders to customers. This wording would suggest that the damage from IT system downtime can be reduced by engaging a courier service, for example.
In our experience, the combined approach speeds up the cyber risk assessment threefold. In the case of BI.ZONE, an analysis of 5 processes and 400 assets revealed about 4,000 risks, which could take up to a month and a half to analyze. Now, we only have to focus on half as many assets with respect to these processes, and the number of relevant vulnerabilities and threats has decreased threefold. The overall assessment can now be completed in about two weeks while the actual workload has decreased fivefold, to 800 risks, without compromising the result. We exclude scenarios that are obviously irrelevant since they cannot cause significant damage to the business and therefore do not require further processing. Only the most significant and unacceptable scenarios are subject to analysis.

Mitigation measures should be implemented first and foremost for risks that can lead to unacceptable consequences for the company. Therefore, the CEO will eventually receive from 5 to 20 business critical risks to consider as priority. Below, we will lay out a step-by-step approach to working out a list of the most dangerous scenarios for the business.

3x faster cyber risk assessment using the combined approach
(chart axes: number of assets, number of threats)

The combined approach allows us to employ a transversal method and common management practices in a QMS and an ISMS. When applying a BIA, it does not matter whether the damage occurred due to poor product quality or an IT system failure. What is important is to look at the business consequence and assess how critical it is.
How to establish effective cyber risk management

Step 1. Determine the range of potential risks and opportunities given the context of the organization’s activity.

Any standard with reference to ISO 31000 requires that risk management begins with identifying the business context, the external and internal factors that may affect it, and the risks and opportunities associated with such factors.
Step 2. Identify all types of possible negative effects and develop an impact matrix that describes their criticality for the business.

This stage begins the impact analysis. For each activity type it is necessary to:
• consider its role in the business, identify the main stakeholders
• identify all types of consequences
• determine the possible magnitude and threshold of criticality levels
• develop an impact matrix

Let us assume that the goods vendor has identified three areas of activity: purchasing, sales, and logistics. The last item is a secondary business function that does not generate profit by itself. However, problems with delivery can lead to undesirable consequences, for example, financial: indemnity, lost profits, fines, legal fees and settlements.

As a result, the company receives a high-level assessment of the extent of damage: when negative consequences are in the acceptable green zone, and when they become significant (yellow zone) or unacceptable (red zone). Schematically, the matrix may look like this (the figures are given as an example):
Step 3. Analyze possible causes and scenarios

Step 4. Plan for risk management
Some risks may affect multiple areas at once,

Step 5. Process the identified cybersecurity

A diagram illustrating the steps

Conclusion
Section 03 / 05
Awareness. Mitigating human error in corporate cybersecurity

Key ideas

factor
• assess the possible implications of such risks
• identify groups of people who can impact the risks (employees of different business units, counterparties, contractors)

employees practical skills to avoid hackers and their tricks.
How low cyber awareness hurts business

An accountant kept the password to his work computer in notes on his phone. Hackers cracked the phone and compromised the corporate credentials, then leaked the company’s accounts.

A bank employee was using a public cloud to send confidential files. The cloud provider did not take proper care of its security, and the files ended up in the hands of criminals.

An office manager received a call on Sunday,
The number of attacks on companies through

300% increase in phishing attacks recorded globally in 2022 vs 2020 (3)

3 “Phishing Activity Trends Report 2nd Quarter 2022,” APWG.

How to identify the areas that would
How to plan cybersecurity training

When you have conceptualized the potential damage and figured out who needs to improve cyber awareness and how, you can devise a training program that fits your company. The course activities will aid employees in understanding the following:
• damage that a business could face in an incident caused by a staff member
• methods that attackers can use against your employees
The set of training activities varies depending on the objectives:

Objective: Show the impact of incidents on business
Content: A series of internal briefings for target groups (accountants, economists, logisticians, IT specialists, etc.). Each group has its own set of instructions, depending on the work performed and the possible incident implications.
Benefits: Employees get tangible insight into the impact of an attack on the operations and are encouraged not to be the cause of an incident.

Objective: Monitor cybersecurity awareness
Content: Testing, practice drills and response procedures, routine phishing email
Benefits: You get reports on the effectiveness
Which business units are

Administration and office management: 52% withstood the attack, 37% opened the email, 11% opened the email, clicked the link, and opened the attachment.
How to ensure

What we did
• Identified target groups by the level of access to critical assets and by information security skills: “Finance and accounting,” “IT and cybersecurity,” “Operating specialists,” and “Low risk employees.”
• Developed a schedule of training courses and attack drills for each group. In doing so, we took into account the specifics of the company, the groups themselves, the working conditions, and the level of cyber hygiene in each group. The customized courses included client-specific assets, applications, and types of sensitive information. In addition, our experts expanded on the sections of secure working with e-payment systems.
• Implemented a continuous awareness process based on our platform. It included a series of routine training for employees, attack drills, and improvements

Results
• In six months, the number of vulnerable individuals dropped by 30%.
• The Security Champion incentive program increased employee involvement in cybersecurity compliance and strengthened loyalty.
• We updated the psychological profiles of employees.
Conclusion

Section 04 / 05
Monitoring. Improving resilience to cyberattacks through rapid incident response

Key ideas
Why preventive security

What is effective cybersecurity monitoring

Without threat monitoring, a company wouldn’t have a clue about a looming attack until after it happens—when it becomes impossible not to notice its effects, such as encrypted data on servers and workstations. A proactive approach, on the other hand, enables timely detection of illegitimate activity through centralized collection, systematization, and analysis of security events. This can be done in different ways.

Some organizations assign one specialist to monitor all security system alerts, like an antivirus being triggered by some suspicious

To build such processes, you need to integrate security event monitoring with proactive threat analysis and incident response. An effective approach would be to assign these functions to a dedicated unit—security operations center. This can be done both with the company’s own resources and by engaging a third-party team.

By linking technology, people, and cybersecurity, the SOC provides optimal protection in an environment where attacks are becoming increasingly sophisticated. Below we will explore how a SOC operates and how to get the most out of it.
How SOC improves incident monitoring

Before the implementation of monitoring, a company must institute a set of defenses that help protect against typical attacks. This step of the process can be referred to as prevention. The deployed security tools can automatically block known attacks, but many threat actors have long since learned how to bypass them. In order for a company to address “invisible” threats, it needs alternative security tools, such as monitoring systems.

In essence, the prevention phase is not directly part of the threat monitoring process, but an important precursor to it.

3. Any alerts triggered by the rules are analyzed by a team of specialists. If the threat is confirmed, the team initiates some countermeasures. This may include specialized IRP/SOAR (4) systems that run (at the command of the analyst or automatically based on the preset rules) response scenarios, or playbooks, for the type of incident detected. This is known as the response stage.

The SOC completes the cycle with two additional steps: i) continuous vulnerability exposure (prediction), which allows specialists to promptly address security gaps and reduce the likelihood

4 Incident response platform / security orchestration, automation, and response is a class of software products for security coordination and management. These solutions collect security event data from multiple sources, process it, and automate typical response scenarios.

SOC cycle (diagram): security tools feed three stages.
PREDICTION: continuous detection of infrastructure vulnerabilities and weaknesses.
DETECTION: detection of ongoing attacks.
RESPONSE: verification, response, and investigation of identified threats.
What we did
• Quickly notified the client.
• Our analysts revealed a compromised account and several servers with a web shell. At the same time, it turned out that the attacker had obtained an account with domain administrator privileges and copied all usernames and passwords.
• We prepared recommendations to mitigate the damage. Thus, we suggested isolating the servers and resetting the passwords to all accounts.
• Using routine SOC tools, the analysts could not figure out how the intruder had penetrated the infrastructure. Hence, we called in our fellow colleagues from

Results
• The investigation revealed how the attacker had got into the infrastructure—through an external server that hosted the HR’s employee testing service. The company had launched the service long before reaching out to us. The vulnerability of the resource allowed any visitor to find out the usernames and passwords of employees who accessed the website.
• The key reason for the incident was a lack of emphasis on security in the prediction stage.
• Following the investigation, the team prepared recommendations to eliminate the consequences of the attack and improve cybersecurity processes.

Process cycle
Prediction. This stage was not taken into account, which resulted in the incident.
Prevention. The company was running an antivirus program in conjunction with a SIEM system hosted by an external SOC.
Detection. When a malicious script was detected, the information was immediately sent to the SOC.
Response. The specialists began to analyze the incident, localized the source of the threat, and initiated an investigation. This is where it became apparent that the incident was caused by a failure to address infrastructure vulnerabilities and weaknesses.
How to get

How BIA helps at all stages

Does your company need a SOC?

The answer depends on the risk appetite that can be understood in the course of a BIA. It is necessary to consider the damage beyond the scope of the corporate IT infrastructure. Thus, a breakdown in business continuity may arise from external service failures, which should also be identified by the SOC.

After the analysis, compare the costs of implementing your own SOC or outsourcing its functions with those of a delayed response to security events. Company management
SOC: in-house or outsourcing?

When a company finally decides that it does need a SOC, it has to determine whether to use its own resources or opt for the services of an expert organization. The following questions will help you make that decision.

1. Can you independently assess the criticality of your systems in terms of monitoring?

Companies believe that the systems processing and storing large amounts of valuable data are a higher priority for monitoring. However, this approach is not always the right one. For example, if hackers penetrate these critical systems and publish the extracted database online, it will be too late
and so on. The company’s objective is to spot illegitimate actions as early as possible and react before the intruder has gained access to critical assets. Therefore, monitoring should not only cover such assets, but also all the preceding points that the intruder passes. These can be mail servers, user workstations, secondary information systems, the elements of infrastructure that are commonly not considered critical.

To create an effective private SOC, a company needs dedicated specialists who can properly rank the systems by significance. If your organization does not have such employees, outside experts can help.

2. How quickly do you need to launch the monitoring process?

It can take several years for a company to build and get its SOC up and running. The SOC must reach a certain level of maturity to be able to detect incidents that standard security measures fail to notice. The specialists need to develop an expert set of rules for identifying suspicious events, as well as keep them up to date, further align processes, and prepare playbooks—all this requires a lot of time and resources. For example, it took us more than four years to develop the 1,300 rules currently in our SOC database. (6) Meanwhile, you can start running an external SOC in just a few weeks.

to an incident. It may turn out that a one-hour failure will have no effect on your business, two hours will cause problems, and two days of downtime will result in major financial and reputational damage. All this should be defined in your playbooks, which provide a clear response procedure. Some incidents must be addressed within minutes and/or at night times. Consequently, the SOC should operate around the clock, and, if highly specialized experts are needed, they must be engaged as soon as possible.

Maintaining your own 24/7 SOC is associated with high costs. The greater part of the expenses will be personnel—people need to be recruited and trained. An external SOC already has experienced professionals who deal with incidents in various industries on a daily basis.

4. Are you prepared to incur

5. Do you have qualified staff?

6 As of January 2023.
7 “The (ISC)² 2022 Cybersecurity Workforce Study.”
Conclusion

Section 05 / 05
Cyber insurance. Getting the most out of it

Key ideas
How damaging a cyber incident can be

A healthcare provider fell victim to hackers who stole medical and personal records of 850,000 patients. Many of them filed lawsuits against the organization.

A cryptocurrency platform lost $28 million from its hot wallet as hackers had gained access to the company's wallet server.

A telemarketing company with a 61-year history was unable to recover after a ransomware attack and had to cease its operations.

$4.35 million: the average total cost of a data breach globally
How cyber insurance helps to save money

The global cost of cybercrime is constantly rising and is expected to skyrocket to almost $24 trillion by 2027. (8) On top of that, the average total cost of a data breach climbed to a record high of $4.35 million in 2022. (9) For companies, this means more stolen money and data, damaged reputation, lost productivity, and disruption to the normal course of business. If such losses are covered by an insurance policy, the victim company can better manage the continuity of its business processes after

8 Anna Fleck, “Cybercrime Expected to Skyrocket in Coming Years,” Statista.
9 “Cost of a Data Breach Report 2022,” IBM Security.
How to get the full picture of your cyber risks
It is important to make sure that your insurance coverage reflects the actual consequences of cybersecurity incidents. This will enable you to undo the damage without overpaying for insurance. Performing a business impact analysis will allow you to choose the insurance plan that covers all the relevant risks and their possible implications.

With the BIA results in hand, you can prioritize the events that have the most severe consequences for your business processes.
How to choose the right insurance plan
Let us use the cyber risks of a hypothetical cloud service provider as an example. The company offers two key services with different SLAs:

Archive: … for a 10% data loss.

Access: … about 1 day per year. Longer downtimes are subject to a penalty of 4% of the contract value for each 0.25 p.p. in excess of the maximum permissible 0.25%.
Based on the BIA results and the respective SLAs, the provider specifies two essential indicators for data availability—recovery point objective (RPO) and recovery time objective (RTO):

RPO: Archive <1 day; Access 365 days
The BIA outcomes also include a business processes assessment and a disaster recovery plan (DRP). These inputs enable the company to establish that:

Archive: …
Access: …
Hence, the provider can easily calculate the costs it will have to incur in the event of a disruption: by calculating the compensation charges for each contract and adding these figures for all customers, the provider will establish the total amount of potential damages payable.
The BIA also determined the severity of potential incidents for each of the two services:

Archive: A loss of data will significantly affect the company's business continuity, as customers will be less likely to trust the storage service.

Access: A loss of data will have a marginal impact, if any, as the service uses end-to-end encryption to prevent third parties from compromising the data.
While researching the cyber insurance market, the company has come across the following annual rates (coverage*, by plan):

Data tampering (incl. by ransomware): Plan 1 up to $500,000; Plan 2 up to $750,000; Plan 3 —
Data leak: Plan 1 up to $500,000; Plan 2 up to $750,000; Plan 3 —
Denial of service (incl. due to DDoS attacks): Plan 1 —; Plan 2 up to $750,000; Plan 3 up to $1,250,000

* Maximum payouts over the insurance period.
In Archive, the files must be backed up at least once a day. At the same time, the SLA allows the service to be unavailable for up to 10 days. Therefore, a denial of service does not pose a major threat to it. Thus, the provider can disregard plan 3, as it does not cover the risk of data tampering but only protects against DDoS attacks.
Access can be shut down for up to 1 day. Therefore, the risk of a DDoS attack must be covered in the insurance plan. Backups can be performed once a year, as the risk of data tampering for Access is not high. This is why plan 3 seems like the best option for this service.
Coverage, by plan, with the Access assessment:

Data tampering (incl. by ransomware): Plan 1 up to $500,000; Plan 2 up to $750,000; Plan 3 — (non-critical for Access: RPO is 365 days)
Data leak: Plan 1 up to $500,000; Plan 2 up to $750,000; Plan 3 —
Denial of service (incl. due to DDoS attacks): Plan 1 —; Plan 2 up to $750,000; Plan 3 up to $1,250,000 (critical for Access: RTO is less than 1 day)
Finally, thanks to the BIA, the company can make a balanced decision: either to purchase plan 1 for Archive and plan 3 for Access, or opt for a combined plan 2.

Plan 1 (Archive), Plan 2 (Archive + Access), Plan 3 (Access)

Insurance premium: Plan 1 $7,000; Plan 2 $14,000; Plan 3 $7,000

Coverage:
Data tampering (incl. by ransomware): Plan 1 up to $500,000; Plan 2 up to $750,000; Plan 3 —
Data leak: Plan 1 up to $500,000; Plan 2 up to $750,000; Plan 3 —
Denial of service (incl. due to DDoS attacks): Plan 1 —; Plan 2 up to $750,000; Plan 3 up to $1,250,000
A decision in favor of a particular plan, and whether to insure specific risks at all, should factor in the amount of potential damage, which can be calculated in advance. Your insurance plan should cover the damage and be less costly than the introduction of the respective security and mitigation measures.
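The two calculations the example walks through, the SLA penalty summed across Access contracts and the choice of the cheapest plan set that covers every risk the BIA rated critical, as an added example that is not part of the guide. Contract values and downtime figures are constructed sample inputs, and treating a started 0.25 p.p. step as a full penalty step is an assumption the guide does not state.

```python
"""Added example, not from the BI.ZONE guide: SLA penalties and plan selection
for the hypothetical provider's Archive and Access services."""
import math
from itertools import combinations

# Access SLA from the guide: 0.25% annual downtime allowed (about 1 day), then
# 4% of the contract value for each 0.25 p.p. above that. Assumption: a started
# 0.25 p.p. step counts as a full step.
ACCESS_MAX_DOWNTIME_PCT = 0.25
ACCESS_PENALTY_PCT_PER_STEP = 4.0
ACCESS_STEP_PP = 0.25


def access_penalty(contract_value: float, downtime_pct: float) -> float:
    """Penalty payable on one Access contract for a given annual downtime (%)."""
    excess = downtime_pct - ACCESS_MAX_DOWNTIME_PCT
    if excess <= 0:
        return 0.0
    steps = math.ceil(round(excess / ACCESS_STEP_PP, 9))  # round guards float noise
    return contract_value * ACCESS_PENALTY_PCT_PER_STEP / 100 * steps


def total_access_damages(contract_values, downtime_pct: float) -> float:
    """Sum the penalties over all customers, as the guide describes."""
    return sum(access_penalty(v, downtime_pct) for v in contract_values)


# Premiums and covered risks per plan, taken from the guide's rate table.
PLANS = {
    "Plan 1": {"premium": 7_000, "covers": {"tampering", "leak"}},
    "Plan 2": {"premium": 14_000, "covers": {"tampering", "leak", "dos"}},
    "Plan 3": {"premium": 7_000, "covers": {"dos"}},
}
# Risks the BIA rated critical for each service, per the guide.
CRITICAL = {"Archive": {"tampering", "leak"}, "Access": {"dos"}}


def cheapest_plan_sets(plans=PLANS, critical=CRITICAL):
    """Return (cost, combos): every minimal-premium set of plans covering all critical risks."""
    needed = set().union(*critical.values())
    best, best_cost = [], None
    for n in range(1, len(plans) + 1):
        for combo in combinations(plans, n):
            covered = set().union(*(plans[p]["covers"] for p in combo))
            if not needed <= covered:
                continue
            cost = sum(plans[p]["premium"] for p in combo)
            if best_cost is None or cost < best_cost:
                best, best_cost = [combo], cost
            elif cost == best_cost:
                best.append(combo)
    return best_cost, best
```

With the guide's figures the function returns two equally priced options, plan 2 alone or plan 1 plus plan 3, which is exactly the choice the text leaves open.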
Let us also assume that, according to the BIA, an attack on Archive will have no impact on Access, as the two services are located in different network segments. In this case, to reduce the cyber risks, we recommend considering the following measures:

Data leak: Archive —; Access —
Thus, maintaining data safety and integrity is essential for Archive, while ensuring availability is of utmost importance for Access.
Archive: Given the cost of data replication, this does not appear to be the best way to mitigate the risk of data tampering. A more sensible solution is to choose plan 1.

Access: If the organization opts for DDoS protection, purchasing plan 3 will be unjustified due to its relatively high premiums.
Conclusion
About BI.ZONE

BI.ZONE is an expert in digital risk management. We help organizations develop their business safely in the digital age. Our innovation-driven products enable clients to take the best approach to their tasks, irrespective of company size, budget, or geography. From consulting and outsourcing services to ready-made solutions and customized strategies, we are focused on delivering tangible benefits to our clients as a trusted and reliable partner.

We can assess your current level of risk, propose measures for improvement and optimization, train your employees to work in the digital environment, … aviation, and many other industries.

We employ certified world-class experts and cooperate with a number of international organizations, such as the World Economic Forum, INTERPOL, SWIFT, the CyberPeace Institute, and others.

We understand what your business needs to succeed in the digital development journey, and can help you set the right vector.

1,000+ completed projects
400+ protected clients
700+ cybersecurity experts
15+ countries of presence

Find out how to maintain business continuity with BI.ZONE solutions

4 Olkhovskaya St., Bld. 2
Moscow 105066, Russia
+44 20 3808 3511
info@bi.zone
www.bi.zone