There are several ways to address the risks that a risk assessment identifies; you can avoid the risk entirely (withdraw), reduce or mitigate the risk, transfer the risk (e.g. insurance) or accept the risk.
If you consider a datacentre operator who houses a large amount of IT equipment, fire is a risk, whether that is due to an electrical malfunction or a fault with customer equipment.
- Withdrawing from the activity is not an option.
- Reducing or mitigating the risk with VESDA smoke detection, gas suppression and comprehensive fire detection systems makes perfect sense.
- Transferring elements of the risk with buildings insurance and business interruption insurance provides some added comfort in the event the steps to mitigate fail.
- It is unlikely a datacentre could accept the risk of fire and have no mitigating controls or insurance policies.
Proper datacentre design, building controls, competent M&E consultants and a comprehensive testing regime would significantly reduce the risk for a datacentre from the outset. Buildings and datacentres are also constructed to known standards: floor loadings, cable calculations, noise, heat dissipation, redundancy, etc.
These same steps apply to cyber attacks. Take the example of an online retail business that, during a risk assessment, identified data breaches or cyber-attacks as a real risk to their business:
- Withdrawing from online activity is not an option. It is their shop front.
- Reducing or mitigating the risk with IPS, firewalls, systems hardening, DDoS mitigation platforms, endpoint protection and a security architecture all make sense. These measures will go some way to limiting the cyber-risk, but will by no means eliminate it.
- Transferring elements of the risk is possible to some extent. They could outsource the protection of their platform to a third party. The platform outsourcing contract could provide a remedy for a cyber-breach; however, it is unlikely these liabilities would extend to cover the organisation’s loss of earnings or reputation (investment attractiveness could be irreparably damaged, as discussed in an earlier post).
- Transferring elements of risk with cyber insurance is an option, but one that many believe does not provide adequate protection, yet.
- Accepting the risk could be an option. This is what many online businesses will do today (in the absence of a fit-for-purpose cyber insurance regime).
The actuarial challenge – cyber insurance
Many commentators touted 2014 as the “year of the data breach”. I think 2013 may have been the year of the data breach too. Perhaps 2015 is planned.
Data breach insurance is widely discussed, but the reality is that many organisations feel data breach (or cyber) insurance, when you read the small print, simply does not make sense. The high premiums, excess, deductibles and exclusions make the whole cyber insurance affair utterly pointless.
(Full disclosure, I am not an actuary nor an insurance salesman – so my brief perspective of the insurance industry will perhaps not do it justice!)
Insurance is very much based around risk.
Insurance companies employ teams of skilled actuaries who leverage complex algorithms and whose job it is to calculate risk and to shape premiums. These calculations can be based on historic data and past events, establishing the retrospective risk and then projecting it forward. They use complex models, scientific data, demographic data and market data to determine the risk going forward.
The insurance companies will also consider what controls you have in place to mitigate the risk, and how effective these controls are. The effectiveness and impact of these controls on risk can be based on past data but also their own calculations.
In the case of car insurance: your age, sex, the presence of car alarms and immobilisers, the number of miles you drive, advanced driving certificates and the regional crime statistics all help shape the risk.
This number crunching is a classic application of big data, and the statistical analysis of so many data points can be quite staggering. Machine learning, artificial intelligence, computational actuarial science, gradient descent, Hessian matrices, Poisson models and covariates all feed this scientific approach to risk. The end game for you and me? An insurance policy and a monthly premium.
Cyber insurance and the dynamism of risk
A business may feel hacking, cyber attacks and data breaches pose a real risk to their business and they may opt for cyber insurance.
The challenge with cyber insurance is the comparative lack of data (compared to say car theft) and the ever moving threat landscape. Political events, military action, software flaws, platform integration, poor quality software, a lack of standardisation, geographically dispersed infrastructure and a complex and diverse IT supply chain muddy the waters. With the internet, there are so, so many actors who are not limited by region or indeed country.
The risk is truly global and this is exponentially increasing year on year. The internet of things (IoT), the rate of mobile adoption, eHealth, big data, data flows and the way the world is embracing technology, it is simply mind blowing.
If traditional risk were an animal, it could be seen as relatively inanimate and somewhat predictable, a product of its region, and we humans had evolved to predict, control and accept its behaviour.
However in the internet world, this animal would be a truly schizophrenic, spontaneously morphing, semi-transparent beast which can rear its head in the least likely of places. Its aggressive and unjustified actions could be triggered by the most unlikely events in Mexico, the UK or China.
This hyper-dynamism of risk, coupled with a comparative lack of cyber actuarial data, makes it very difficult for an insurance company, and its actuaries, to competently and quantitatively assess cyber risk to the point where the risk is fully understood and a premium begins to make sense for an enterprise.
How do you quantify the impact?
If your house catches fire, it burns down. Your holiday home doesn’t burn down, nor does your Spanish office. Your UK insurance company covers you and your rebuild/repair, and you carry on.
If your UK office suffers a data breach, but the lateral movement of the attackers triggers a data breach in your US, Japan and Argentinian offices – then you have a problem. Data relating to UK citizens, Japanese health data and information relating to the finances of Argentinian businesses is now on the internet.
EU data protection will certainly have an impact (a percentage of worldwide revenues), the US may bring civil lawsuits, and in Japan and Argentina, who knows? Both the cyber risk and the cyber impact are difficult to quantify. So how do you underwrite that?
Is it even worth it?
If your business struggles to determine the impact of a cyber event, despite rigorous quantitative calculations and statistical analysis, you may ask whether cyber insurance is even worth it.
Why data breaches don’t hurt stock prices
Harvard Business Review (HBR) ran a piece entitled Why Data Breaches Don’t Hurt Stock Prices. The article basically concluded that, whilst a company’s stock price was largely not affected by a breach, there were other serious consequences.
So whilst stock prices were largely unaffected, it was the subsequent improvement of security controls, civil suits and damaged reputation that cost them. It is worth remembering that these scenarios are relatively ground-breaking; this is very much new ground. If Target or Sony suffered a second large-scale data breach, would the markets be equally forgiving? Who knows?
I discussed how many underwriters, actuaries and insurance companies are finding it difficult to fully understand cyber risk; this is also true from a shareholder point of view. The HBR article outlines the following:
This mismatch between the stock price and the medium and long-term impact on companies’ profitability should be addressed through better data. Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value. In most cases, at the time a security breach is disclosed, it is almost impossible for shareholders to assess its full implications.
Now that major security breaches have become an inevitability in doing business, companies should put strong data security systems in place, just as they protect against other types of business and operational risks.
From what I can see, there is no clear solution.
Many organisations will stack multiple cyber insurance policies in the hope that, collectively, they provide a level of cover.
Determine cyber posture
Companies such as BitSight will attempt to determine and measure cyber-security risk, as a service. They state that a number of Fortune 500 companies embed their technology as a means to continuously assess risk and the effectiveness of their controls. How this differs from a robust risk assessment remains to be seen; however, I assume BitSight do much of the legwork. (I will be researching this type of business in more detail.)
Develop the science
Universities, computational actuarial scientists and academia are no doubt working away in an attempt to perfect the science, the data and the algorithms needed to assess cyber risk. Their findings will no doubt find their way into mainstream applications.
Data breach notifications
This is potentially a novel thought. Many governments (including the US) are trying to force companies to notify the relevant authority in the event a data breach occurs. There is some reluctance to do so, for a number of reasons (outside the scope of this piece), however there could be some implications on cyber insurance.
Anonymised cyber breach data sharing to drive actuarial science
Could the solution be some form of public-private partnership whereby:
- Data breaches are reported to the authorities.
- With some supporting metadata, these are anonymised and populated onto some form of structured data breach register.
- Insurance companies and actuarial scientists can leverage this repository to better shape their insurance products and determine the effectiveness of controls and particular vendor solutions.
- Given the sensitivity of breach data, governments will need to ensure they too have sufficient controls to prevent a data breach exposing data breach information!
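As an added example (not from the post or any insurer), here is a small Python sketch of the actuarial calculation such a register would enable, tying the "Poisson models and covariates" above to the breach-register idea: it estimates a Poisson breach rate per control from a constructed, anonymised register, treats each control as a covariate scaling a baseline rate, and prices a premium for a prospective insured. The register rows, the multiplicative model, the MIN_EXPOSURE threshold and the 30% loading are all assumptions; the threshold is there to refuse a rate when the data is too thin, the sparse-data problem the post describes.

```python
from collections import namedtuple

# Constructed anonymised breach-register rows (hypothetical, not real data):
# one row per organisation-year, listing the controls that were in place,
# the number of breaches that year and the total loss from them.
Row = namedtuple("Row", "controls breaches loss")
REGISTER = [
    Row(frozenset({"ips", "hardening", "ddos"}), 0, 0),
    Row(frozenset({"ips", "hardening", "ddos"}), 1, 200_000),
    Row(frozenset({"ips"}), 1, 500_000),
    Row(frozenset({"ips"}), 2, 900_000),
    Row(frozenset(), 3, 1_200_000),
    Row(frozenset(), 2, 800_000),
    Row(frozenset({"hardening"}), 1, 300_000),
    Row(frozenset({"ips", "hardening"}), 0, 0),
]
MIN_EXPOSURE = 2  # assumed: organisation-years needed before a rate is trusted


def poisson_rate(rows):
    """Breaches per organisation-year for a slice of the register."""
    if len(rows) < MIN_EXPOSURE:
        raise ValueError("too little actuarial data to rate this slice")
    return sum(r.breaches for r in rows) / len(rows)


def control_relative_rate(register, control):
    """Rate with the control divided by rate without it: the covariate's effect.
    1.0 means the control makes no difference; 0.4 means 60% fewer breaches."""
    with_c = [r for r in register if control in r.controls]
    without_c = [r for r in register if control not in r.controls]
    return poisson_rate(with_c) / poisson_rate(without_c)


def mean_severity(register):
    """Average loss per breach across the whole register."""
    return sum(r.loss for r in register) / sum(r.breaches for r in register)


def annual_premium(register, controls, loading=0.3):
    """Expected annual loss for an insured with `controls`, plus a loading.
    Assumes a multiplicative (log-linear) model: the baseline rate of an
    organisation with no controls, scaled by each control's relative rate."""
    rate = poisson_rate([r for r in register if not r.controls])
    for c in controls:
        rate *= control_relative_rate(register, c)
    return rate * mean_severity(register) * (1 + loading)
```

With the constructed rows, an insured running IPS and hardening is rated at 0.25 breaches a year against a mean severity of 390,000, so the loaded premium is 126,750; asking about a control the register has never seen raises ValueError rather than inventing a rate.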
This concept of a public-private collaborative cyber breach data sharing initiative may already be underway (I would be interested to hear from anyone who knows this to be the case).
Data protection, cross-border data flows, the responsibility of storing this breach data and the global context of any initiative is a real challenge.
Insurance = Assurance
If the bar is set high for cyber insurance, driven by science, real-world data and calculated risk, a cyber-insurance policy has a secondary benefit.
If an organisation can satisfy the requirements, develop a strong security posture and exceed the rigorous requirements of a cyber insurance policy, this achievement becomes some form of hallmark, or level of cyber-assurance.
Paradoxically, if an organisation attains this high level of cyber integrity assurance, does this now make the organisation the focal point for future attacks, therefore increasing the risk? On that note….