Improving cybersecurity: national cyber breach law or better business insurance?

Recently, a colleague of mine sent me a link to a video of a panel interview with Richard Clarke and retired General Michael Hayden. Richard Clarke is a former White House Cybersecurity Advisor and Michael Hayden is the former Director of both the CIA and NSA.

The first part of this interview, moderated by the Washington Post, was focusing on aspects of using cyber not as an instrument of attack, but as information warfare. Before the topic went too far down the path of “RUSSIA, RUSSIA, RUSSIA,” the Equifax breach became the main talking point.  As many of you know, Equifax sustained a breach this year. Millions of Americans as well as Europeans and Canadians were impacted by this event. So to quickly recap:

• A vulnerability was discovered and a patch made available
• Patch not applied and a breach occurred
• Numerous flaws in how this issue was addressed once identified
• Questionable actions by C-Suite on selling shares of stock before share prices plunged about 35 percent in the wake of the public disclosure
• CEO forced out
• CEO forced to come to Capitol Hill to be skewered by Congressmen and Women
• New talks on a national breach notification standard instead of the current model where 48 states have their own unique requirements

During this interview, the notion of a national standard was broached by the former CIA and NSA Director and was followed by Richard Clark echoing the need but that the minimum requirements should be  “no less”  than that of California’s current law. There was a reference to a former attempt by the Department of Commerce to intercede, which never materialized. Here is where the discussion becomes more pointed.  Richard Clarke stated, “…companies like Equifax will continue to screw up until there is a penalty for doing so…”

As a business owner myself, I really have no desire to have more regulations in place that govern my ability to provide value to our clients; However, business owners rarely act unless consequences are going to impact their bottom line. Mr. Clarke is spot on in his assertion. He further describes a notion if the offending party is charged by the record lost, that type of sanction would have a profound impact and improve organizational aptitude in addressing cyber risk. 

There was an analogy about cyber risk made to the oil industry and specifically what happened after the Exxon Valdez tragedy. Mr. Hayden described the scenario where oil companies began to look for insurance and the subsequent requirements to even obtain insurance. Because the U.S. Government imposed a clearly defined metric that was actionable and repeatable (how many barrels of oil are lost) for sanctions and penalties, the insurance carriers had better data to quantify the risk of an oil spill. 

This very closely aligns with what the market needs for cyber today but is it ready? We first have to examine what is the issue we are looking to address when it comes to insuring cyber. 

• Are we talking about incident response costs to a cyber incident that impacts system operations by disruption or destruction?
• Are we talking about the inadvertent disclosure of sensitive information like Personally Identifiable Information (PII) – including healthcare data or potentially Controlled Unclassified Information (CUI) or;
• Combination of both?

In a recent webinar by GENEDGE, there was a topic of knowing who you adversaries are and without this knowledge, making informed decisions on cyber risk is not likely to occur. This is a factor that the insurance sector does not evaluate. Specifically, there is not a question to date that asks if the applicant’s risk assessment defined who its adversaries are in the cyber realm.

While asking such a question may have little implication in determining lines of coverage or premium decisions, this does tie back to the need for the insurance sector to vastly improve how it assesses cyber risk of applicants and tying potential penalties into the cost calculation. I have heard from many brokers and carriers, “We already do that.”  When pressed as to how they do that (e.g. determine how many states the applicant does business in, do they hold European PII under GDPR, does the applicant hold CUI, etc.). Other than a very limited scope to Credit Card and Healthcare data, applications are in dire need of aligning with today’s cyber threat landscape and how this landscape translates to business risk (i.e. translating cyber threats into business risk and identifying mechanisms to lower the total cost of ownership in the face of a cyber incident).

So while Mr. Hayden and Mr. Clarke make excellent points, until the insurance sector adopts more stringent requirements to obtain a policy, these topics are merely academic discussions.

If a national standard or requirement is enacted, what would that look like? Mr. Clarke references the State of California as a minimum baseline. If the United States enacted such a law, who would enforce it, The Department of Commerce? What about the Federal Trade Commission (FTC)? If FTC, how would they enforce/police it? How would it differ than their current enforcement actions under Unfair and Deceptive Business Practices when cyber is at hand? How many people would have to be hired to conduct audits and at what costs?

Some stakeholders are discussing a GDPR-like rule here in the United States. If we cannot get Congress to agree on taxes and healthcare, what is the likelihood they can ratify a national requirement on cyber?  

I am attending the National Association of Insurance Commissioners (NAIC) Cyber Working Group Forum in California this week where Mr. Clarke is a featured speaker. I greatly look forward to learning more about the insurance industry addresses concerns about the Equifax breach and perceived implications of GDPR. As I learn more, the Cyber Insurance Forum will highlight all relevant takeaways from this event.