[BreachExchange] The Case for Cyber-Risk Prospectuses

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 26 21:56:06 EST 2019


Sometimes our investments lose money. It's not for lack of trying; indeed,
most investment firms make money off the growth of our investments. But
despite best intentions and detailed investment plans, we sometimes end up
with less than we started with. This can be due to outside forces like
market-wide swings associated with unemployment or interest rates; it can
also be industry-specific indicators, such as the way in which the new
housing metric affects the home improvement market's outlook. If you chose
to read those SEC-required booklets for each of your investments (instead
of quickly tossing them into the recycling bin), you'd see some form of
that old adage that past performance is not an indicator of future
results. One could draw a similar parallel to an organization's cyber-risk
profile as well.

Any single organization may go years without a security breach, and during
this time, it’s easy for them to think they may never get hacked, and that
all those other breaches going on around them are due to their superior
practices or low profile. They may (implicitly) believe their governance
structures and reporting are so on point that the things being done are
good enough to fend off attackers indefinitely. In fact, this complacency
can affect an organization such that it no longer invests in security the
way they should. Critical things can be cut, such as staff, training funds
and upgrades for technologies and capabilities. Even basic security hygiene
functions like patching and endpoint protection can be jettisoned or pared
back significantly. Inevitably, this state of security atrophy leads to a

An organization's response to this scenario is now predictable: these
organizations "take it seriously," offer credit monitoring, and more often
than not, change their senior security leadership. These responses are
really implicit admissions of failure that pierce the veil. It's never
expressed in so many words, but the manufactured vision of a secure
organization stoically safeguarding your data falls aside once confronted
with a breach.

Instead of this current state, where we are complicit in the fictional
narrative that organizations might never be hacked, what if we all openly
admitted what the reality is and embraced it? Imagine a world where
organizations are upfront about what their cyber-loss forecast looks like.
Firms could use a Cyber Risk Quantification (CRQ) methodology to forecast
how often the firm believes it will experience a breach and, in so doing,
how much capital would be required to weather such an event. This is not a
stretch, as these firms are already required to calculate risk-based
capital (RBC) for much of their financial operations, and good practice
dictates they should include operational risk in these calculations as
well. Many banks undergo stress testing, a very public exercise that
discloses the adequacy of their RBC. This proposal would extend that into
simple-to-understand disclosures for customers.

Imagine customers choosing banks based on a selection of plain-language,
truth-in-lending-style facts that include a breach forecast, say once over
a five, seven or ten year timeline. To create this, a risk profile,
including an appropriately quantified cyber value-at-risk (VaR) metric
with a corresponding timeline, can be developed that expresses both the
good years and the bad years. Some years there will be no breaches (no
losses), but sometimes, inevitably, there will be a loss.

While regulatory agencies like the SEC are requiring increased disclosure
of material incidents, the kind of disclosure I'm proposing here would be
focused on the future: a measure to help set the expectations of the
consumers who are investing their data with an organization. Pretending
that your organization will never have a breach would no longer be an
option. Instead, when customers open a checking account or apply for a new
credit card, they would receive a disclosure from the bank saying its
current information security program is able to keep breach frequency to
about once every five years.

Another bank might be able to assert it can keep it to once every seven
years. Banks might even tie financial incentives to this metric, whereby
customers benefit if something happens before the predicted period. Any
bank operating in this marketplace that asserted no breaches, or was
silent on the matter, would be immediately revealed as having an immature
information security and cyber-risk program.

This kind of marriage of reality with consumer perspective is unlikely to
be industry driven; however, an avant-garde organization can begin to
build a reputation for good cyber-risk management and pierce the illusion
that an organization can exist without security incidents over time. Such
a cyber-disclosure statement can be valuable in helping customers
understand the reality of cyber-incidents and their exposure to loss.

It can also build a more competitive landscape for firms to use their
information-security teams as marketplace differentiators.

Much like the prospectuses we receive for our retirement investments, it’s
important to understand that losses will occur over time and there is no
reality where losses do not occur eventually. We have allowed ourselves and
others to believe that information-security incidents can be postponed
indefinitely. We need to advance the maturity of cyber-risk practices by
accepting the reality that over time, everyone fails. Information-security
program maturity is not about never having incidents, but how you respond
when they do happen.