Incentive model for managing cyber risk in the supply chain
Thesis, posted on 29.03.2022, 03:26 by Wai Ming Denny Wan
Competition has transformed many economic processes, from manufacturing to financial services, into complex supply chains. Entities along these chains specialise in the core processes in which they have a competitive advantage, measured by their ability to manage the process risk at the lowest cost. Outsourcing non-core processes does not relieve these entities of the associated regulatory compliance obligations and other liabilities. The rapid rise in financial liabilities from cyber-attacks, from record fines to class action settlements, demands a better understanding and handling of these outsourcing arrangements. Unfortunately, our limited understanding of the rapidly evolving nature of cyber-attacks, together with the difficulty of quantifying cyber risk, makes managing liability from cyber risk challenging. The traditional compliance-based approach does not offer an assurance of security: an increasing number of organisations suffer major data breaches despite being certified. This research explores an alternative, an incentive-driven risk-sharing approach to minimising preventable data breaches, which focuses on improving cyber resilience at the source of risk. An incentive model ontology that leverages quantification techniques is presented to identify the key elements of the incentive model. The approach has been validated through APRA CPS 234 and a cyber insurance use case.