Markets have been slow to adjust to the multi-dimensional perils of cyber risk. Even headline-grabbing cyber incidents such as breaches of Equifax, Target, Anthem, Sony and Home Depot—along with NotPetya’s devastation of Merck, FedEx, and Maersk—have thus far had only fleeting impacts on assessments of major corporations’ prospects by investors, credit rating agencies and insurers. Many insurance brokers and carriers have continued to extend cyber risk coverage, explicitly or implicitly (through “silent cyber exposure” in property and casualty policies) and pay out for damages, despite mounting evidence that the premiums they collect appear grossly misaligned with the magnitude of the risks they assume.

This disparity reflects the broader problem of a “cyber risk gap” between corporations’ exposure to cyber risks and the adequacy of their efforts to address it. Investors, insurers, credit rating agencies and others presently face this gap, and have been only slowly waking up to its magnitude.

Wyatt Hoffman
Wyatt Hoffman is a senior research analyst with the Nuclear Policy Program and the Cyber Policy Initiative at the Carnegie Endowment for International Peace.
More >

The Equifax story is especially instructive. Even though the company’s main line of business was collecting, storing and analyzing highly sensitive personal information, its cybersecurity practices were appalling, and hackers were able to exploit a known vulnerability in its online dispute portal to steal personally identifiable information, including social security and credit card numbers of 145 million Americans.  According to an investigation by the Government Accountability Office (GAO), it took Equifax 76 days to detect and eject the intruders. The GAO report documents how, in the runup to the breach, Equifax failed to fix the flaw in its portal, let digital certificates for security measures expire and did not properly isolate and manage access to databases containing sensitive information. Now, long after the breach, Equifax continues to grapple with the consequences of its negligence, including payouts to victims, lawsuits and investigations, and significant expenditures to remedy cybersecurity weaknesses amounting to well over one billion dollars according to the company.

More broadly, the Equifax breach reveals the limits of governmental solutions to the problem of cyber risk exposure of private entities under assault by not only criminals but sophisticated foreign state sponsored adversaries. No real U.S. (or for that matter other foreign) government action against the perpetrators followed. Nor did the government move quickly to remediate the incident or prevent similar ones in the future. Equifax is only now starting to face serious penalties. With no single entity clearly responsible for holding Equifax accountable, it took a barrage of investigations and lawsuits filed by 50 attorneys general, the Federal Trade Commission and the Consumer Financial Protection Bureau, along with class-action lawsuits, to extract a settlement amounting to $700 million (possibly even higher factoring in other costs and fines). The settlement requires Equifax to implement a comprehensive security program, including technical safeguards and third-party assessments, and charges its board of directors with annually certifying compliance. However, Congress and the executive branch have otherwise done little to disincentivize such lax cyber security practices in the wider corporate world or create uniform cybersecurity standards, allowing for extremely diverse state cybersecurity regulations to emerge. Such an ad hoc approach of punishing corporations for the most egregious failures only long after the event—and only after drawn-out legal battles—is hardly the most expedient way to motivate and guide the private sector toward routine and proactive cyber risk management.

Looking ahead, there are slim prospects that government action will address the predicament highlighted by Equifax. Legislation and regulation can hardly keep up with constantly and rapidly evolving information and communications technologies and cyber threats. Tailoring them to the unique circumstances and risks facing different industries and individual corporations is challenging. More fundamentally, a governmental solution to the cyber risk gap would require the will to intervene in the marketplace more assertively and to assume greater responsibility for cyber risks. In doing so, governments inevitably risk creating a moral hazard by inducing complacency in the private sector while assuming onerous obligations to defend it. Ultimately, closing the gap thus requires tapping sophisticated market forces and stakeholders.

Some private sector entities are beginning to take steps to address the cyber risk gap. Predictably, insurers and reinsurers—as they have done historically with other major risks like terrorism that have proven difficult to assess and costly to assume—are first moving to limit their exposure to cyber risks by introducing and invoking exclusions to the coverage they offer (for example invoking war risk exclusions in property policies to avoid covering cyberattacks). The industry is also taking steps to limit silent cyber exposure by clarifying coverage of cyber risks especially in property and casualty policies. Meanwhile, credit rating agencies are beginning to factor in cyber risk assessments. Moody’s recently took the step of downgrading Equifax’s rating outlook from “stable” to “negative” following the 2017 data breach of the company—the first time cybersecurity served as an explicit justification for a downgrade. While the Moody’s action is a welcome development, it occurred a full two years after the breach itself. 

Ariel (Eli) Levite
Levite was the principal deputy director general for policy at the Israeli Atomic Energy Commission from 2002 to 2007.

Moody’s decision to downgrade Equifax’s credit outlook is merely a first step on the long road toward an alignment of business decisions with cyber risk management. Moody’s itself has pronounced its longer-term intent to incorporate cyber risk exposure more systematically into its credit ratings, recently forming a partnership with the Israeli cybersecurity group Team8 to develop a global standard to evaluate corporations’ management of cyber risks. Other credit agencies including Fitch and S&P appear likely to follow suit. Yet it remains to be seen whether their efforts will go beyond surface-level evaluations of cybersecurity or address sector-wide cyber risk factors. Fully accounting for cyber risks will require a deep-dive into an enterprise’s cyber dependencies, practices and exposure to incidents. To begin to address the cyber risk gap, such assessments need to be undertaken or incentivized by a much wider set of stakeholders. Premium and coverage adjustments by insurers, due diligence processes of investors of all types and vendor-selection decisions of corporations should all reflect cyber risk considerations. The market needs to move beyond just punishing corporations after major cybersecurity failures to instead steer them toward proactive and comprehensive cyber risk management by reducing vulnerability through security controls and minimizing the consequences of cyber incidents by channeling risks to insurers.

Such a systematic adjustment will require new tools for analyzing and monetizing cyber risks, along with continuous assessment of the potential consequences of exposure for virtually every aspect of business operations. A single weak point in a supply chain, service or third-party relationship can enable devastating attacks. The costs of a breach like Equifax’s pale in comparison to the potential for widespread disruption and damage demonstrated by other cyberattacks like NotPetya—a problem that will inevitably gain significance, in light of the ever-growing dependence on cyberspace for core corporate functions, interconnectivity and reliance on standardized products. Corporations cannot completely eliminate these risks, but more proactive risk management can harden them to better withstand and recover from cyber incidents. And because complete security is unattainable, they must thoroughly evaluate and prepare for the potential consequences of incidents—from financial damages to exposure to third-party liabilities to even physical harm to property and humans. Fortunately, the tools and metrics needed to gauge enterprises’ vulnerability, monetize the potential consequences and stress-test defenses are now maturing—pioneered by analytic platforms like CyberCube, Axio, Kovrr and Arceo.

More fundamentally, closing the cyber risk gap is not just a matter of pushing individual corporations to apply the latest cybersecurity solution. It requires addressing the underlying incentives shaping how corporations generate, collect and process data, and how they develop, adopt and deploy digital technologies. So far, such decisions have largely been driven by a commercial incentive structure that encourages corporations to embrace the latest digital technologies and amass vast data without assessing the prospects and potential consequences of a cyber incident. Only by harnessing the market forces described here can this incentive structure be reoriented to create a more balanced approach—one that encourages corporations to proactively build security controls to diminish exposure to cyberattacks, and systematically implement other cyber risk reduction and resiliency measures.

Government action should be guided by and placed within a holistic approach focused on unlocking the potential of market forces to close the cyber risk gap. There’s good reason to doubt the efficacy and desirability of a government-centered solution. However, governments have an important role to play in facilitating and empowering market forces. First and foremost, they must bound the scope of the cyber risk challenge for corporations and insurers. Corporations and insurers must manage cyber risks but can’t be expected to bear the full burden of cyber aggression; governments must assume responsibility for deterring and defending against state-sponsored cyberattacks, and should pursue some backstopping arrangement that can insulate insurers from liability claims in the event of catastrophic cyber incidents—as they have in other areas such as terrorism and nuclear liability. At the same time, insurance regulators should engage insurers in a dialogue on how the industry can prudently expand its cyber coverage while managing exposure to potential systemic risks.  The same risk monetization tools described above can be harnessed to gauge insurers’ exposure and calibrate premiums—striking a balance to address regulators’ deep concerns over insurers’ solvency while they assume greater cyber risks.

Additionally, governments can make an important contribution to the private sector through a range of actions: improving information sharing on threats; providing certification and accreditation of a professional cadre to hunt cyber threats; and laying our criteria, standards and incentives for adopting and properly implementing better cybersecurity practices. Through education and training they can also greatly expand the pool of expertise required for each of these functions.  

Moody’s has taken a first step—though a small one—toward closing the cyber risk gap. Much now depends on whether and how it and other key players take this further toward motivating fundamental behavioral changes to meet the cyber risk challenge.

This article was originally published in Lawfare.