Cyber incidents cause hiccups in business-to-business contracts all the time, and the public is never going to hear about any of those incidents, Joseph DeMarco, a partner at DeVore & DeMarco, said during a panel at Metrotech’s Pfizer Auditorium Thursday.
The incidents never go public because neither party wants them to, but the parties still want protection from cyber incidents, so as an attorney he is seeing more firms require their counterparties to carry cyber insurance as a condition of doing a deal. If companies keep requiring it of each other, DeMarco said, the government may not need to mandate cyber insurance at all.
DeMarco’s remarks were made during a conversation about enterprise-level cyber risk and the role insurance can play in mitigating that risk.
The panel followed AIG CEO Peter Hancock’s lecture on cyber insurance. In February of last year, the Department of Commerce’s National Institute of Standards and Technology (NIST) released version 1.0 of a voluntary framework that companies could follow to secure their information infrastructure. The security of large companies is now seen as part of the country’s national security, so the Obama administration (in Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”) directed NIST to bring stakeholders together to come up with a framework for keeping that infrastructure safe.
NYU Law professor Judith Germano led the conversation. While the conversation ostensibly built on Hancock’s remarks, the real grounding element for discussion seemed to be the NIST framework.
The panelists were: DeMarco (also a former U.S. Attorney who took on computer hacking while in the Justice Department); Tom Finan, cybersecurity expert at the Department of Homeland Security; Cameron Kerry of the Brookings Institution (formerly of the Commerce Department); and Randal Milch, a Verizon executive.
The cybersecurity framework is broken up into three parts:
- Framework Core: Industry guidance for companies that want to get up to generally agreed-upon security practices. It organizes the work into five Functions that run concurrently and continuously: “Identify, Protect, Detect, Respond, Recover,” each broken down further into categories and subcategories of outcomes that map to existing standards.
- Framework Implementation Tiers: Four levels of rigor in risk management (Partial, Risk Informed, Repeatable and Adaptive), described so that companies can assess where their security program stands today and where it could be. A tier is a description of process maturity, not a score or a certification.
- Framework Profile: A Profile aligns the Core’s outcomes with a company’s own business needs, risk tolerance and resources. A company builds a Current Profile describing what it does now and a Target Profile describing what it wants to do; the gap between the two drives its threat-informed plan. What kind of attacks might it face? What does it hold that criminals or foreign governments might want? What could it realistically do, over time?
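To make the Core, Tiers and Profile concrete, here is a small Python model of a Current-versus-Target Profile gap analysis of the kind a practitioner would run. This is an added example written for this article, not a NIST tool and not code from any of the panelists; the five Function names and the four Tier names are the framework’s own, but the category labels, the tier assignments and the business-priority weights in the sample profile are constructed for illustration. It also uses the weighted gap to answer the panel’s “where does the next dollar go?” question for that one constructed profile, which is one defensible prioritization rule, not a NIST prescription.

```python
"""NIST CSF-style profile gap analysis (illustrative, not a NIST tool)."""
from dataclasses import dataclass
from enum import IntEnum

# The Core's five Functions, in the order the framework lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


class Tier(IntEnum):
    """Implementation Tiers: degree of rigor of risk-management practice."""
    PARTIAL = 1
    RISK_INFORMED = 2
    REPEATABLE = 3
    ADAPTIVE = 4


@dataclass(frozen=True)
class Outcome:
    """One row of a Profile: a category under a Function, with the
    Current tier, the Target tier and a business priority (1 low .. 5 high).
    The priority is assigned by the business owner; it is not part of NIST's text."""
    function: str
    category: str
    current: Tier
    target: Tier
    priority: int

    def __post_init__(self):
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown Function: {self.function}")
        if not 1 <= self.priority <= 5:
            raise ValueError("priority must be between 1 and 5")

    @property
    def gap(self) -> int:
        # Tier levels below target count; being above target is not a gap.
        return max(0, int(self.target) - int(self.current))

    @property
    def weight(self) -> int:
        # Larger gaps on higher-priority outcomes float to the top.
        return self.priority * self.gap


def gap_report(profile):
    """Outcomes that fall short of their Target tier, highest weight first;
    ties broken by the Function's order in the Core."""
    short = [o for o in profile if o.gap > 0]
    return sorted(short, key=lambda o: (-o.weight, FUNCTIONS.index(o.function)))


def next_investment(profile):
    """Return (function, totals): the Function with the largest total weighted
    gap, plus the per-Function totals, as one answer to 'what do we fund next?'."""
    totals = {f: 0 for f in FUNCTIONS}
    for o in profile:
        totals[o.function] += o.weight
    return max(FUNCTIONS, key=lambda f: totals[f]), totals


# Constructed sample profile; tiers, categories and priorities are invented.
SAMPLE_PROFILE = [
    Outcome("Identify", "Asset Management", Tier.RISK_INFORMED, Tier.REPEATABLE, 4),
    Outcome("Protect", "Access Control", Tier.PARTIAL, Tier.REPEATABLE, 5),
    Outcome("Protect", "Awareness and Training", Tier.REPEATABLE, Tier.REPEATABLE, 2),
    Outcome("Detect", "Continuous Monitoring", Tier.PARTIAL, Tier.ADAPTIVE, 3),
    Outcome("Respond", "Response Planning", Tier.RISK_INFORMED, Tier.REPEATABLE, 3),
    Outcome("Recover", "Recovery Planning", Tier.PARTIAL, Tier.RISK_INFORMED, 2),
]

if __name__ == "__main__":
    for o in gap_report(SAMPLE_PROFILE):
        print(f"{o.function:8s} {o.category:24s} {o.current.name:13s} -> "
              f"{o.target.name:13s} gap={o.gap} weight={o.weight}")
    fn, totals = next_investment(SAMPLE_PROFILE)
    print("Largest weighted gap:", fn, totals)
```

The ranking rule is deliberately simple so that the board can follow it: priority times tier gap. A real program would replace the constructed priorities with ones derived from the threat profile Milch describes below, and would revisit the Target Profile rather than treating Tier 4 everywhere as the goal, since the framework does not require every company to reach the highest tier.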
The NIST framework is at version 1.0 and will be updated as stakeholders continue to share lessons learned. Here are some notes on that framework and the participants’ thoughts on it, a year on.
- Threat profiles will define defense strategy. “No company’s threat profile is going to be the same as any other company’s threat profile,” Milch said. “Self-deception will probably be the most expensive thing you’re going to deal with.”
- Your company probably isn’t covered. “A lot of people who have insurance policies believe that their policies already cover things like a cyber loss,” Finan said. In truth, cyber insurance is, by and large, its own policy. If your company doesn’t have one that says “cyber” somewhere up at the top, it’s probably not covered. Enterprise Risk Management, or “ERM,” is a standard practice in big companies, but it usually neglects cyber risks, he said.
- Security can go too far. One way to make sure that in-house data stays in house is to limit employees’ access to the floor where their desk sits. That will limit how much information employees could get their hands on, but it would also make enterprise siloing vastly worse. If security undermines business, it’s not worth it.
- Cyber hygiene. Verizon’s annual Data Breach Investigations Report consistently shows that the vast majority of breaches could have been prevented, because they exploited known flaws in security. Just keeping your infrastructure patched and current against known threats goes a long way, Milch said.
- Where should the next dollar of infrastructure money go? Who knows. This is a question that the stakeholders hope to answer better with version 2.0 of the framework. This is the question everyone asks: What’s the best next investment? Not only does no one have a great way to figure this out yet, it’s also going to vary by industry and company.
- Boards need to be educated. Milch pointed out that corporate boards are full of successful people who got there before computers were really a thing. If the goal is for boards to take security seriously, companies need to spend the time educating their boards so that they don’t tune out when the chief security officer reports.
- Exercise your security. The more teams practice protocols, the better they get, Kerry said. Going through some breaches and false alarms made Commerce’s security team stronger, he said. There’s no need to wait for a breach: run drills.