Let’s Declare Cyber Independence Day!

That line from the original Independence Day movie (1996) captures the current angst about cyber breaches. Like locusts, hackers move from one organization to the next, and everyone is in imminent danger. While great individual weapons (technologies) have been created, no one is leading a charge to nuke the b@st@rds!

Many leaders of organizations seem unmotivated to attack the problem. Some don’t believe they are targets, and still others fail to address critically important cyber risk, focusing instead on urgent daily issues. A key challenge for anyone leading the charge against cyber crime is finding a motivation strong enough to change organizational behavior, regardless of industry.

There’s a natural historical precedent for the cyber risk challenge we face. In 1905, F. C. Oviatt wrote a fascinating “Historical Study of Fire Insurance in the United States,” published in the Annals of the American Academy of Political and Social Science. It details the realization of the need for fire insurance, the creation and evolution of the first policies, and the impact that insurers had on practices and regulations over the century and a half before. Key outcomes included basing rates upon the type of industry, moving from all volunteers to paid fire departments, and conducting regular fire inspections to lessen the likelihood of fires and the associated amount of damage.

Two highly impactful advances occurred:

1. The evolution and enforcement of compliance with building standards. Identifying and encouraging practices that diminished risk and lowered the probability of fires enabled insurers to become profitable enterprises stable enough to be trusted by customers. That resulted in a vibrant industry able to motivate improvements in building practices that mitigated risk.
2. The regular gathering and analysis of data about the level of risk involved. “On the first of May, 1856, William H. Martin, a civil engineer, was employed by the Aetna to make maps of important points where the company was transacting business” that would enable “the manager in the office to know quite accurately about the character of the risk he is to pass upon. The amount which the company has in any block is marked on the map, so that at a glance, it is possible for the company to decide whether it desires to increase its holdings.”

Underwriters wrestling with setting rates for cyber-related policies find it daunting. Lacking universally applied standards for cyber risk mitigation, it is very challenging to gauge the relative danger that one company faces versus another.  The lack of data across a broad range of companies about compliance with accepted best practices for internal defensive measures precludes having a basis for making well-founded underwriting decisions.

We need a Cyber Independence Day! How can we muster the national will to increase the nation’s overall level of cyber security readiness? Who are the key players in such an effort?

Ben Beeson and I reviewed a recent SANS/Advisen survey in “Who’ll Be the Gap Closer in Cyber Insurance.  This insightful survey identified four “conceptual gaps that often make it difficult for members of the cyber security and cyber insurance communities to find a common basis on which to develop reasonable standards of security and insurability.” We concluded that, of all the key players dealing with cyber risk, brokers are in the best position to lead the charge toward needed changes.

What resources can brokers leverage to achieve success?

Data Aggregators

A key step in the evolution of the fire insurance industry was capturing data to determine which construction practices reduced risk. Discussions about cyber breach data sharing occur most frequently in legislative bodies. Although some government agencies are in a position to gather data from multiple sources, private companies and individuals raise issues of trust that have kept initiatives from moving forward. An industry body composed of independent groups could successfully aggregate data on breaches and their causes. (Advisen maintains the most comprehensive data we’ve seen to date.)

Compliance Frameworks

As more was understood about sources of fire risk, building codes were developed and building inspections became common. The cyber risk equivalent of building codes is the key cyber risk frameworks developed by experts at NIST, ISO, HIPAA, FFIEC, PCI, ISO, and others. Automating the collection and aggregation of cyber risk data drawn from these frameworks is critical to making significant advances in mitigating risk.

Underwriters/Insurers

C. Oviatt’s description of the expanded vision that evolved with fire insurance groups points to needed changes in the cyber insurance industry. “These men soon realized that the sole business of fire insurance was not simply to pay losses. The evolution has naturally been gradual up to the point where the skilled and capable underwriter recognizes that his business, being a part of public progress, should subserve the public interest best by preventing fires. Therefore, he has made concessions in rates for the men who will take the extra precautions in the line of building and fire prevention. His horizon has broadened and he sees that fire fighting and construction are closely related in the prosperity of his business.”

Summary

Oviatt concluded by saying that “it should be noticed here that fire insurance had been going through an evolution, and step by step, the scope had become broader and better calculated to assist the business development of the country.” The economic impact of mitigating cyber risk will be immense, and it will ultimately free up dollars that can be invested in growing new businesses and jobs.

We’ve attacked this piecemeal long enough. Let’s nuke ‘em. Let’s declare Cyber Independence Day!