An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 1

Due to the length of this detailed topic, it will be broken into multiple parts. One of the reasons this post is so long is the extreme entrenchment of incorrect views, and therefore, a need to provide detailed explanations of why they are wrong.

As written about earlier, Warren Buffett is one of the worst out there when it comes to spreading misinformation and unnecessary alarm about cyber security risks. He’s not the only one, however. There seems to be an incessant and rather insane cry of “Well, there are third party risks and they could be systemic. Let’s throw our hands up in the air and say there is nothing we can do.”

Of course, this is not the case: in the finite and artificial world of cyber security, no risk is insurmountable and all can be understood. Third party risks come from the fact that so many organizations are dependent on various third parties, such as vendors and contractors. Even clients and customers can be a third party risk, because some organizations rely on a relatively limited number of clients.

In this video-accompanied post, I will do my best to provide detailed information to refute this dangerous and deeply entrenched idea.

Let’s be clear on something: this is not new or unique to cyber
There is nothing new or novel about this concept at all. Some policyholders have always been dependent on a limited number of vendors or service providers. Even in the years before cyber security, a major failing of the power grid, as happened in 2003 and 1977, can cause widespread loss across a large area. A single storm can impact a huge area, or a bad hurricane season can bring devastating storms to a large area. That’s what a systemic risk is.

However, in cyber security, all systemic risks can easily be detected ahead of time, if we care to look. They’re artificial, based on the relationships we choose to have and the artificial, man-made, engineered systems we use with the human-created, anthropogenic, artificial, man-made, ARTIFICIAL RISKS, and therefore finite and easy to understand. It’s always easy to know your risks when they are in engineered systems you own, right?

(Putting aside the author’s obvious frustration)

When the risk is artificial, you can more easily understand, quantify and control it. For example, let’s say that you are afraid that too many of your policyholders are totally dependent on UPS to get their products to customers, and that a major failure of UPS systems could cause them to lose a great deal. It would make sense to require them to have a contract with FedEx to step in if UPS could not deliver their goods on time.

In the past, telecommunications systems have failed and resulted in mass losses, even when the failure was only temporary. The fact that we are more dependent on telecom than ever before may make these seem insurmountable, but they’re not, because we also have more backup systems that we can turn to.

The idea of “third party risk without upper bounds” is something nobody who is a legitimate cyber security professional would ever say. And statements like

“Because when you insure something, you really want to think of what, how much can you lose? And the question, I remember the first time it was happened, I think in the 1968 when there were the riots in various cities, because I think it was the Bobby Kennedy death that set it off for the Martin Luther King death….

When you write a policy, you have a limit in that policy. But the question is, what is one event? So if somebody is assassinated in some town and that causes losses at thousands of businesses all over the country, if you’ve written all those thousands of policies, you have one event, nor do you have a thousand events. And there’s no place where that kind of a dilemma enters into more than cyber. Because if you think about it, if, you know, let’s say you’re writing $10 million of limit per risk, and that’s fine, if you lose 10 million for some event, you can take it.

But the problem is if that one event turns out to affect 1000 policies and somehow they’re all linked together in some way and the courts decide that way.”
– Warren Buffett

That has to be one of the stupidest things I have ever seen. It’s downright alarming to see that kind of misinformation being stated without any kind of refutation. Companies being dependent on their suppliers is not the same as a black swan social event. But the most unsettling part of these statements is the general idea that it is a great abyss of unknowns. Nothing could be further from the truth.

Important Principles In How Third Party Risk Can Be Managed in Cyber Security Settings:

Building third party risk management into company policies and procedures
Some ways that an organization can reduce third party risk are to strive for vendor neutrality and for open source industry standards, when possible. It is important to have policies that avoid allowing a vendor to become a single point of failure in mission critical applications.

It’s important to look at this in multiple dimensions. In addition to looking at the possibility of a vendor being hacked, there is the possibility that a service will become outdated and support will be deprecated by the vendor. There is also the possibility that it will become a weak link in a more secure ecosystem you would prefer to move to, while you find yourself still stuck with one vendor you invested heavily in.

You must also consider things like last mile failures. One thing I have always said is this: any location that feels it is necessary to have backup power must also be able to operate entirely cut off from the internet for prolonged periods of time. I truly believe this, because it is not inconceivable that a natural disaster, if nothing else, could knock out internet to a region, and in such circumstances the bandwidth available from emergency wireless and satellite links would be very stretched and potentially unavailable.

Of course, it’s probably even more likely that the cloud service provider could themselves be knocked offline due to a major breach or just an engineering problem.

Third party risk management really should be part of business continuity planning, so basic risk mitigation would include: being able to operate at reduced bandwidth if necessary, having a secondary cloud service provider to fall back on, mutual aid agreements for facilities that go offline, local caching and backup capabilities that can operate outside the cloud, vendor neutral solutions, practicing for internet service outages, keeping localized backups, auditing cloud service providers, and so on.

Utilizing Existing Risk Management Standards For Third Party Risk Management
It is frustrating that insurance is not more on the forefront of this, but instead, insurance really does not even fully embrace what we have for standards in risk evaluation and risk management. There are existing standards that are industry and government recognized as means of assessing and mitigating risk.

In the United States, all government agencies are required to derive their standards for cyber security from the National Institute of Standards and Technology (NIST) SP 800 series standards for risk management in federal information systems. It is regarded as the latest evidence based standard for risk management.

As a result, all government contractors are, to one extent or another, supposed to conform to the risk management standards laid out in that publication or in sister publications by NIST. Because of its open source nature, the fact that it is maintained by the US government, and its standing as the highest standard, NIST is the basis for a great number of industry standards and also for voluntary compliance by organizations seeking to base their risk management governance on a trusted standard.

There are also standards from ISO, the international standards organization. I am not going to go into those as much, but as you might imagine, they align pretty well with NIST standards, as NIST is a member of ISO; ISO standards are broader and much less centered on American needs, with no emphasis whatsoever on US government needs.

There are also standards that go beyond these: best practices guides from government agencies and NGOs, industry and professional standards organizations that provide guidance and standards and work with government agencies, standards for reporting weaknesses, open source repositories of known attack vectors, and standards for evaluation that are ever evolving.

Confirming that the correct controls are in place for proper risk management, and evaluating risk, can be done through the mature process of cyber security auditing. A good cyber security audit conforms to ISACA (Information Systems Audit and Control Association) standards, and there are different types and levels of audits. A comprehensive audit may seem like a tall order, but it’s a mature process and it can often be largely automated.

Most insurance underwriters cringe at the idea of information systems auditing, and that is understandable. It certainly sounds complex, and like any kind of audit, it does require specialists in that particular type of auditing. There is simply no way to do it properly other than to hire experts. The only alternative would be to send all the underwriters to cyber auditing school, which would surely be an even less popular option. This is really part of a greater effort to deny the inevitability of full ownership of cyber security. There seems to be an insane and irrational insistence that it is not the job of insurance companies to perform compliance audits. However, it is very expensive not to.

Certification is all the more important if insurers are to trust external auditors. That’s because auditing requires a level of objectivity and disclosure that is not found in many other fields. Only CISA certified auditors should ever be counted on to provide accurate and objective auditing, conforming to ISACA’s code of ethics.

You truly do get what you pay for with risk auditing. The evaluation of risk in an organization can be performed to extreme precision, limited only by the quantity and quality of data on that organization. Extreme confidence in risk evaluation, based on compliance auditing, is possible. To achieve the best results, audit to the highest ISO and NIST-based standards, by a third party auditor, overseen by ISACA certified CISAs and sometimes even with multiple auditors; that is how one gets this data and does a proper evaluation.

There are organizations that do this, voluntarily. This is found primarily in highly regulated sectors and those which need to report on their risks and compliance to others, such as certain regulatory bodies and industry groups. Primarily, this is seen in the banking sector.

What is unfortunate is that insurance companies do not even have the knowledge to use these auditing standards to their advantage, to call for voluntary disclosure of risk audits, or to incentivize the auditing of systems. Considering that many of their clients already audit, the inability to leverage this process is a real lost opportunity for insurers, who are so insistent on never hiring anyone with a cyber risk background.

Of course, you can go above and beyond with auditing, and there are standards that go above NIST basics for some industries. There are banking standards, there are HITRUST standards for HIPAA compliance, and there are best practices recommended by the bar associations of various states and other organizations out there. Some

It should be noted that one reason why third party standards are weak is that insurers have not adopted them, and therefore there is little effort to enforce them. The lack of an insurance-backed process of technical approval is a huge problem for cyber security enforcement and has led to a lack of consistency. Technical approval is what really gives compliance enforcement its “teeth.”

Proactive Management Of Risks With Vendors
It should not be taboo to have the conversation about risks and security with vendors before the fact. In fact, I would be afraid of any vendor who is unwilling to provide open access to their security policies and procedures. It’s important to note that security rarely requires secrecy, so vendors who are unwilling to submit to public inspection are likely hiding incompetence. Instead, insist on vendors who adhere to open industry standards, and enforce this with third party audits.

There are existing standards for SOC (Service Organization Control) audits, and these can provide full assessments of whether vendors are following scrupulous controls for their security. Few organizations hold vendors accountable for providing this data, although, in theory, all vendors should do so if requested. Many vendors strive to meet SOC 2 standards for risk reporting, but it should be noted that SOC 2 compliance only assures compliance with the risk reporting standard, not that the controls are sufficient. For this reason, underwriters do need to turn to those with the skills to read and understand SOC reports.

There is also the important issue of SLAs, or Service Level Agreements. These are agreements as to the quality of service, things like security controls, what is necessary to meet your baseline expectations, and, importantly, what the remedy will be if the vendor fails to deliver as promised.

It should be noted that this is also a potential area to save money and simply have a better understanding of the risks with a vendor. For example, a cloud service provider may be able to hold your data in long term storage for a very cheap price, but at the cost of only using one facility, with limited backup capacity and no guarantee of available bandwidth. For you, that may be a great deal for data that you don’t ever expect to truly need in a hurry. The cloud is really supposed to be about flexibility and better on-the-fly management, and this can also be used to create more flexible and available recovery options.

It’s also important to maintain an understanding of which liabilities belong to you and which are fully indemnified by the vendor. If they are breached and your employees’ PII is leaked, is it understood that they will fully accept liability for such a loss, or do you still end up getting hit? Also, what insurance do they carry, and is it sufficient? It is also important to understand the limits of this in various contexts and jurisdictions, some of which make a first party explicitly liable for what happens with data, regardless of arrangements with third parties who interact with it. The Gramm-Leach-Bliley Act is like this.

Limit Risks Through “Principle of Least Privilege” with Vendors
This is an important part of vendor relationship management. Avoid as much risk as possible by giving vendors as little access to sensitive systems and information as possible. For example, if you have a vendor who processes medical bills or employee claims for disability, there could be quite a bit of risk exposure if that vendor was hacked and your employees’ medical history exposed.

So is there a way to avoid this risk by passing a minimum amount of information to this vendor? You may find that the vendor can provide you with a worker alias number to replace each employee’s social security number. They may be able to provide you with data masking options, reducing the visibility of the data they see while processing the transactions.
There may be ways of limiting the potential for vendors being hacked and perpetrating financial fraud against you, by using a secure payment system or a one-time credit card number to pay them. There may also be ways of having them indemnify you against the risk and liabilities, should this happen.
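As an added illustration of the data minimization described above (this is example code written for this edit, not code from the original post or from any vendor), here is a small Python routine that builds the feed a claims-processing vendor would receive: only an allowlisted set of fields leaves the organization, the Social Security Number is replaced by a keyed-HMAC alias number, and the alias-to-SSN mapping stays in an internal directory. The field names, the allowlist, the sample record, the diagnosis field and the key are all constructed assumptions.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed allowlist: the only fields the (hypothetical) claims vendor's
# contract requires. Everything else stays inside the organization.
VENDOR_FIELDS = ("worker_alias", "last_name", "claim_id", "claim_amount")


def alias_number(ssn: str, key: bytes) -> str:
    """Derive a stable worker alias from an SSN with a keyed HMAC.

    The same SSN and key always give the same alias, so the vendor can
    correlate records, but without the key the alias cannot be turned back
    into the SSN, and two organizations with different keys get unlinkable
    aliases for the same person."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("malformed SSN")
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return "W" + mac[:12].upper()


class AliasDirectory:
    """Internal-only alias -> SSN mapping; this object never leaves the organization."""

    def __init__(self, key: bytes):
        self._key = key
        self._table: Dict[str, str] = {}

    def register(self, ssn: str) -> str:
        alias = alias_number(ssn, self._key)
        self._table[alias] = ssn
        return alias

    def resolve(self, alias: str) -> str:
        return self._table[alias]


def minimize_for_vendor(record: dict, directory: AliasDirectory) -> Tuple[dict, List[str]]:
    """Project an HR record onto the vendor allowlist.

    Returns the vendor view (SSN replaced by its alias) and the sorted list of
    withheld fields, which is what an auditor would want in the transfer log."""
    projected = dict(record)
    projected["worker_alias"] = directory.register(projected["ssn"])
    vendor_view = {f: projected[f] for f in VENDOR_FIELDS if f in projected}
    withheld = sorted(f for f in projected if f not in VENDOR_FIELDS)
    return vendor_view, withheld


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "ssn": "123-45-6789",
    "first_name": "Jane",
    "last_name": "Doe",
    "date_of_birth": "1980-01-01",
    "home_address": "1 Example Street",
    "diagnosis_code": "Z00.0",   # medical detail the billing vendor is assumed not to need
    "claim_id": "CLM-0001",
    "claim_amount": 412.50,
}

if __name__ == "__main__":
    # Placeholder key: in practice it lives in a secrets vault, not in source.
    directory = AliasDirectory(key=b"constructed-demo-key")
    view, withheld = minimize_for_vendor(SAMPLE_RECORD, directory)
    print("sent to vendor:", view)
    print("withheld:", withheld)
    print("internal lookup:", directory.resolve(view["worker_alias"]))
```

The withheld list is the useful by-product: logging it per transfer gives the auditor evidence that the contract's data scope is actually what leaves the building, and the directory makes clear that re-identification is only possible from inside.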

A “zero trust” solution is an ideal one here. Zero trust is really the future, and insurance companies should embrace it. It’s a concept and implementation I can go into further, but in short it is a way of limiting the available access to a single transaction at a time, thereby limiting damage, even in the worst cases, to only a small transaction.

Ideally, the idea of limiting things to “need to know” should extend beyond vendors. Companies should really try to reduce these risks both internally and externally. Taking this thinking to the next level, organizations can ask themselves if they really “need to know” something like the social security numbers of customers. They probably don’t, but this level of mature thinking remains blocked by the belief that executives can’t understand this, so it’s not worth trying.

Embrace Penetration Testing For the Most Critical Systems
Penetration testing is the gold standard for evaluating the risk of an organization, and can extend to all its systems and technologies. It can include things like attempting to find problems in how code is implemented and how things are used, and often includes attempts to use all the classic attacks used by hackers to get into a system. Penetration testing can include attempts to socially engineer one’s way into an organization and even simulated insider threats. It really depends on how far you want to take this, but some institutions do go the extra mile with full pen testing.

Pentesting can be used as a requirement to reduce third party risk. For example, requiring that your payroll provider be fully pentested would be an example of holding them to a very high level of security standards. Predictably, once insurance starts to fully embrace the role of loss control in cyber security, vendors will be expected to undergo pentests and publish the results. This is identical to a concept that underwriters are already familiar with: the stress testing of devices against physical security attack, in a controlled environment, such as Underwriters Laboratories. You would not buy a safe, thinking it was resistant against attack, unless you knew that skilled safe crackers, and also thugs with sledgehammers, had attacked it. Hence, to underwriters, the idea that a place like UL is a good place to validate the technology that vendors use should not be the hardest sell in the world.

Pentesting your own infrastructure can help find weak devices and third party risks in the stack that may be exploited, such as unpatched, outdated systems at cloud service providers who are using old software to monitor for threats. It can tell you whether your systems would be capable of surviving an onslaught of attack from anyone, even a privileged vendor.

Pentesting all systems fully, and fully auditing all systems, is something that can give you extremely low risks you can count on. An excellent pen tester will assure you that a system can’t be breached unless the most obscure and difficult methods are used, which most threat actors won’t bother with.

Utilize Technology and Defense in Depth

Critical processes should not be protected by one control. Use controls to keep the bad guys out, minimize the damage if they get in, detect them quickly and rapidly respond to the situation. Use an “All of the Above” approach.

This is part of the same thinking as principle of least privilege. You really do not want to ever have to rely on one control to stop a bad thing from happening or at least mitigate the impacts if it does. So for example, there are technical controls that can stop a lot of human errors from propagating to the next step, thus reducing the risks.

For example, let’s say I want to address the risk that a trusted third party has their email account compromised and it is used to send fake invoices to my employees.
So the first line of defense might be to review your relationships, policies and procedures and ask whether it is a normal thing to receive unsolicited invoices from a vendor and just pay them. You might review the rules and how this is done. In the process, of course, you might find you could drastically improve this.

It’s important to note that studies on this have shown that paper-based requirements of this kind tend to be poorly enforced. So you’d next look at technical controls: an AI-based email service that looks for any signs of phishing. It could also flag unexpected invoices and send them to a special folder that requires special permission to open. Next, you could institute special requirements for vendor payments, which may require paying through a special secure funds transfer account, with logging and escrow for payments to non-confirmed sources.

You could next go to your bank and talk to them about fraud protection, and about whether they could agree to indemnify some of the risk of fraud on your account. Make sure you get a clear understanding of whose liability it is, and see what fraud protection services the bank has.
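As an added example (written for this edit, not code from the original post) of the technical control layer in this invoice scenario, the following Python screens incoming invoices against an approved vendor master and returns a decision of pay, hold or quarantine together with the reasons. The vendor records, invoices, field names and thresholds are all constructed. What it adds beyond the paragraph is the failure mode the scenario actually describes: when the vendor's real mailbox is compromised, a sender-domain check passes, so the control that catches it is comparing the remittance account on the invoice to the account on file and routing any mismatch to escrow and out-of-band confirmation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VendorRecord:
    """Entry in the approved vendor master (constructed fields)."""
    vendor_id: str
    email_domain: str          # domain the vendor is registered to invoice from
    remit_account_last4: str   # last four digits of the bank account on file
    open_po_balance: float     # remaining approved purchase-order value


@dataclass(frozen=True)
class Invoice:
    """Fields an email-ingestion step would extract from an invoice (constructed)."""
    vendor_id: str
    sender_email: str
    remit_account_last4: str
    amount: float
    po_reference: Optional[str]


# Constructed vendor master with a single approved vendor.
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "V-100": VendorRecord("V-100", "acme-supply.example", "4421", 5000.00),
}


def screen_invoice(inv: Invoice, master: Dict[str, VendorRecord]) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    'quarantine' means hold the funds in escrow and confirm with the vendor
    through a phone number already on file, never through the invoice email.
    'hold' means a human in accounts payable must approve before payment."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return "quarantine", ["vendor not in approved vendor master"]

    findings: List[Tuple[str, str]] = []   # (severity, reason)
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        findings.append(("critical", f"sender domain {sender_domain!r} not on file"))
    # A genuine but compromised mailbox passes the domain check above, so the
    # remittance-account comparison is the control that matters in that case.
    if inv.remit_account_last4 != vendor.remit_account_last4:
        findings.append(("critical", "remittance account differs from vendor record"))
    if inv.po_reference is None:
        findings.append(("warning", "unsolicited invoice: no purchase order reference"))
    if inv.amount > vendor.open_po_balance:
        findings.append(("warning", "amount exceeds open purchase-order balance"))

    reasons = [reason for _, reason in findings]
    if any(sev == "critical" for sev, _ in findings):
        return "quarantine", reasons
    if findings:
        return "hold", reasons
    return "pay", reasons


# Constructed sample invoices, one per scenario.
SAMPLE_INVOICES: Dict[str, Invoice] = {
    "legitimate": Invoice("V-100", "ap@acme-supply.example", "4421", 900.00, "PO-7781"),
    # Real vendor mailbox, but the attacker changed the bank account.
    "compromised_mailbox": Invoice("V-100", "ap@acme-supply.example", "9910", 900.00, "PO-7781"),
    # Lookalike domain with the correct account details copied from a real invoice.
    "lookalike_domain": Invoice("V-100", "ap@acme-supp1y.example", "4421", 900.00, "PO-7781"),
    "unsolicited": Invoice("V-100", "ap@acme-supply.example", "4421", 900.00, None),
    "unknown_vendor": Invoice("V-999", "billing@newco.example", "0001", 250.00, None),
}


def screen_all(invoices: Dict[str, Invoice] = SAMPLE_INVOICES,
               master: Dict[str, VendorRecord] = VENDOR_MASTER) -> Dict[str, Tuple[str, List[str]]]:
    """Screen every sample invoice; returns name -> (decision, reasons)."""
    return {name: screen_invoice(inv, master) for name, inv in invoices.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in screen_all().items():
        print(f"{name:20s} -> {decision:10s} {reasons}")
```

The design point is that each check is a separate, independently logged finding rather than one combined score: the domain check catches lookalike senders, the account check catches the compromised-mailbox case the paragraph describes, and the purchase-order checks enforce the policy decision that unsolicited invoices are not simply paid.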

Reduce your risk of employee identity theft by using a current firewall for all servers containing PII, but also monitor log files for suspicious activity, reduce the use of employee Social Security Numbers by replacing them with alias numbers, and provide your employees with identity theft insurance and credit monitoring ahead of time (it’s a great value, because it’s a nice perk for work, but also reduces your risks).

Conclusion
The management of third party risks is an absolutely well established and mature area of business science. It’s based on principles that are well understood and logical. Cyber risks are not really special, when compared to other service provider or financial third parties. They are certainly quantifiable, and measurable, since they are artificial.

However, because of the insistence that this is not true, and the fact that we have figures as respected and varied as Warren Buffett spouting this nonsense, it will be a tall hill to climb to retain a footing in sanity on this. That’s why this post is so long. When someone is “Not even wrong” it often takes pages of analysis to fully explain all the things they managed to get wrong in 30 seconds.

Future Sections Will Include: (though not necessarily in this order or grouped as such)

  1. A better understanding of how “Zero Day” risks are managed.
  2. A greater description of how standards are enforced.
  3. A section on the greater need for collective and “big picture” leadership in risk.
  4. Descriptions, in greater detail, of what to look for in experts who can handle this.
  5. Some examples to prove exactly how this all can work.

This is a critical issue, because the misunderstanding of third party risk appears to be at the root of why insurance companies have steadfastly refused to provide the services, incentives and oversight that other industries have, and which are necessary to manage this risk.

Third party risk management will be fully achieved when we have an enforceable mandate for testing, certification and following of good conventions. This is obviously the only way we can ever get to the ecosystem of trust we need.

One thought on “An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 1”

  1. Although you are right, I feel you are leaving insurance off the hook by giving them advice. You should keep this to yourself. We all know, if you worked in security, that insurance caused this problem and other people were telling them to gut it out and not pay ransom years ago.

    I do not think insurance deserves a guide. I feel like they need to fire all the cyber underwriters and hire experts. If they do not, then why do those who caused the problem deserve to get more money from it?

    Cyber insurance is a joke, but it isn’t funny because of how much it has hurt the world and most especially in healthcare, which we all need.
