Frontiers of cyber risk

‘Cyber risk’ is commonly used to describe a critical business challenge – and yet no single definition of the term has been agreed on by the cyber security industry, professional bodies or end-user organisations.

Scoping the manifestations and frontiers of cyber risk, its causes and impacts, varies accordingly. What is generally accepted is that the range of cyber risk has enlarged in recent years to encompass a much broader meaning than online threats like hack attacks, malware and viruses, cyber-crime, and offensive action by nation state-sponsored agents.

Cyber risk now pertains to multiple categories of operational risk associated with ICT system impairment. These include data theft, operational disruption, information system failures, physical harm to humans, financial jeopardy, regulatory fines, reputational damage and loss of business.

Instances of cyber risk to the business include:

Proactive and persistent threats

  • cyber-criminals, hackers, insider threats

  • state-sponsored attacks, cyber-terrorism, hacktivism

  • security vulnerabilities

  • cloud misconfiguration

  • system faults and failures

  • insecure legacy systems

Volatile external threats

  • accidental data loss

  • civil commotion

  • environmental change

  • planned/unplanned service suspension

  • public health crises

  • third-party liability


At this stage in the maturing of cyber risk as a discipline, cyber risk officers can assemble a composite definition that best matches their understanding and experience of the issues involved. To help, here is a distillation of definitions proffered by industry bodies and vendors.

  • ‘Cyber risk is the potential exposure to loss or harm stemming from an organisation’s information or communications systems. Cyber-attacks and data breaches are two frequently reported examples of cyber risk. However, cyber risk extends beyond damage and destruction of data or monetary loss and encompasses theft of intellectual property, productivity losses, and reputational harm… Cyber risk is [now] the fastest growing enterprise risk and organisational priority. According to the Global Risk Perception Survey 2019 [from risk management firm Marsh], cyber risk was ranked as a top 5 priority by 79% of global organisations... The growth of cyber risk is [largely] tied to the increasing use of technology as a value driver. Strategic initiatives – such as outsourcing, use of third-party vendors, cloud migration, mobile technologies, and remote access – are used to drive growth and improve efficiency, but [they] also increase cyber risk exposure. [Therefore,] cyber risk has evolved from a technological issue to an organisational problem.’
    Source: LogicGate

  • ‘Cyber risk is the probability of exposure or loss resulting from a cyber attack or data breach on your organisation. A better, more encompassing definition is the potential loss or harm related to technical infrastructure, use of technology or reputation of an organisation.’
    Source: UpGuard

  • ‘Cyber risk is commonly defined as exposure to harm or loss resulting from breaches of, or attacks on, information systems… A better, more encompassing definition is “the potential of loss or harm related to technical infrastructure or the use of technology within an organisation”.’
    Source: RSA

  • ‘Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its IT systems... Cyber risk, however, is never a matter purely for the IT team. An organisation’s risk management function needs a thorough understanding of the constantly evolving risks, as well as the [means and measures] available to address them.’
    Source: Institute of Risk Management

  • ‘Cyber risk is the probable frequency and probable magnitude of future loss that relates to an organisation’s information systems and associated assets, both physical and informational.’
    Source: PwC


Image credit: Moon / Unsplash