CyberWire Daily - Quantifying Cyber Risk [Special Editions]

Episode Date: July 19, 2016

Cyber security comes down to risk management, and it’s hard to manage what can’t be measured. How can cyber risk be credibly quantified and communicated? We’ll talk to companies developing technology solutions aimed at quantifying cyber risk and hear from insurance experts and other industry stakeholders grappling with this important new challenge facing businesses today.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Quantifying cyber risk. What is it? The concept has its home in financial analysis and portfolio theory, but it's become increasingly important to cybersecurity, particularly as business leaders come to understand cybersecurity as an exercise in risk management.
Starting point is 00:00:57 Quantifying cyber risk has three components: vulnerabilities, assets, and adversaries or threats. When you know the value of your risk, you understand your potential losses over a given period of time. We spoke with experts in the security, insurance, and legal sectors about quantifying cyber risk, how you determine it, what you do with it, and why it matters. It's still a major challenge. Ben Beeson leads the cyber risk practice at Lockton Companies, the world's largest privately held insurance brokerage.
Starting point is 00:01:48 You know, we in the insurance industry are certainly banging our heads together to try to solve this problem, both on the broker side where I sit, really trying to help clients understand how best to quantify the risk. And equally with insurance companies, the other side of that coin is how best to price the risk. It's a problem any time there is a new risk and a new insurance coverage. Eric Nordman is Director of Regulatory Services at NAIC, the National Association of Insurance Commissioners. The first person that wrote an auto insurance policy back in the late 1800s had to guess what the price was going to be because they had no experience.
Starting point is 00:02:32 They've gotten very precise over time. The first person that ventured out and wrote a cybersecurity contract had the same experience, had no data really to go on. So they're going to take their best guess, develop a price for the business, and then over time, as more and more of these contracts are sold, they will gain loss experience that will inform future pricing. 300 years, particularly if you look at where I came out of in London and the Lloyds of London market and where it started, and that's 300 years ago, you know, has typically modeled risk on historical data. But how effective can that be moving forwards in a risk environment such as the cyber domain where things don't stand still? So what I think is going to happen and where the answers increasingly are going to come from is from the technology world.
Starting point is 00:03:27 It's from stakeholders who have tools and technologies to help solve this problem. And I think we're already starting to see real evidence of that. Today, the insurance industry very rarely actually uses cyber data to figure out what the price should be. Julian Waits is the CEO of PivotPoint Risk Analytics, one of a number of companies who are trying to tackle the problem of quantifying cyber risk. In the interest of disclosure, we should say that PivotPoint
Starting point is 00:03:52 was spun off from the same parent company as the CyberWire. They use catastrophe models, hurricanes, tornadoes, earthquakes. Those are all things that are governed and controlled by nature. The problem with cyber is it's governed by human nature, human behavior, criminal behavior specifically, because any type of cyber attack there is, there's always a human behind it somewhere. It's dynamic. This risk does not stand still. And it's a focus that we in the insurance industry, we've really been focused on one aspect of it, and that is the liability to companies from handling people's personal data.
Starting point is 00:04:31 PII, you know, the acronym, personally identifiable information, or protective health care information. An average mid-sized company or a small company may not even understand what its legal obligations are. Howard Feldman is a partner at the Baltimore office of the law firm Whiteford Taylor in Preston. And that there are state laws, for example, that require companies to have data security in place. And so the starting point is to help a client understand what their legal obligations are when it comes to data security. And also to make sure companies understand that beyond their legal obligations are when it comes to data security and also to make sure companies understand that beyond their legal obligations they may be
Starting point is 00:05:10 undertaking obligations that the law doesn't prescribe but they may be undertaking in contractual agreements with vendors or other parties but if you start to look at other corporate assets and the one that really stands out that is uninsurable today is intellectual property. The insurance industry and underwriters have a very tough time understanding how to quantify that risk. So ultimately right now, if your IP or trade secrets are stolen or hacked and they're stolen, you can't insure that for that very reason. And then you move into other areas, other assets at risk,
Starting point is 00:05:47 and ones that you may not have thought would be at risk until relatively recently. And really I'm talking about, under the banner of the Internet of Things, how physical assets are becoming at risk. And you put that into the context of oil and gas, certain critical infrastructure industries where it might be more acute, utilities. You think about healthcare with medical devices being connected. Those types of risks are leading to consequences, lost consequences that are now not just about liability, not liability driven, but more what we call first party driven,
Starting point is 00:06:26 and issues of property damage, business interruption, and bodily injury. And it is so new right now that there is no actuarial data to quantify that type of risk. And so what you have now is a lot of ambiguity, particularly within the insurance industry, as to whether those types of risks are covered or not. An issue has been the disconnect between IT teams protecting the assets and boardrooms. I don't think that there was a clear understanding of how real it was and that there were true business implications. Emily Mossberg is a principal on Deloitte's Cyber Risk Services leadership team. I think that it was viewed as an IT problem, isolated to the protection of the IT systems,
Starting point is 00:07:18 and there wasn't the connection between, well, what do those IT systems support, and how can that impact the business? There are, whether we like it or not, some level of silos within every enterprise. And I think that it was very siloed as a technical problem. And it just wasn't being talked about with the people that own the revenue, that own the customers and clients. Not through anybody's fault. It just wasn't part of the everyday dialogue. If nothing else is achieved, it's to get management and technical staff to talk to each other because cybersecurity really is a team sport. And there are a lot of stakeholders in a company that need to be talking to each other
Starting point is 00:08:03 to make sure a company is adequately secure. And that could be the accounting department, human resources, marketing, as well as IT staff. Because IT staff needs to understand why is it important for marketing to be holding this kind of data. Do we really need 20 years of financial data stored in our system? Or do we need 20 years of consumer data and credit card information stored in our system? And so rather than operating in silos, those stakeholders in a company need to be talking to each other to translate to each other what their needs are and what the company's needs are. Until, let's say, very recently, organizations viewed cyber risk management as sort of a
Starting point is 00:08:52 necessary evil. Jack Jones is the originator of the risk management framework known as Factor Analysis of Information Risk, or FAIR, and he's in charge of research and development at RiskLens, a provider of cyber risk management software. The auditors say we have to do it, or the regulators say we have to do it, and we will do the minimum possible. That presented a number of challenges. You know, if that is sort of management perspective, then they don't tend to take it seriously, unless it's on fire. And so therefore, the professionals in our industry would tend to, in order to get any attention or any love at all,
Starting point is 00:09:32 they would tend to portray things on fire whether they were or not. The awareness in the boardroom is certainly there today, whereas it wasn't two and a half years ago. And I think it's around the time of Target onwards that you start to see why that has happened, and that boardroom executives could be held accountable. And there's nothing like understanding that you personally could be held accountable to drive your focus. But then the next question is, well, how do I get an understanding of this problem? There's been a challenge since the dawn of this issue around what is the return on investment in cybersecurity and in mitigating your cyber risk. And there's been a ton of work around, well, how do we quantify that return on investment?
Starting point is 00:10:26 And that's part of the reason why we have looked to change the game a little bit in terms of how you quantify this issue, to instead focus on, if there is an incident and there is a particular scenario that plays out, what would the overall value impact be? My background comes from systems management. And when I was in systems management, we did something called business continuity management. And the whole concept was, if we were to lose the business due to some form of natural disaster, no matter what, we would get the core business items that were needed to run the business up and running as quickly as possible. Cyber hasn't done that. It's run behind the rest of the IT industry. And it's also what's most important. So it has to start with a business impact analysis.
Starting point is 00:11:08 If I'm a retailer and I have a POS system that uses payment card information, well, that system is going to be pretty important to my ability to do business, or if it's not there, I can't do business. So it should rank really high, not just on business continuity, but also from the standpoint of how I spend my cyber dollars. If I know my risk, my business is most exposed, if I lose that, well, gee, I probably should protect it better than maybe some other systems in my environment that aren't crucial to how I run my business every day. And let's look at that scenario and say, okay, what would happen if we had an attack that looked like this? How could that play out? And is our program structured to minimize the potential of that kind of an incident?
Starting point is 00:11:58 And is it also structured in a way that we would recognize if that kind of an incident was occurring? And is it structured in a way that, if it were happening, we would be able to respond as quickly as possible and minimize the potential impact? And that's sort of the way the dialogue I've seen shift in the organizations where we're seeing the most success in terms of the communication and the dialogue with the executive management and the board. If you're in the boardroom or you're in the executive team and you think more in financial terms in particular and risk to the business, how do you get that type of information?
Starting point is 00:12:37 And we're seeing a lot of companies struggle with that at the moment. But we're also seeing the major stakeholder within the organization who's not used to speaking in financial terms, which is the IT department, start to understand that they've got to make that happen. We all use the word risk. If you talk to senior executives and corporations and board members, risk to them generally backs into some financial number. If you talk to IT people, specifically security people in the cyber realm, it backs into stuff like it could be material or not material. It's a high, medium, low risk, but it really doesn't translate to,
Starting point is 00:13:16 and it could cost us $1.2 million on an annualized basis. There is a huge gap between the two when it comes to that. It is very common for me to go into an organization and look at their portfolio of quote-unquote high-risk issues, and when I start probing and asking them to defend those high-risk ratings 70 to 90 percent of the time, depending on their organization, they can't stand behind those high-risk ratings. They end up changing them because the issues don't represent high risk. And so when you think about organizations trying to prioritize and focus on the stuff that matters most, especially when we have a very active and evolving threat landscape,
Starting point is 00:14:00 and when you think of organizations where perhaps 90% of the quote-unquote high-risk issues aren't, those organizations have put themselves in a deep, dark hole from a risk management perspective. A board cannot ignore the fact that they need to invest in protecting the organization. But it's an approach now that must be different, right, from perhaps two or three years ago. It can't be just a sort of blind approach, just investing as much as you can in every tool that you can find. You actually have to think now strategically, what are the assets that I want to protect? Okay, let's identify those first. What are the crown jewels that they say? And then it's about, I'm trying to understand by focusing on that, because, you know, you're
Starting point is 00:14:48 aligning then security with the business strategy. Well, how much should I invest in? And that's the hard question, right? And what's the ROI that I'm going to get on that, of course? And that's, you know, of course, again, where companies like Risk Lens and Pivot Point are starting to emerge to help answer those types of questions. To date, the conversation around cyber risk and security has been very technical in nature. It's been focused a lot on the vulnerabilities and the threats associated with cyber risk.
Starting point is 00:15:21 What we haven't done a good job of to date is talking about the impacts. And the risk equation is the threats, the vulnerabilities, and the impacts. And in order to get to a place where everybody's speaking the same language, we have to start to talk more about the business impacts of cyber risk. And that doesn't mean we aren't also talking about the threats and vulnerabilities, but it really shifts the conversations to if those threats are able to exploit those vulnerabilities, what does that mean to the business? And when you can get to the conversation around what does that mean to the business, then there'll be the same language being spoken between those in leadership at the executive and board level and those that own the cyber risk program within the enterprise. So saying, you know, here's how much loss exposure we had, you know, six months ago or nine months ago or whatever the case might be.
Starting point is 00:16:45 And because of these investments and these projects, such changes that we've made to our risk landscape, we have this much less risk, this much less loss exposure. You know, that is much easier and more meaningful to express. Again, you're talking in dollars and cents rather than, when you're saying, well, we were red and now we're either less red or we're kind of, yeah, moving towards the... alone this dialogue in opening this up and saying, hey, we think there's these other cost factors, these other value impacts that need to be explored. You know, it's not about fear mongering and saying, hey, this is a bigger problem than anyone even knows. I think there's plenty of fear around information security and cyber risk.
Starting point is 00:17:17 This is more about our organizations prioritizing their efforts, their programs, their remediation in the right places? And if they took a broader look at this, and if they took a more scenario-focused approach, understanding the overall potential business impacts, might they make different choices in terms of what they prioritize? Might they focus their efforts, their time, the money that they are going to spend in different ways in order to protect those things that ultimately may lead to the biggest business loss versus those things that might be more obvious? According to both Jack Jones and Julian Waits, many companies make the mistake of using what's sometimes called a checklist approach, comparing their cyber defense posture against regulatory standards like NIST.
Starting point is 00:18:12 One of the biggest challenges any organization faces is prioritization. And checklists cannot, they cannot help you prioritize in any real sense. I mean, other than saying, well, these things we check yes and these things we check no, they can't take you any farther than that. The checklist approach is so superficial and so rudimentary that for all practical purposes, in my view, given the risk landscape that organizations have to deal with these days, they lose the battle. Should you be auditing yourself against best practices? Should you have that in your cyber
Starting point is 00:18:50 hygiene? Absolutely. But it still ends up in, gee, if we're compliant with NIST CSF, well, we think the probability of a breach is much lower than if we hadn't done it. Take that same concept now. Instead of doing a gap analysis against NIST, you're doing a gap analysis against your financial exposure using NIST as a tool to do that. That's what CYVAR does for you. So you're still following the NIST framework, but now those NIST controls are being ranked against what are the things that are most financially vulnerable or expose us to most in the market, and we use NIST to fill in those gaps. So now you're doing a gap analysis against your financial exposure
Starting point is 00:19:30 using NIST as a tool to fill in those gaps. Cybersecurity is not about checking the boxes and putting a written information security policy, getting it typed up and putting it in a binder or in a file. It's a constant evolving process of making sure that what you have in place is sufficient. And so what you have today may have to be looked at again in six months or in a year to make sure that the safeguards you have in place are adequate. Speaking of regulatory issues, Eric Nordman from the NAIC believes insurance companies will play a role in guiding companies toward better cybersecurity practices. Many of the safety devices that we have on our vehicles today, seatbelts is a great example of them. It was the insurance industry that pushed the mandatory application of seatbelts by auto manufacturers as a safety
Starting point is 00:20:28 device. The anti-locking brakes is another. I would expect that we're going to see the same sort of thing with cybersecurity standards of care, largely because the insurers don't simply want to just go out and write a cybersecurity insurance contract covering a host of risks without knowing whether the business has taken steps to actively protect and guard against these incursions. So if during the underwriting process the insurers that are writing a lot of this coverage will have cybersecurity experts that are going to go visit with the business, see what kind of things they do to protect their data, and will make a judgment about whether they're doing enough. they're doing enough. And if the business decides they don't want to improve, then the price of the cybersecurity contract would go up or may become even unaffordable for them if they refuse to take steps that the insurance company reps are going to recommend. Ben Beeson agrees. At the moment,
Starting point is 00:21:38 it's been a bit more stick than carrot and almost a pass-fail exercise. So in certain sectors, for example, if you're not doing things like encrypting data end-to-end or using alternative control like tokenization, if you have a lot of payment card data, for example, you might not even get insured. But I think what's starting to happen, I think this will accelerate as more of these tech firms emerge, is you're going to see more incentives. And it may not just be a case of just clear-cut dropping the premium. It also may evolve as you're starting to see with telematics and auto insurance, for example, and what happens there. Take a black box in your car and we'll reward you for good driving through a
Starting point is 00:22:26 discounted policy so there is the incentive to do that will and I can see that type of approach emerging for cyber as well now I'm not saying that insurers are going to want to monitor a company's network or have a detection tool that they will put on there but they certainly might reward you for using those types of tools. And I do think that we're very close to that. On the product side of things, companies like Risk Lens and Pivot Point use sophisticated mathematical modeling to help determine risk and uncertainty. Julian Waits explains Pivot Point's approach.
Starting point is 00:23:00 We do this thing called attack modeling, where we create a virtual model of someone's network once we get that information. And then we do our own virtualized pen testing against that network. Every time we're successful with that, we average it in a simulation of scenarios that are run through a Monte Carlo method. It's a very sophisticated way of rolling the dice. So with CyVaR, because of that, we on average do a half a million to a million scenarios for each customer environment that we're modeling because we want to make sure that we're highly accurate in what we do. And we think it takes that many samples before you can begin to
Starting point is 00:23:36 predict something with some accuracy, especially when you're looking out into the future. We're constantly ingesting information from the industry. We have partners that we license straight intel data from. We have data that we generate on our own. And then we have breach data as it relates to financial impact across industries and then specific impact. And then what we do is we benchmark that data against a specific customer's environment. So then we're averaging them, we're looking at them as a relative number against what's going on in the industry. All of our experts agree that organizations have to be willing to adapt and to be agile in such a rapidly evolving threat environment. Here's Deloitte's Emily Mossberg. I think that organizations really need to spend more energy and more time on data governance. And what I mean by that is,
Starting point is 00:24:28 in many cases, a true understanding of an organization's data assets does not exist. There is no overarching enterprise data inventory, and there isn't a strong data classification system in place in order to allow and support the rollout of a prioritized risk-based cyber risk program. And so I think that there needs to be a movement towards this concept of data governance and ownership. Like it's a real true transformation of ownership of the risk, not just within an organization in IT, but across the enterprise. And the people in the business that own the data, that have collected the data or created the data or the information need to understand that a cost of doing business is the protection of that information. Because ultimately, if that data, if that information is compromised through loss,
Starting point is 00:25:38 through integrity degradation, through pure theft, the value to their business is going to decrease. Well, first and foremost, do not view cyber insurance as a replacement for mitigation or poor controls. It's not an either or, as unfortunately still seems to be the perception by too many companies. You know, it complements what you should already be doing to mitigate risk to those identified critical assets that will be different, but, you know, to each organization, depending on who you are. So that, I think, is the number one thing to think about. And equally, you should also go into considering cyber insurance with your eyes open.
Starting point is 00:26:31 Again, this is not a commodity. This is only a marketplace that is 16 or 17 years old. It is a PII-focused product today. It can address other areas. It cannot address all areas of your risk, depending on who you are. So it's important to understand what role or what cyber insurance can and cannot cover when you consider it. While you can always throw more money at cybersecurity, what you have to assess is are we taking reasonable steps given the nature of the data we have and the size of the
Starting point is 00:27:11 business involved to protect the data that we have. The most common mistake I see is of management is for management not to ask the hard questions and not even to know what questions to ask. What are our policies and procedures? When have they last been updated? What technical safeguards are in place? How do we know they're adequate? A board member, for example, may not even understand how they're adequate, but what have you done to confirm they're adequate? Have they been updated? Because technology is changing every day. And so the antivirus software that was installed five years ago, if it hasn't been updated, is probably not adequate to protect against present day threats. We have to hold ourselves to a higher standard in terms of how we rate risk. I mean, if you're
Starting point is 00:28:01 going to measure risk, you can't put people in a position of measuring that who see the world as black and white. They have to be critical thinkers. They have to be able to deal with uncertainty. But when you have people who don't have those characteristics, wave their wet fingers in the air, you proclaim something that's high risk, medium risk, low risk, that sort of thing, and nobody ever pushes back and really digs into why do you think that's high risk, that puts us in a very bad place in terms of prioritizing and having even a remote chance of managing risk cost-effectively.
Starting point is 00:28:34 There are tons of well-accepted methods for doing security management today and managing from a cyber perspective. And again, the whole concept is how do we change the paradigm to focus people, organization, executives, all on the same measure? And the measure should be financial exposure, not just what our security posture, our compliance posture is.
Starting point is 00:29:00 Our thanks to Emily Mossberg, Ben Beeson, Eric Nordman, Howard Feldman, Julian Waits, and Jack Jones for sharing their views on quantifying cyber risk. We thank you for listening and hope you'll help spread the word by sharing this show with your co-workers and on social media. It's one of the easiest ways you can help support The Cyber Wire, and we do appreciate it. You can find links to all of our shows and subscribe to our daily podcast and daily news brief on our website, thecyberwire.com. The Cyber Wire is produced by Pratt Street Media. Our editor is John Petrick.
Starting point is 00:29:30 Our social media editor is Jennifer Ivan. Technical editor is Chris Russell. Executive editor is Peter Kilby. And I'm Dave Bittner. Thanks for listening.
