Quantifying Cyber Risk
Dave Bittner: [00:00:03] Quantifying cyber risk - what is it? The concept has its home in financial analysis and portfolio theory, but it's become increasingly important to cybersecurity, particularly as business leaders come to understand cybersecurity as an exercise in risk management. Quantifying cyber risk has three components - vulnerabilities, assets and adversaries, or threats. When you know the value of your risk, you understand your potential losses over a given period of time. Since so much of our business is transacted online and since so much of what we value exists in the form of data - also accessible in cyberspace - knowing the value of your cyber risk is crucial to managing your enterprise. We spoke with experts in the security, insurance and legal sectors about quantifying cyber risk, how you determine it, what you do with it and why it matters.
Dave Bittner: [00:00:56] Time to thank our sponsor VMware. You've heard of VMware, the global leader in cloud infrastructure and business mobility - of course, we all have. But if you're a security software architect or engineer, you also know them as world leaders in virtualization. So think about them as a career destination, especially now because VMware is looking for experts to be part of an empowered and innovative security team that builds on VMware's industry-leading virtualization technology to deliver a new model of IT that combines flexibility and quick deployment with world-class security. If you're a security professional looking for a career with an innovative industry leader committed to making the networked world a place that's not only secure but also easy to work in, then navigate on over to careers.vmware.com and see what you and VMware might have to offer one another. The visit will be worth your time. That's careers.vmware.com. And we thank VMware for sponsoring our show.
Ben Beeson: [00:01:59] It's still a major challenge.
Dave Bittner: [00:02:01] Ben Beeson leads the cyber risk practice at Lockton Companies, the world's largest privately held insurance brokerage.
Ben Beeson: [00:02:07] You know, we in the insurance industry are certainly banging our heads together to try to solve this problem, both on the broker side, where I sit, really trying to help clients understand how best to quantify the risk, and equally, with insurance companies, the other side of that coin is how best to price the risk.
Eric Nordman: [00:02:30] It's a problem anytime there is a new risk and a new insurance coverage.
Dave Bittner: [00:02:34] Eric Nordman is director of regulatory services at NAIC, the National Association of Insurance Commissioners.
Eric Nordman: [00:02:41] The first person that wrote an auto insurance policy back in the late 1800s had to guess what the price was going to be because they had no experience. They've gotten very precise over time. The first person that ventured out and wrote a cybersecurity contract had the same experience - had no data really to go on. So they're going to take their best guess, develop a price for the business, and then over time, as more and more of these contracts are sold, they will gain loss experience that will inform future pricing.
Ben Beeson: [00:03:17] The insurance industry, for the last 300 years - particularly if you look at where I came out of, in London and the Lloyd's of London market and where it started, and that's 300 years ago, you know - has typically modeled risk on historical data. But how effective can that be moving forwards in a risk environment such as the cyber domain, where things don't stand still? So what I think is going to happen and where the answers increasingly are going to come from is from the technology world, is from stakeholders who have tools and technologies to help solve this problem. And I think we're already starting to see real evidence of that.
Julian Waits: [00:03:54] Today the insurance industry very rarely actually uses cyber data to figure out what the price should be.
Dave Bittner: [00:04:00] Julian Waits is the CEO of PivotPoint Risk Analytics, one of a number of companies who are trying to tackle the problem of quantifying cyber risk. In the interest of disclosure, we should say that PivotPoint was spun off from the same parent company as the CyberWire.
Julian Waits: [00:04:14] They use catastrophe models - hurricanes, tornadoes, earthquakes. Those are all things that are governed and controlled by nature. The problem with cyber is it's governed by human nature, human behavior. Criminal behavior, specifically. Because any type of cyberattack there is, there's always a human behind it somewhere.
Dave Bittner: [00:04:34] Ben Beeson.
Ben Beeson: [00:04:35] It's dynamic. You know, this risk does not stand still. And it's a focus that we in the insurance industry, we have really been focused on one aspect of it, and that is the liability to companies from handling people's personal data - PII, you know, the acronym personally identifiable information or protective health care information.
Howard Feldman: [00:04:57] An average, midsize company or a small company may not even understand what its legal obligations are...
Dave Bittner: [00:05:03] Howard Feldman is a partner at the Baltimore office of the law firm Whiteford, Taylor & Preston.
Howard Feldman: [00:05:08] ...And that there are state laws, for example, that require companies to have data security in place. And so the starting point is to help a client understand what their legal obligations are when it comes to data security and also to make sure companies understand that beyond their legal obligations, they may be undertaking obligations that the law doesn't prescribe, but they may be undertaking in contractual agreements with vendors or other parties.
Ben Beeson: [00:05:39] But if you start to look at other corporate assets - and the one that really stands out that is uninsurable today is intellectual property. The insurance industry and underwriters have a very tough time understanding how to quantify that risk. So ultimately right now, if your IP or your trade secrets are stolen or hacked, and they're stolen, you can't insure that for that very reason. And then you move into other areas, other assets at risk, and ones that you may not have thought would be at risk until relatively recently. And really, I'm talking about under the banner of the Internet-of-things how physical assets are becoming at risk. And you put that into the context of oil and gas, you know, certain critical infrastructure industries where it might be more acute - utilities. You think about health care with medical devices being connected.
Ben Beeson: [00:06:33] Those types of risks are leading to consequences - loss consequences that are now not just about liability - you know, liability driven - but more what we call first-party driven and issues of property damage, business interruption and bodily injury. And it is so new right now that there is no actuarial data to quantify that type of risk. And so what you have now is a lot of ambiguity, particularly within the insurance industry, as to whether those types of risks are covered or not.
Dave Bittner: [00:07:08] An issue has been the disconnect between IT teams protecting the assets and boardrooms.
Emily Mossburg: [00:07:14] I don't think that there was a clear understanding of how real it was and that there were true business implications.
Dave Bittner: [00:07:25] Emily Mossburg is a principal on Deloitte's cyber risk services leadership team.
Emily Mossburg: [00:07:30] I think that it was viewed as an IT problem isolated to the protection of IT systems, and there wasn't the connection between well, what do those IT systems support and how can that impact the business? There are, whether we like it or not, some level of silos within every enterprise. And I think that it was very siloed as a technical problem, and it just wasn't being talked about with the people that own the revenue, that own the customers and clients. Not through anybody's fault. It just wasn't part of the everyday dialogue.
Howard Feldman: [00:08:08] If nothing else is achieved, it's to get management and technical staff to talk to each other because cybersecurity really is a team sport, and there are a lot of stakeholders in the company that need to be talking to each other to make sure a company is adequately secure. And that could be the accounting department, human resources, marketing, as well as IT staff because IT staff needs to understand, why is it important for marketing to be holding this kind of data? Do we really need 20 years of financial data stored in our system, or do we need 20 years of consumer data and credit card information stored in our system? And so rather than operating in silos, those stakeholders in a company need to be talking to each other to translate to each other what their needs are and what the company's needs are.
Jack Jones: [00:09:05] Until, I'd say, very recently, organizations viewed cyber risk management as sort of necessary evil.
Dave Bittner: [00:09:12] Jack Jones is the originator of the risk management framework known as Factor Analysis of Information Risk, or FAIR, and he's in charge of research and development at RiskLens, a provider of cyber risk management software.
Jack Jones: [00:09:25] The auditors say we have to do it or the regulators say we have to do it, and we will do the minimum possible. That presented a number of challenges. You know, if that is sort of the management perspective, they don't tend to take it seriously unless it's on fire. And so therefore, professionals in our industry would tend to - in order to get any attention or any luck at all, they would tend to portray things as on fire whether they were or not.
Ben Beeson: [00:09:55] The awareness in the boardroom is certainly there today, whereas it wasn't two, 2 1/2 years ago. And I think it's around the time of Target onwards that you start to see why that has happened, you know, and that boardroom executives could be held accountable. And there's nothing like understanding that you personally could be held accountable to drive your focus. But then the next question is, well, how do I get an understanding of this problem?
Emily Mossburg: [00:10:22] There's been a challenge since the dawn of this issue around, what is the return on investment in cybersecurity and in mitigating your cyber risk? And there's been a ton of work around, well, how do we quantify that return on investment? And that's part of the reason why we have looked to change the game a little bit in terms of how you quantify this issue to instead focus on, if there is an incident and there is a particular scenario that plays out, what would the overall value impact be?
Julian Waits: [00:11:00] My background comes from systems management. And when I was in systems management, we did something called business continuity management. And the whole concept was, is if we were to lose the business due to some form of natural disaster, no matter what, we would get the core business items that were needed to run the business up and running as quickly as possible. Cyber hasn't done that. It's run behind the rest of the IT industry, and it's also what's most important. So it has to start with a business impact analysis. You know, if I'm a retailer, and I have a POS system that uses payment card information, well, that system's going to be pretty important to my ability to do business. Or, you know, if it's not there, I can't do business. So it should rank really high, not just on business continuity but also from the standpoint of how I spend my cyber dollars. If I know my risk when my business is most exposed, if I lose that, well, gee, I probably should protect it better than maybe some other systems in my environment that aren't crucial to how I run my business every day.
Emily Mossburg: [00:12:00] And let's look at that scenario and say, OK. What would happen if we had an attack that looks like this? How could that play out? And is our program structured to minimize the potential of that kind of an incident? And is it also structured in a way that we would recognize if that kind of an incident was occurring? And is it structured in a way that if it were happening, we would be able to respond as quickly as possible and minimize the potential impact? And that's sort of the way the dialogue I've seen shift in the organizations where we're seeing the most success in terms of the communication and the dialogue with the executive management and the board.
Ben Beeson: [00:12:46] If you're in the boardroom or you're in the executive team and you think more in financial terms, in particular, and risk to the business, how do you get that type of information? And we're seeing a lot of companies struggle with that at the moment. But we're also seeing the major stakeholder within the organization who's not used to speaking in financial terms - which is the IT department - start to understand that they've got to make that happen.
Julian Waits: [00:13:11] We all use the word risk. If you talk to senior executives in corporations and board members, risk to them generally backs into some financial number. If you talk to IT people - specifically security people in the cyber realm - it backs into stuff like, it could be material or not material. It's a high, medium, low risk, but it really doesn't translate to - and it could cost us, you know, $1.2 million on an annualized basis. There is a huge gap between the two when it comes to that.
Jack Jones: [00:13:43] It is very common for me to go into an organization and look at their portfolio of, quote, unquote, "high-risk issues." And when I start probing and asking them to suspend those high-risk ratings, 70 to 90 percent of the time, depending on their organization, they can't stand behind those high-risk ratings. They end up changing them because, you know, the issues don't represent high risk. And so when you think about organizations trying to prioritize and focus on the stuff that matters most - especially when we have a very active and evolving threat landscape - and when you think of organizations where perhaps 90 percent of the, quote, unquote, "high-risk issues" aren't, those organizations have put themselves in a deep, dark hole from a risk management perspective.
Ben Beeson: [00:14:32] A board cannot ignore the fact that they need to invest in protecting the organization, but its approach now - that's - must be different - right? - from perhaps two or three years ago. It can't be just a sort of blind approach, just investing as much as you can in every tool that you can find. You actually have to think now, strategically. What are the assets that I want to protect? OK. Let's identify those first. What are the crown jewels, as they say? And then it's about just - I'm trying to understand by focusing on that because, you know, you're aligning Ben's security with the business strategy. Well, how much should I invest in - and that's the hard question, right? And what's the ROI that I'm going to get on that, of course. And that's, you know, of course, again, where companies like RiskLens and Pivot Point are starting to emerge to help answer those types of questions.
Emily Mossburg: [00:15:25] Today, the conversation around cyber risk and security has been very technical in nature. It's been focused a lot on the vulnerabilities and the threats associated with cyber risk. What we haven't done a good job of, to date, is talking about the impacts. And the risk equation is the threats, the vulnerabilities and the impacts. And in order to get to a place where everybody is speaking the same language, we have to start to talk more about the business impacts of cyber risk. And that doesn't mean we aren't also talking about the threats and vulnerabilities, but it really shifts the conversations to, if those threats are able to exploit those vulnerabilities, what does that mean for the business? And when you can get to the conversation around, what does that mean for the business, then there'll be the same language being spoken between those in leadership at the executive and board level and those that own the cyber risk program within the enterprise.
Jack Jones: [00:16:36] Being able to express that in dollars and cents - so saying, you know, here's how much loss exposure we had, you know, six months ago or nine months ago or whatever the case might be - and because of, you know, these investments and these projects and such and changes that we've made to our risk landscape, we have this much less risk. It's much less loss exposure. You know, that is much easier and more meaningful to express when, again, you're talking in dollars and cents rather than when you're saying, well, we were red, and now we're either less red or we're kind of, you know, moving towards yellow.
Emily Mossburg: [00:17:16] This dialogue in opening this up and saying, hey, rethink there - this - these other cost factors, these other value impacts that need to be explored - you know, it's not about fearmongering and saying, hey, this is a bigger problem than anyone even knows. I think there's plenty of fear around information security and cyber risk. This is more about our organizations prioritizing their efforts, their programs, their remediation in the right places. And if they took a broader look at this and if they took a more scenario-focused approach understanding the overall potential business impacts, might they make different choices in terms of what they prioritize? Might they focus their efforts, their time, the money that they are going to spend in different ways in order to protect those things that, ultimately, may lead to the biggest business loss versus those things that might be more obvious?
Dave Bittner: [00:18:19] According to both Jack Jones and Julian Waits, many companies make the mistake of using what's sometimes called a checklist approach, comparing their cyberdefense posture against regulatory standards like NIST.
Jack Jones: [00:18:31] One of the biggest challenges any organization faces is prioritization, and checklists cannot - they cannot help you prioritize in any real sense - I mean, other than saying, these things we checked yes and these things we checked no. You know, they can't take you any farther than that. The checklist approach is so superficial and so rudimentary that for all practical purposes, in my view, given the risk landscape that organizations have to deal with these days, they lose the battle.
Julian Waits: [00:19:04] Should you be audiencing (ph) yourself in - as best practices? Should you have that in your cyber hygiene? Absolutely. But it still ends up in - if we do - if we're compliant with NIST CSF, well, we think the probability of a breach is much lower than if we hadn't done it. Take that same concept now. You - instead of doing a gap analysis against NIST, you're doing a gap analysis against your financial exposure, using NIST as a tool to do that. That's what CyVaR does for you. So you're still following the NIST framework, but now those NIST controls are being ranked against, what are the things that are most financially vulnerable - or expose us to most in the market? And we use NIST to fill in those gaps. So now you're doing a gap analysis against your financial exposure, using NIST as a tool to fill in those gaps.
Howard Feldman: [00:19:52] Cybersecurity is not about checking the boxes and putting a written information security policy, getting it typed up and putting it in a binder or in a file.
Dave Bittner: [00:20:02] Howard Feldman.
Howard Feldman: [00:20:04] It's a constant, evolving process of making sure that what you have in place is sufficient. And so what you have today may have to be looked at again in six months or in a year to make sure that the safeguards you have in place are adequate.
Dave Bittner: [00:20:20] Speaking of regulatory issues, Eric Nordman from the NAIC believes insurance companies will play a role in guiding companies toward better cybersecurity practices.
Eric Nordman: [00:20:31] Many of the safety devices that we have on our vehicles today - seatbelts is a great example of them - it was the insurance industry that pushed the mandatory application of seatbelts in - by auto manufacturers as a safety device. Anti-locking brakes are another. I would expect that we're going to see the same sort of thing with cybersecurity standards of care, largely because of the insurers - don't simply want to just go out and write a cybersecurity insurance contract covering a host of risks without knowing whether the business has taken steps to actively protect and guard against these incursions. So if in - during the underwriting process, the insurers that are writing a lot of this coverage will have cybersecurity experts that are going to go visit with the business, see what kind of things they do to protect their data. And we'll make a judgment about whether they are doing enough. And if the business decides they don't want to improve, then the price of the cybersecurity contract would go up or may become even unaffordable for them if they refuse to take steps that the insurance company reps are going to recommend.
Dave Bittner: [00:21:54] Ben Beeson agrees.
Ben Beeson: [00:21:57] At the moment, it's been a bit more stick than carrot and almost a pass-fail exercise. So in certain sectors, for example, if you're not doing things like encrypting data end to end or using alternative control like tokenization - if you have a lot of payment card data, for example, you might not even get insured. But I think what's starting to happen - I think this will accelerate as more of these tech firms emerge - is you're going to see more incentives. And it may not just be a case of just clear-cut dropping the premium. It also may evolve, as you're starting to see, with telematics and auto insurance, for example. And what happens there, you know? Take a black box in your car, and we'll reward you for good driving through a discounted policy. So there is the incentive to do that. Will - and I can see that type of approach emerging for cyber, as well. Now, I'm not saying that insurers are going to want to monitor a company's network or have a detection tool that they will put on there. But they certainly might reward you for using those types of tools. And I do think that we're very close to that.
Dave Bittner: [00:23:07] On the product side of things, companies like RiskLens and Pivot Point use sophisticated mathematical modeling to help determine risk and uncertainty. Julian Waits explains Pivot Point's approach.
Julian Waits: [00:23:19] We did this thing called attack modeling where we create a virtual model of someone's network once we get that information, and then we do our own virtualized pen testing against that network. Every time we're successful with that, we average it in a simulation of scenarios that are run through a Monte Carlo method. It's a very sophisticated way of rolling the dice. So we - so with CyVaR, because of that, we, on average, do a half a million to a million scenarios for each customer environment that we're modeling because we want to make sure that we're highly accurate in what we do. And we think it takes that many samples before you can begin to predict something with some accuracy, especially when you're looking out into the future. We're constantly ingesting information from the industry. We have partners that we license straight intel data from. We have data that we generate on our own.
Julian Waits: [00:24:08] And then we have breach data as it relates to financial impact across the industries and then specific impact. And then what we do is we benchmark that data against a specific customer's environment. So then we're averaging them, we're looking at them as a relative number against what's going on in the industry.
Dave Bittner: [00:24:26] All of our experts agree that organizations have to be willing to adapt and to be agile in such a rapidly evolving threat environment. Here's Deloitte's Emily Mossburg.
Emily Mossburg: [00:24:35] I think that organizations really need to spend more energy and more time on data governance. And what I mean by that is, in many cases, a true understanding of an organization's data assets does not exist. There is no overarching enterprise data inventory, and there isn't a strong data classification system in place in order to allow and support the rollout of a prioritized risk-based cyber risk program. And so I think that there needs to be a movement towards this concept of data governance and ownership. Like, it's a real, true transformation of ownership of the risk, not just within an organization, in IT, but across the enterprise. And the people in the business that own the data, that have collected the data or created the data or the information need to understand that a cost of doing business is the protection of that information because ultimately, if that data, if that information is compromised through loss, through integrity degradation, through pure theft, the value to their business is going to decrease.
Ben Beeson: [00:26:07] Well, first and foremost, do not view cyber insurance as a replacement for mitigation or poor controls. It's not an either/or, as unfortunately still seems to be the perception by too many companies. You know, it complements what you should already be doing to mitigate risk to those identified critical assets that will be different but - you know, to each organization, depending on who you are. So that, I think, is the No. 1 thing to think about. And equally, you should also go into considering cyber insurance with your eyes open. You know, again, this is not a commodity. This is only a marketplace that is 16 or 17 years old. It is a PII-focused product today. It can address other areas. It cannot address all areas of your risk, depending on who you are. So it's important to understand what role - or what cyber trends can and cannot cover when you consider it.
Howard Feldman: [00:27:18] While you can always throw more money at cybersecurity, what you have to assess is, are we taking reasonable steps, given the nature of the data we have and the size of the business involved, to protect the data that we have? The most common mistake I see is - of management is for management not to ask the hard questions and not even to know what questions to ask. What are our policies and procedures? When have they last been updated? What technical safeguards are in place? How do we know they're adequate? A board member, for example, may not even understand how they're adequate. But what have you done to confirm they're adequate? Have they been updated? - because technology's changing every day. And so the antivirus software that was installed five years ago - if it hasn't been updated - is probably not adequate to protect against present-day threats.
Jack Jones: [00:28:12] We have to hold ourselves to a higher standard in terms of how we rate risk. I mean, if you're going to measure risk, you can't put people in a position of measuring that who see the world as black and white. They have to be critical thinkers. They have to be able to deal with uncertainty. But when you have people who don't have those characteristics wade their wet fingers in there and proclaim something is high risk, medium risk, low risk, that sort of thing - and nobody ever pushes back and really digs into, why do you think that's high risk? That puts us in a very bad place in terms of prioritizing and having even a remote chance of managing risk cost-effectively.
Julian Waits: [00:28:53] There are tons of well-accepted methods for doing security management today and managing from a cyber perspective. And again, the whole concept is, how do we change the paradigm of - to focus people, organization, executives all on the same measure. And the measure should be financial exposure, not just what our security posture or our compliance posture is.
Dave Bittner: [00:29:19] Our thanks to Emily Mossburg, Ben Beeson, Eric Nordman, Howard Feldman, Julian Waits and Jack Jones for sharing their views on quantifying cyber risk.
Dave Bittner: [00:29:28] And thanks to VMware for sponsoring this Special Edition. And we want to remind you that their product security group is looking for security architects and engineers. So visit careers.vmware.com to check out the career opportunities there.
Dave Bittner: [00:29:41] We thank you for listening and hope you'll help spread the word by sharing this show with your co-workers and on social media. It's one of the easiest ways you can help support the CyberWire, and we do appreciate it. You can find links to all of our shows and subscribe to our daily podcast and daily news brief on our website thecyberwire.com.
Dave Bittner: [00:29:58] The CyberWire is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.