Here Come the Accountants — The Codification of Cyber Risk
This article by Chip Block was originally published by Property Casualty 360 on Jan 19, 2016
Headline writers and producers of “Shark Tank” want us to believe that all new products and ideas come from rising stars and Silicon Valley grads.
While many deserve the attention, we must also look to the explosion of new products, services and capabilities resulting from innovations emerging from disciplines such as marketing, accounting or finance. A compelling product that has risen out of corporate America is the entrée of the insurance industry as a major player in the development and deployment of cyber technology.
Increasing threats of cyber attacks and cyber extortion demand the need for a product or service to protect and mitigate. The pressure is mounting on C-level technology officers (CTOs, CIOs and or CISOs) — especially since to most CEOs, cyber and cyber security are ethereal concepts involving unknown threats trying to steal unknown assets that can cause unknown damage.
How will corporate America address cyber risk?
It falls in the same line of protection as risk has for generations: insurance.
Like a natural disaster, a company cannot completely avoid a cyber attack, the next best option is to mitigate the impact of an attack. Because the range of impact from cyber attacks can be as minor as a picture of an employee doing something embarrassing to as critical as the total draining of the corporate bank accounts, there is no way to effectively prepare for all outcomes. The insurance model, therefore, fits the cyber security challenge very well — and corporate America creates its new product: Cyber insurance.
As Cyber insurance becomes a common element across the business landscape, accountants and actuaries will define the risks and assign financial value to these risks, otherwise known as codification.
This activity is much like how an insurance company determines how much the risk of a weather disaster is to a region of a country, the value of personal property, the likely cost of medical expenses and even estimating the cost of death. With cyber security, first a business risk calculation will be performed, then risks will be identified, plus there will be a review of enterprise monitoring, and finally determining regulatory compliance.
As the insurance industry codifies cyber risks, they will also assign pricing based on these risks and those activities that mitigate risks. No longer will C-level executives be faced with the ethereal concepts. Costs and expenditures will be defined in monthly premiums, deductibles and other familiar elements of insurance.
Along with the codification process, technology and the accompanying sales process for products will align with these codified insurance elements. In other words, the market will move to the insurance company’s direction.
Technology follows money
For those that think the codification of cyber threats is years away, think again.
In 2014, the Chief Risk Officer’s Forum released a report titled “Cyber resilience – The cyber risk challenge and the role of insurance.” The CRO Forum is a discussion group attended by chief risk officers of major European insurance companies. The report breaks the Cyber market into risk areas and provides a summary statement of what would be covered under each area: business interruption, restoration costs, regulatory defense costs, security and privacy, cyber extortion, intellectual property, data breach and crisis management.
New Cyber products and services are already hitting the market. For example, RiskLens, a software company out of Spokane, Wash., has released a product called Cyber Risk Quantification that provides a quantifiable risk assessment of a business. The tool uses the Factor Analysis of Information Risk industry standard risk model to calculate the quantifiable cost of areas such as business interruption, capital asset replacement, etc.
The insurance industry’s codification of risks will be incorporated into similar tools which will provide the quantifiable risks that companies can use to calculate what type, and how much, Cyber investment is needed for each area.
Carnegie Mellon Software Engineering Institute has developed a CERT Resilience Management Model that provides a maturity model of an organization’s cyber operations. Maturity modeling will allow insurers to assess a company’s cyber capabilities against the calculated financial risk.
Additionally, CISOs are being trained at places such as Carnegie Mellon to approach Cyber from a risk-based approach versus the formal, checklist-driven compliance methodology that has been employed in the past. This risk-based approach aligns with the objectives of the insurance industry.
The growth of the Internet of Things will involve insurance companies in the day-to-day cyber operations of everything from medical devices to home security. (Photo: Thinkstock)
Fear, uncertainty and doubt ... the Cyber sales model
The current sales model for Cyber products and services is to strike fear into senior executives to make a purchase or upgrade to avoid a could-be disaster of a cyber event. This sales model can only last for a limited amount of time. As the insurance industry codifies the market, sales and products will turn to a more quantitative approach.
Currently, the fear model makes it difficult to determine how much to spend on a product to protect an indeterminate risk. As risks and threats are quantified, determining if a large scale, enterprise security solution is needed or a localized, endpoint protection fits the bill will become evident. To quote a CISO from Texas, “you don’t put a $100 fence around a $10 horse.”
Expansion of risk with the Internet of Things
The insurance trend mentioned above is based on the current information environment where the loss to a company is primarily in business interruption, personal/financial data release, reputation attacks and similar events.
This will change rapidly as the Internet of Things becomes part of our daily lives. From driverless cars to the control of critical facility systems such as heating and security, the risks jump from the information domain to the physical domain. Risks then include the loss and damage of property and the health and safety of people.
This increased risk will further involve insurance companies in the day-to-day cyber operations of everything from medical devices to home security. A cost of doing business will include protection from cyber attacks that could cause serious harm.
The legal costs
As the quantification of risk becomes more defined, so will the liability calculations. This again will drive technology.
Take, for example, the financial community. The Securities and Exchange Commission released a Risk Alert under the National Exam Program for the Office of Compliance Inspections and Examinations Cybersecurity Initiative. This document describes areas where the OCIE could evaluate companies under the SEC auspices.
A logical legal defense against a hack of a securities company would be that companies that followed this guideline followed commercially reasonable efforts for protecting their environment. Companies will buy technologies that provide the regular reporting requirements to meet this SEC standard.
There will be a growth in technologies that support legal actions from breach notification, from e- discovery to forensics tools that can be used to defend or prosecute companies that have had a breach.
Furthermore, the interpretation of attacks will become a critical item. For example, many insurance policies do not cover “terrorism or acts of war.” If the government says that a cyber-attack could be the action of a foreign state, this could affect the recovery of insurance claims. The combination of the insurance and legal factions into the cyber marketplace will dramatically change the lexicon of how cyber attacks are described and attributed.
Chip Block is vice president of cyber security and infrastructure services company Evolver Inc. Contact him at firstname.lastname@example.org.
Learn more about codifying cyber risk in financial terms.