The severe moral and ethical failure of the insurance sector, when it comes to cyber security, must be understood in the context of the greater economic issues that it has created. Insurance is a very important foundation of risk management in the private sector. It’s well known that, in the absence of loss control and underwriting standards, insurance can become a subsidy for bad behavior. This is a classic moral hazard, which is made worse by the fact that cyber insurance underwriters have standardized the payment of ransom, endangering all of society and creating massive economic problems.
But there is actually more to it than that. Because of the affirmative disconnection by insurance leaders, who are hell bent on not discussing this sore subject, we have seen a massive divestiture of the safety systems we need to keep society running smoothly. Insurance, as an economic force, is supposed to provide some necessary services and incentives, which it currently does not.
Unfortunately, I can say with 100% confidence that until the insurance sector gets its act together and starts making money, rather than losing it, we simply will be unable to make substantive progress in cyber security. Effectively, insurance underwriters have broken all economic incentives toward having better cyber security. This is not a minor thing. It’s exactly why we have the problems we do.
A good example is technical approvals. Without independent authorities to test and approve individual technologies, it’s impossible to fully enforce good standards. This is vital, and the absence of technical-level approvals for products and processes is an unresolvable problem. At present, every organization is left to its own devices to develop its own standards and nothing can truly be mandated.
So why do they do this, when it loses them money? It seems to be a stubborn refusal to spend on cyber controls, because the geriatric idiots who run these pathetic companies are convinced that it’s too new-fangled to bother with. Also, if they decided to stop losing billions, it might cost them hundreds of thousands of dollars. Yes, of course, it’s stupid. It’s a classic case of intimidation by a seemingly new risk, a desire to save face and a fear of anyone finding out how badly you’ve been doing at your job.
You see a lot of that in cyber security. Cyber security professionals are pretty used to walking into a client who has just made some terrible mistakes and needs some help getting their reputation back together. We see that more than almost any other area, and we are very empathetic to it. The fact that insurance companies have made such an extraordinary effort to exclude legitimate subject matter experts should tell you something.
One thing that should be kept in mind is that the insurance sector in general has absolutely lost its way. That goes far beyond cyber security. Insurance has been taken over by purely financial people, who have no idea at all how risk management works and are absolutely opposed to spending any time on loss control or risk analysis. It’s sad, because the loss of the ethical compass of the insurance sector has caused far greater problems. It’s why car fatalities have gone up and why nobody is pushing for better fire protection for California.
In case anyone has missed this: it would be substantially cheaper to pay for loss control than to continue to pay out losses, and it would boost profits significantly to rein in these losses.
The depravity of cyber underwriters, their extreme level of greed and their cowardly refusal to ever engage with a single person who understands the risk really underline just how immoral and truly unethical these people are. They are not only hurting their companies, but endangering the very communities they live in. They’ve thrown their country, their investors and their policyholders all under the bus.
In future posts, there will be a greater deconstruction of the terrible history of cyber insurance and how it has caused all these problems for society. The history is well understood. AIG started selling cyber insurance in 1999, without any qualifications. They were warned about this, but it was cheaper not to bother. The addiction to a quick profit, even at the cost of long-term losses, seems to be pervasive these days. That sent the industry down a very dangerous path. Today, not a single cyber insurance underwriter knows a thing about the actual field of cyber security. No, I’m not kidding.
There is truly no place for cowards in risk management.
Things We Need to Fix the Cyber Problem
(but do not have, because of the severe lack of insurance buy-in)
Lobbying for better security – This may seem like a minor thing, but the complete disconnect from insurance and its refusal to support cyber security means that there is a terrible imbalance in private sector efforts to lobby on the topic of cyber security, and this is largely why public policy has failed. Lobbying is a powerful force, especially when it is one-sided. Industry and tech have lobbied hard against more stringent cyber security standards. Because the insurance sector refuses to get involved, there is nobody lobbying for more comprehensive cyber security requirements.
Additionally, there are matters of collective public policy that need to be addressed: cyber security badly needs tort reform. As a nation, we need to reassess the use of the Social Security Number as a secure identifier. We need to establish some reasonable standards for accountability. Without insurance, absolutely nobody is willing to fight for this.
Incentives for Better Safety – For the most part, companies lack any strong incentives to improve security. This has always been the case, but the acuteness of the problem has only recently become apparent. In general, companies do not see benefits from enhanced security. Insurance companies are currently not capable of assessing the risks accurately or understanding the importance of certain risk controls. The market does not reward security in and of itself. Outside of the banking and credit card processing sector, there is almost no enforcement or auditing in the private sector. There is little in the public sector, as there are simply not enough government resources. The government is generally not flexible and responsive enough to police risks that change so rapidly and depend so heavily on current technology. In general, the market itself is unlikely to reward good risk management, except in narrow cases where the losses are severe and apparent enough to cause strong aversion.
Mandatory Security Controls – There are very few security controls of any kind that are truly mandatory. There are mandatory requirements in the banking and financial sector, and government contractors are, at least in theory, held to certain basic control baselines. That said, government requirements are based on voluntary reporting, and it’s not uncommon for contractors to still not meet their full compliance requirements. What is needed is a well-funded and fully committed effort to enforce good standards of compliance, which first requires establishing what those standards should be. Without insurance, this is unlikely to happen.
When working with clients on security projects at, for example, a Big 4 firm, there is almost never a time you can tell the client they are required to have a control in place. If a client wants to have the worst security in the world, then unless they are in the banking sector, with a few other minor exceptions, it is very rare that anyone can tell them “I’m sorry, but this control is mandatory and you have to have it in place.” That barely exists in cyber security.
Formal Approval of Technologies to Meet Standards – One of the most important roles of insurance is in providing an approval process for technologies to meet certain standards. It is one of the most lacking areas of cyber security, and it makes most cyber standards difficult or impossible to enforce. By necessity, regulations are vague and standards include requirements such as “Industry Standard Encryption” or “Durable Media.” But these terms do not tell organizations exactly which technology meets the requirement, leaving a great deal of subjectivity.
Technical approvals are required to make these standards specific and enforceable. At present, any certifications that a product does carry are largely based on the attestation of the manufacturer, and there’s little agreement as to which systems meet the standards for a given situation.
The only cyber technical approvals that exist are in the banking and financial sector, which does carefully test and audit technology. For other kinds of products, technical approval is typically paid for by the manufacturer and overseen by insurance organizations. The insurance sector has a long history of torture testing products and establishing their safety at places like Underwriters Laboratories, but this does not exist for cyber technologies, although the ability to do so is not overly complex and is well established.
Third Party Data Retention/Backup – The era of ransomware demands a different strategy for how data is protected against malicious deletion or encryption. To accomplish this best, organizations should have a trusted third party, located off site and with its own security procedures, retain backed-up copies of their data. This is an important loss control and it is something few companies get right. An insurer would be the best third party to make sure all data was carefully backed up, and data backups align well with the mission of insurance companies. However, none provide this service, and organizations need to figure out their own way with backup retention.
General Advocacy – There is extremely poor advocacy and public outreach on cyber security. There’s really no effort to have any kind of cheerleader for good cyber hygiene and the idea. Solid, results-driven cyber advice does not exist in the media. There’s been almost no public advocacy at all in favor of cyber security. In fact, much of the rhetoric from figures like Warren Buffett has resulted in divestiture and a general doubt that cyber security is even a thing that can be achieved. Of course, it’s not just Warren Buffett, and he should not be singled out. It’s simply an example of what kind of message the world is getting from the media and from the trusted public figures that businesses look to. The message is wrong, and it’s also very harmful. When you have CEOs and world-famous investors convincing people that an entire area of expertise is a sham and does not work, there is a huge uphill battle.
Good Standards for Training – Cyber training firms exist, but they tend to all use different standards, and the training available is rarely designed to address specific roles. With no solid accreditation and standards enforcement, it’s impossible to know if cyber training is any good or addresses a company’s needs. Simply requiring “a day of cyber awareness training” is not going to get the kind of results necessary. The curriculum must be specific, evidence-based and updated frequently.
Trusted Advisory for Businesses – It is clear that companies are confused about cyber security. They don’t know what products and services they should be using; they have no idea if they are getting good value; and they lack awareness of what risks they are even exposed to. Advisory firms like Deloitte, PwC and Accenture are an imperfect place to turn here, because these firms are primarily concerned with selling projects. Advisory firms have done a relatively poor job of providing high-level strategic cyber insights to leaders, and they are often a bit afraid to take a stand on which way a client should decide.
An insurance company is a natural place to turn for a quick piece of risk advice like “Is this firewall any good?” or “Do I need to install an antivirus on my phone?” A few insurance companies now do offer advisory for cyber security, but in general the services and knowledge are simply lacking, and the entire effort is at least a few years behind where it should be.
Effective Recall Infrastructure – When a product is flawed and needs to be pulled from the market, the manufacturer may recall the product or a regulator may require it. When this happens, many products have mature infrastructure to get the word out. Medications are recalled through the FDA, and vehicle recalls are handled by dealers, the DOT and state agencies. But in the case of software and IT products, no such infrastructure exists to get the word out and coordinate repairs, patching and retrofitting of problematic products. This has resulted in some of the worst cases of multi-party security breaches, with some of the attacks happening months after it was first established that a product was defective.
Private Sector Offensive Security – Offensive security means going after the root of the problem by targeting the hackers themselves: disrupting their ability to launder money, outing the perpetrators, or posting rewards and bounties. Currently, this is really only done by governments, and it has barely been done at all. Private sector efforts to root out security issues have a long history of effectiveness, and when driven by profit they can be extremely efficient. There have also been circumstances where companies reacted as much in outrage as anything else when they were attacked by criminals.
Shipping companies have taken on pirates, banks hired the Pinkertons to root out robbers and posted bounties, and railroads have their own private police forces. This kind of methodology obviously requires regulatory oversight, and it is often done in a collective and collaborative fashion, as with banks working together to deal with the problem of robbery.
Insurance companies are really the only organizations that are positioned, and have the profit incentive, to take on cyber threats, but this is not something that is really done in cyber security. That is unfortunate, because we do have the capability to severely disrupt criminal operations if we made an effort.
Pragmatic Results-Driven Risk Management – The existing standards and practices for cyber security are rarely based on evidence or intended to deliver pragmatic real-world results. The only exception to this exists in banking and financial services. Standards do exist, but many are overly complex and intended for the highest-security environments, often with vague implementation guidance (because of the lack of approvals). For example, NIST standards, which are intended for government contractors, are very comprehensive, but for a small business, which does not need to worry about state actors attempting to break encryption with supercomputers, there are portions that simply do not apply.
Risk management standards should be easy to follow, concise, self-enforcing and based on evidence. They should prioritize the most important controls and allow some flexibility for edge cases. Unfortunately, these don’t exist.
As an example, access control is one of the most important parts of cyber risk management. Authenticating by password alone is not considered secure. So what is secure? Having a code sent to your phone? Does it need to be a company-owned phone? Does it need to be sent every single time, or just once per computer? Is it important to also limit connectivity to company-owned computers? Which access control provider is best? Do USB keys work well? How about a smart card?
The problem is that there are no set-in-stone standards here. Nobody is all that specific. It’s up to organizations to figure this one out for themselves.
Support for Cyber Security Organizations – Professional organizations such as ISC2, ISACA, OWASP and the SANS Foundation exist and play a pivotal role in cyber security, maintaining quality control, advancing standards and conducting independent research. Collaboration is truly the lifeblood of cyber security. Unfortunately, these organizations have received little support and are generally underfunded and understaffed for the scale of what they now face.
Mandatory Phase-Out – There is a lot of technology still in place despite not being compatible with modern security standards or having known flaws. Unfortunately, there’s really nothing stopping anyone from running a server on Windows XP. Some organizations may have internal policies, and again, in some circumstances, such as financial and government contractors, there may be some requirements. This is a huge problem. In many cases, 99% of the technology has been retired, but there remain a few stubborn hold-outs.
This is especially true with infrastructure technologies, which are often out there and being used by all despite being known to be obsolete. For example, DNS is a technology that routes internet traffic, and it’s been known for a long time that it is not secure. Therefore, a newer version, DNSSEC (DNS + Security), exists and should be transitioned to. The transition has been extremely slow, and many companies still use the old DNS. In fact, non-secure DNS still exists on the internet, and it really should be phased out completely. Nobody, however, is interested in making this their issue.
Recognition of Professional Certifications – Amongst cyber professionals, certifications are of the highest importance. They represent far more than passing a test: they reflect buy-in and require continued engagement with the cyber community. The difference between a certified professional and one who is not is vast. Most non-certified individuals are not full-time cyber security specialists. If companies were encouraged to value certifications and to preferentially hire certified experts or subsidize the certification of their staff, it would result in a huge improvement in the quality of expertise and a giant risk reduction.
Unfortunately, there is little recognition for certifications in most companies. CISOs and other high-ranking cyber security positions should absolutely require a certification, but they don’t. Few companies require certifications for any job, and most don’t even see them as something they should have a strong preference for.
Independent Testing and Auditing – In general, the only companies that are consistently and fully audited are banks and other financial institutions. This is because it is mandatory and the audit reports are generally received by the other banks with which they connect. There is a solid sense of stakeholdership, and that is very important in assuring that the audit is of high quality. Entirely internal audits, or audits with no third-party disclosure, are harder to trust. It is really necessary for insurers to be capable of receiving audit reports, which is currently not something that most can do.
Proper security does require some level of third-party stakeholdership, and the audit standards used should be reviewed by someone with some skin in the game. Additionally, it is important that audits be properly governed. Audits should be done by Certified Information Systems Auditors and must be done under circumstances that avoid bias and do not incentivize the auditors to paint an overly rosy picture. Audits are critical, and most companies have nobody to hold them accountable to their audits.
Independent Investigations and Forensics – One of the most cutting-edge areas of cyber security is the forensic investigation of cyber crime and the reverse-engineering of the tools and methods used by hackers. Such work is done at antivirus makers and security firms, but the overall availability of advanced cyber forensics is limited and generally only available to the largest institutions. Many large organizations have to build their capabilities from scratch. In fact, it might be surprising to learn that one of the most accomplished cyber forensic laboratories is operated by the Target big box store. This grew out of the need to combat fraud and hacks in their stores and is an outgrowth of their greater loss control efforts. Today, Target is so highly regarded that they have lent their skills to tough law enforcement cases.
What should be understood about cyber forensics is that, in a world so connected, it is no longer just for strictly cyber cases. The forensic examination of communications and social media is often pivotal to solving missing persons cases. Most forensic accounting now basically consists of working with electronic transactions, and companies keep all their records electronically. E-discovery has become vital to all manner of civil actions, and it is one of the most lacking capabilities in the legal sector.
Greater Disclosure of Cyber Risks and Controls – Most organizations are loath to tell the world what they have in terms of internal security controls. The protest given is usually that revealing security details would compromise security. That’s not true, however. Many security controls can be disclosed, and creating a full ecosystem of trust, with full disclosure of security controls, is necessary for organizations to know who they can safely do business with. The real reason for the reluctance has more to do with a fear of regulation and a general corporate aversion to disclosing anything that could result in criticism or liability.
Audits with disclosure of the findings to prospective clients do exist and are common in consulting and cloud services, but few clients take the time to read the audit reports, and the standards and enforcement are spotty at best.
The SEC, for its part, has tried to step in and improve disclosure to investors. Unfortunately, this has been largely opposed by business. If cyber risk were treated like any other risk, it would be included in risk reports and require controls under the Sarbanes-Oxley Act, but it remains treated like a special case by so many that this has not fully happened.
For their part, public auditors have generally opposed including cyber risk assessments in audits. It comes down to not wanting to rock the boat with clients, the perception that it would increase the cost of doing the audits, and the worry that it might also introduce new liabilities. It’s simply not a risk they are used to dealing with in the audit department, and that makes them uncomfortable. Properly accommodating this need would require transferring talent from advisory to public audit, and nobody is willing to do that.
Results-Driven Scientific Research – The lack of funding for curiosity-based and results-driven research into the subject matter of cyber security is very noticeable. Academic attempts to quantify which methods work best are almost non-existent. Few results-driven inquiries into how best to accomplish cyber security goals exist. Most research and development in cyber security is done by private product developers. This results in a lot of biased results that may make their product or service seem better than it is. Very few organizations, such as the Cyber Rescue Alliance and Verizon Communications, actually publish global statistics that can aid in researching trends in cyber security.