How Defensive Diligence Leads to Better Cyber Risk Oversight

Cybersecurity events are a risk even for well-managed firms. The Securities and Exchange Commission reported a 600% rise in data breaches over the past decade, with business, issuer and investor costs estimated in the trillions. The impacts of cyber incidents are wide-ranging, from lost revenue and reputational harm to regulatory fines and legal damages – which, according to IBM, made up more than half of breach costs in 2024.
While cyber risks can’t be completely eliminated, organizations can mitigate costs by demonstrating diligence in managing cyber risks, maintaining a high-performance cyber operation and proactively addressing threats.
In this blog post we provide an excerpt of our recent report, Defensive Diligence with Cyber Risk Quantification, published in collaboration with Chartis Research. For a more in-depth look, see the full report here, which provides important background for legal professionals looking to understand this topic.
Defensive diligence is emerging as a best practice for legal teams to defend their organization’s cyber risk position in the event of a cyber incident. In short, defensive diligence is the proactive and sustained management of liability risk. It’s a key component of an organization’s standard duty of care, requiring organizations to implement reasonable and appropriate safeguards against cyber threats, and positioning the firm to best defend itself from claims of negligence in the event of an impactful cyber-related issue.
A Proactive Liability Defense
Defensive diligence is not a silver bullet; rather, it provides the key building blocks for an affirmative defense against fines and liabilities that may result from a data breach or other impactful cyber incident. Through a program of ongoing and objective measurement of cyber risk, coupled with commensurate and responsive mitigation, defensive diligence creates a factual and evidentiary basis for the rebuttal of negligence claims.
In the event of a cyber breach, an established posture of defensive diligence helps a firm’s legal team:
- Demonstrate that the firm had reasonable grounds to believe it had proper protection in place against a breach prior to the event
- Communicate that the firm had consistently taken steps to minimize the impact to stakeholders in the event an incident occurred
These protections would include, but would not be limited to:
- A comprehensive inventory of the assets to be protected from a cyberattack and the value of those assets to the organization
- An understanding of potential threat scenarios and their likelihood relative to the assets being protected
- Historical data on past loss events and an understanding of the potential of similar events to create future losses
- An assessment of the inherent risk of a cyberattack or other cyber incident
- Quantification of the inherent risks and the implications of using internal controls and other standards of care
- Analytic models, working with proper governance, that quantify cyber risks and that are transparent, explainable and repeatable, using reliable public and private source data
Quantify, Integrate, Validate
At a high level, three major components form the basis for a strategy of defensive diligence, helping firms proactively demonstrate a standard duty of care. They are:
- Quantification and contextualization of cyber risk: A central component of defensive diligence is the ability to quantify cyber risk through transparent, explainable and repeatable analytic models. Cyber risk scores – benchmarked against industry peers – provide a defensible, objective measure of an organization’s exposure and preparedness.
- Integration across the three lines of defense: Defensive diligence is reinforced by integrating cyber risk quantification across the three lines of defense (business operations, risk management/compliance and internal audit). Leveraging quantitative metrics also demonstrates that risk management is evidence-based and comprehensive throughout the organization.
- Independent validation and continuous improvement: Obtaining independent, empirically based assessments is critical for demonstrating appropriate diligence. These assessments help identify gaps missed internally, validate the effectiveness of controls and provide robust evidence of organizational diligence to external parties.
The current Duty of Care Risk Analysis (DoCRA) standard strongly values cyber risk quantification to ensure that organizations implement ‘reasonable and appropriate’ safeguards. DoCRA emphasizes that risk analysis should not focus solely on financial losses or reputational harm but must also consider the broader impact on all stakeholders, including employees, customers, partners and the wider community.
By quantifying cyber risks – whether in financial terms, incident odds, affected populations or other measurable metrics – organizations can more clearly communicate and justify their security decisions to regulators and other relevant authorities. In the event of an impactful cyber incident, those same measurements may also help organizations defend against claims in court by making a powerful argument to a judge or jury that risks were duly considered and risk performance measured, and that mitigating actions were reasonably aligned with those measurements. This kind of proactive risk quantification supports the legal principle of ‘duty of care’ by demonstrating that safeguards are proportionate to potential harm, balancing protection with the burden placed on the organization.
More details on each of these three steps can be found in our report, Defensive Diligence with Cyber Risk Quantification.
Conclusion
Defensive diligence is emerging as a best practice for legal teams to defend their organization’s cyber risk position in the event of an impactful incident. For legal teams looking to demonstrate their diligence in cyber oversight to stakeholders, establishing a posture of defensive diligence – through objective cyber risk quantification, integrating quantification across the organization, and obtaining independent validation assessments of their cyber risk preparedness – is crucial.
For a more in-depth discussion of defensive diligence and the role that cyber risk quantification can play in managing risk, please access the full report here.
