CEO Tom’s objectives include growing sales and reducing costs by effi-ciently increasing reliance on technology and data analytics. While Tara, his chairperson, and her board of directors are happy with the optimistic financial projections based in part on Tom’s embracing technology, the board has also inquired as to whether technology and information asset reliance increases risk to the financial statements from cyber exposures. Can Tom’s organization build a quantitative model that addresses cyber exposures in order to maximize efficient allocation of resources, budget, and reporting? If so, can cyber exposures be quantified and cyber risk transferred to insurers in an effective manner? Tom rose to the challenge. He saw to it that his chief financial officer, Gloria, and chief risk officer, Nathan, were collaborating with key internal stakeholders (such as the general counsel, human resources, sales and marketing, product development, treasury, chief information officer [CIO], chief information security officer [CISO], and chief security officer [CSO]) and that they were developing a cyber risk transfer solution aligned with their organization’s enterprise risk management system in order to address the total cost of risk (TCOR).¹

Tailoring a Quantified Cost-Benefit Model

The reason for the board’s ask ...