What We Lack In Cyber Security

The severe moral and ethical failure of the insurance sector, when it comes to cyber security, must be understood in the context of the greater economic problems it has created. Insurance is a very important foundation of risk management in the private sector. It is well known that, in the absence of loss control and underwriting standards, insurance becomes a subsidy for bad behavior. This is a classic moral hazard, and it is made worse by the fact that cyber insurance underwriters have standardized the payment of ransoms, endangering all of society and creating massive economic problems.

But there is actually more to it than that. Because insurance leaders have affirmatively disconnected from the subject, and are hell bent on not discussing it, we have seen a massive divestiture of the safety systems we need to keep society running smoothly. Insurance, as an economic force, is supposed to provide certain necessary services and incentives, and it currently does not.

Unfortunately, I can say with 100% confidence that until the insurance sector gets its act together and starts making money on cyber coverage, rather than losing it, we simply will be unable to make substantive progress in cyber security. Effectively, insurance underwriters have broken all economic incentives toward having better cyber security. This is not a minor thing. It is exactly why we have the problems we do.

A good example is technical approvals. Without independent authorities to test and approve individual technologies, it is impossible to fully enforce good standards. This is vital, and the absence of technical-level approvals for products and processes is an unresolvable gap. At present, every organization is left to its own devices to develop its own standards, and nothing can truly be mandated.

So why do they do this, when it loses them money? It seems to be a stubborn refusal to spend on cyber controls, because the geriatric idiots who run these pathetic companies are convinced that it is too new-fangled to bother with. Also, if they decided to stop losing billions, it might cost them hundreds of thousands of dollars. Yes, of course, it is stupid. It is a classic case of intimidation by a seemingly new risk, combined with wanting to save face and fear of anyone finding out how badly you have been doing at your job.

You see a lot of that in cyber security. Cyber security professionals are used to walking into a client that has just made some terrible mistakes and needs help putting its reputation back together. We see that more than almost any other field does, and we are very empathetic to it. The fact that insurance companies have made such an extraordinary effort to exclude legitimate subject matter experts should tell you something.

One thing that should be kept in mind is that the insurance sector in general has absolutely lost its way. That goes far beyond cyber security. Insurance has been taken over by purely financial people, who have no idea how risk management works and are absolutely opposed to spending a dime on loss control or risk analysis. It is sad, because the loss of the ethical compass of the insurance sector has caused far greater problems. It is why car fatalities have gone up and why nobody is pushing for better fire protection for California.

In case anyone has missed this: it would be substantially cheaper to pay for loss control than to continue to pay out losses, and reining in these losses would boost profits significantly.

The depravity of cyber underwriters, their extreme greed and their cowardly refusal to ever engage with a single person who understands the risk really underline just how immoral and unethical these people are. They are not only hurting their companies, but endangering the very communities they live in. They have thrown their country, their investors and their policyholders under the bus.

In future posts, there will be a fuller deconstruction of the terrible history of cyber insurance and how it has caused all these problems for society. The history is well understood. AIG started selling cyber insurance in 1999, without any qualifications. They were warned about this, but it was cheaper not to bother. The addiction to a quick profit, even at the cost of long-term losses, seems to be pervasive these days. That sent the industry down a very dangerous path. Today, not a single cyber insurance underwriter knows a thing about the actual field of cyber security. No, I am not kidding.

There is truly no place for cowards in risk management.

Things We Need to Fix The Cyber Problem

(But do not have, because of the severe lack of insurance buy-in)

Continue reading

The Perfect Analogy for How We Manage Cyber Risk…

It has been over a year since one of the most bizarre freak accidents to capture the world's attention. I am, of course, speaking of the Titan submersible, operated by the company OceanGate. The company had been operating the submersible for a few years, and it had already gone through a hull replacement, the previous carbon fiber hull having been replaced due to concerns over fatigue. This should tell you something, because most submersibles use materials with a large enough factor of safety, and high enough confidence in it, that dangerous levels of material fatigue are simply not an issue.

At the time this happened, I, personally, knew very little about the operation. I had heard of a new private venture, which had been taking paying customers to the Titanic. To be perfectly honest, that kind of thing isn't all that interesting to me. Of all the shipwrecks in the world, few have been more thoroughly documented or more constantly bombarded by tourists and other activity. Sure, it still holds some level of scientific and historical interest. It is, after all, one of the few liners of the era that still exists in any form. The only others that are still around are also sunk, such as the Britannic and Lusitania.

It would be one thing to lay a single plaque on the Titanic as a tribute to the tragedy, but it seems every single expedition feels the need to leave their mark and explain why they are the best and most poetic at memorializing the ship. At some point, it starts to look like litter.

Continue reading

Warren Buffett Is Dangerously Wrong About Cyber Risk

The unfortunate thing is that how Berkshire Hathaway decides to handle the issue of cyber risk ends up affecting far more than Berkshire Hathaway. Buffett is so admired, and Berkshire Hathaway is such a giant player in risk and insurance, that his words affect everyone's security.

Warren Buffett may be old, but he continues to be held in the highest esteem by investors. He certainly has a great track record. Buffett is also admired for his openness and candid discussion of his methods and stock picks. He has always sworn by a long-term investing strategy, which values not only growth but stability. His disciplined approach has been the key to great success.

For this reason, when he speaks, the investing and business world listen. He has been called the Oracle of Omaha. When his Berkshire Hathaway group holds its annual shareholders meeting, some investing companies take the day off and gather to watch the whole thing with the enthusiasm and fanfare of the Super Bowl.

When Warren Buffett speaks, the financial world listens. The insurance world also listens, because Berkshire Hathaway has become one of the biggest players in insurance. The group recently purchased a large stake in Chubb, one of the largest providers of cyber risk coverage.

This is a problem, because when someone so influential speaks about something so important, they had better be correct, and in this case he is dead wrong. I do not mean to criticize Mr. Buffett personally, of course, but it is important to bring attention to this. As an expert in this area, I find his comments to be absolutely terrifying.

The reason it is so terrifying is the impact that these comments, and others like them from other business leaders, have had on national security and the global economy. Insurance is vital to how a capitalist economy self-regulates and how risk is properly priced. Insurance is the bedrock of how risks are treated in the economy.

The unfortunate thing is that this very ignorance is at the root of the stagnation of cyber defenses, the layoffs of so many in the sector, the divestment of resources and the acceptance of such dire levels of loss. It is terrible to think that anyone so widely followed could be actively telling people that cyber security is a mystery nobody has figured out. If that were the case, it would be pointless to spend on it or to hire experts.

Shortly after this meeting, a large number of cyber security professionals were laid off.

Continue reading

Understanding the Core Problem in Cyber Security

From a technical standpoint, in terms of why bad things happen in IT systems, it is pretty straightforward: we do not do a good job of controlling access to accounts, and we do not monitor accounts for problems. That is 90% of the problem. It is account access control. The reason for this is that passwords do not work, and efforts to standardize and mandate better access control have been poorly supported.

While cyber security may seem very complicated, this is really just because it is so unfamiliar and has been wrapped in mystery. It is no more complex or perplexing than any other type of security, but it is a relatively small specialty, and so there are only a small number of subject matter experts who have any kind of clear-headed thinking on this one.

For the most part, the problem we have in cyber security is access control. Specifically, we do not have strong authentication of remote access. That is it. That is the problem. In most circumstances, more than 90% in fact, it comes down to not being able to verify that a connection is legitimately who it claims to be. So, for example, the CEO's email is being read by a foreign hacker who stole the CEO's password.

That might sound like it would not be an insurmountable challenge. I mean, after all, how hard is it to make sure the CEO is who he says he is and not a foreign agent? Surely we could check the geolocation or the context, or require his approved hardware. And you would be correct: it is not insurmountable. In fact, we can close all the holes in access control if we decide to.
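To make the point concrete, here is an added example (not code from the original post) of the kind of contextual check the paragraph describes: a login event is evaluated against the account's registered devices, its last known location (an impossible-travel test), and whether a second factor was actually presented, and the result is allow, step up to MFA, or deny. The accounts, device identifiers, city coordinates, events and the 1000 km/h travel threshold are all constructed for the illustration.

```python
"""Context-aware access decision for a remote login (added example, constructed data)."""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List, Set, Tuple

# Constructed sample data: which hardware each account is allowed to log in from,
# and approximate coordinates for the cities used in the sample events.
REGISTERED_DEVICES: Dict[str, Set[str]] = {
    "ceo@example.com": {"dev-ceo-laptop-01"},
}
CITY_COORDS: Dict[str, Tuple[float, float]] = {
    "Chicago": (41.88, -87.63),
    "Milwaukee": (43.04, -87.91),
    "Bucharest": (44.43, 26.10),
}
# Assumed threshold: no person moves faster than an airliner between two logins.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class LoginEvent:
    account: str
    device_id: str
    city: str          # resolved from the source IP by a geolocation lookup upstream
    ts: int            # unix seconds
    mfa_verified: bool  # True only if a second factor was presented for this login


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def evaluate(event: LoginEvent, history: List[LoginEvent]) -> dict:
    """Decide 'allow', 'step_up' or 'deny' for one login and explain why."""
    reasons: List[str] = []
    impossible_travel = False

    # Approved hardware: is this one of the devices enrolled for the account?
    if event.device_id not in REGISTERED_DEVICES.get(event.account, set()):
        reasons.append("unregistered device")

    # Geolocation and context: compare against the most recent earlier login.
    prior = [e for e in history if e.account == event.account and e.ts < event.ts]
    if prior:
        last = max(prior, key=lambda e: e.ts)
        km = haversine_km(CITY_COORDS[last.city], CITY_COORDS[event.city])
        hours = max((event.ts - last.ts) / 3600.0, 1.0 / 3600.0)  # avoid divide-by-zero
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            impossible_travel = True
            reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
        elif event.city != last.city:
            reasons.append("new location")

    # Policy: impossible travel is denied outright even if a password matched;
    # any other anomaly requires a second factor; a clean login on enrolled
    # hardware from the usual place is allowed.
    if impossible_travel:
        decision = "deny"
    elif reasons and not event.mfa_verified:
        decision = "step_up"
    else:
        decision = "allow"
    return {"decision": decision, "reasons": reasons}


if __name__ == "__main__":
    # Constructed scenario: the CEO logs in normally, then "the CEO" appears in
    # Bucharest ten minutes later from unknown hardware with only a password.
    normal = LoginEvent("ceo@example.com", "dev-ceo-laptop-01", "Chicago", 0, True)
    stolen_pw = LoginEvent("ceo@example.com", "dev-unknown-77", "Bucharest", 600, False)
    for ev in (normal, stolen_pw):
        print(ev.city, ev.device_id, evaluate(ev, [normal]))
```

The decision is a function of signals the attacker does not get by stealing a password: device enrollment, where the last session came from, and whether a second factor was presented. A trip of a few hours to a neighbouring city on the enrolled laptop only triggers a step-up prompt, while a password-only login from another continent minutes after the real one is refused and, in a real deployment, should also raise an alert against the account.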

Continue reading