As the rate of cyber incidents pick up and gain more attention, the demand for additional standards and regulations take hold.
But, for instance, what does it mean to follow the National Institutes of Standards and Technology’s recent publication of a cybersecurity framework meant to provide a voluntary guide for critical industries which oftentimes overlap existing industry-specific regulations, such as PCI DSS, as well as global standards?
Stefan Dietrich, senior risk and technology advisor for global expert network Eleven Canterbury told Advisen that while frameworks are needed to establish clear communication with regulators, insurers and others on how to assess and manage risk, the new frameworks are “repeating a traditional risk framework.”
“[Frameworks] treat cyber risk like any other risk, but cyber risk is no randomly occurring event. It is an arms race which has an unpredictable outcome at any given time,” said Dietrich, adding that he wondered whether insurers have the deep technical expertise needed to anticipate the vast increase of sophistications related to cyber attacks.
Frameworks, regulations and standards cannot possibly take into account the variations in business models across industries. Add an organization’s culture, risk appetite, internal politics and shifting priorities and it is easy to see how each organization’s cyber risk challenges are unique. Can a framework exist to address them all?
In other words, would the adoption of NIST have made a difference in the Target breach? Target clearly has a unique risk profile for cyber with hundreds of millions of credit cards containing financial and other personally identifiable information, which is already governed by the PCI standards and audits.
The main difficulty, as described by David Notch, president of Intensity Analytics and former CISO at Thomson Reuters, is the quantification of risk.
“All these frameworks are built and constructed out of a set of controls—whether it’s NIST or ISO or PCI—but those controls are not created equal,” Notch said. “There may be 100 [controls] but 10 of them give you 80 percent of the risk-reduction benefit.”
“With so many frameworks in existence, a large, diversified, global enterprise may need to follow dozens of standards in different industry verticals and jurisdictions. Ultimately, effective risk management requires people who are familiar with how businesses operate and can put these risk frameworks into the proper context. This is still a rare skill and not easily done,” Notch added.
Insurance carriers are looking at the NIST framework as a starting point to understand an organization’s risk profile but they are currently not able to offer incentives or penalties based upon adoption in the manner a property insurer would give credit to a home with hurricane shutters or automatic fire sprinklers.
Dietrich and Notch questioned whether that was even possible, given the incredible fluidity of cyber risk. This dynamic makes frameworks “counterintuitive,” said Dietrich.
“Putting a framework in place should reduce your risk profile but here it does very little because the risk is so fluid, and so varied,” Dietrich continued.
Corporations today know they are being hacked on a daily basis and spend billions of dollars in protection and programs to keep ahead of the next breach. But a unique attribute of cyber risk is the potential for wide fluctuations in risk due to latent vulnerabilities.
“How would the insurance industry change is the flashpoint of wood was 40 degrees lower?” asked Notch. “And someone’s house burning down in Asia affects someone’s house in New York.”
On a regular basis, large technology corporations such as Microsoft release patches for vulnerabilities that have always existed but were either just recently discovered or were known but not made public. It then becomes a race between organizations and hackers to implement the patches or other defenses before they can be exploited.
“Cybersecurity is something that you think you understand the risk because you have a history of what has happened and the damages caused, and then there is some technical evolution and it throw all of your assumptions overboard,” Dietrich said.
The government role in cybersecurity should not be to specify standards, Notch added. “They can’t cover the different vertical markets with a single standard; they just can’t,” he said. Notch said he had at least a dozen different frameworks to comply with while at Thomson Reuters.
Penalties, Notch said, would change the behavior of organizations faster than a voluntary framework. Penalties would truly affect a company’s bottom line and drive different behavior within the organization.