
by CSO Staff

Someone to Watch Over You: Dan Geer on Cyberinsurance

May 01, 2003
Data and Information Security

Q: Before I buy infosecurity malpractice insurance and presumably pay pricey premiums, I’d like to know that someone’s done a credible job of defining a standard for what constitutes malpractice. Has that been done? And by whom?

A: Malpractice insurance would assume that we know what malpractice is, and we simply do not—although the next-to-last draft of the National Strategy to Secure Cyberspace did invite the licensure of security professionals. Absent licensure, there is no gating competence standard for security professionals. The only other standard would be a code of ethics and a professional body to hold the stone tablets on which they were writ. We don’t have that either. Hence the claim that we do not know what malpractice is, at least not in the way more venerable professions do.

What we do have is liability insurance, such as Directors and Officers (D&O) insurance and Errors and Omissions (E&O) insurance. A sole practitioner really does need some sort of protection from professional liability, as does a consultancy, both probably more in the form of E&O. There is not yet an established sense of what constitutes good security professional work, however, and it will be hard to define. The competence standard will get defined, whether or not the recommendations for licensure fall out of the National Strategy (as they did under lobbying pressure).

In the case of D&O, policies do differ, but it is very difficult to know what you have to work with. For example, a leading market underwriter has a war exclusion in its policy. The underwriter classifies terrorism as invoking war and further classifies hackers as terrorists. Where such a classification scheme is in place, it is hard to imagine collecting insurance money for the impact of an attack from the Internet, assuming you define malpractice as equivalent to a D&O liability. To carry that a bit further, the same insurance carrier voids its business continuity coverage of “failure to patch” and in turn voids its D&O coverage where the covered party “fails to maintain insurance.” In short, malpractice is about character. The business decisions are about who can sue whom and for what.

Q: How do you think 9/11 has affected cybersecurity initiatives? What course will the cybersecurity market take going forward?

A: Disaster preparedness has been affected most since 9/11. Before that day, the press and public would say that a cyberattack proved that the victim was asking for it. After 9/11, the press and public grasp that there are bad people in the world and that perhaps the victim was not asking for it. Companies must pay attention to their forensic abilities, which require planning for forensic data collection before an attack, if they want to pursue attackers. No doubt there will come a time when incident response will be part of the mandatory professional skill set of security professionals and therefore its absence would be a malpractice marker.

Malpractice insurance, per se, does not have a logical basis, but liability risk won’t wait until it does.

Q: Who is responsible when a physical security breach occurs?

A: This is a best practices sort of question, and I hope you don’t have to figure out who is responsible at the time of the breach. As such, physical security is properly the province of those who maintain the building in question. These include the people who own the building, those responsible for the survivability of its systems, and those to whom deficiencies from inspection reports fall for correction. If data is at risk—for example, if a company’s security posture depends on a physical boundary around the electronic asset—then of course facilities and data people have to work together.

The place to start working is around incident handling—something everyone needs to plan for and few do anyhow. If for no other reason, do it because the result of making such a plan is valuable (not having to choose between operational recovery and evidence preservation) and so is the byproduct (common understanding around the actual requirements for integrity, continuity and auditability). Speaking to the CSO, if a single building failure takes you out of business, you are either the leader of a small company or you are insufficiently paranoid. Both can be fixed.