Cyber Risk Beyond Compliance
Aspirin, Antibiotics, Surgery or Real Prevention and Cyber Health?
By: Stephen M. Soble and Jack Dufrene
*********************
The risks are ponderous, the exposures beyond most calculation, and the responsibility unrelenting. With the advent of cyber compliance regulations, the insurance industry faces baseline standards and a host of off-the-shelf solutions to deal with the pain, but the profound goal may well be lost as C-Suiters, GCs and brokers select aspirin or antibiotics or even surgery, yet fall short of the real test of cyber wellness: a sustained defense that won't require ongoing, costly visits to the pharmacy or the emergency room. There is a solution that has been developed by the top guns of cyber protection, now in the private sector, having left the service of major government intel agencies. Here is their thinking. SA
*******************
Cyber-attacks ranging from the recent WannaCry ransomware worldwide incident to the infamous Struts 2 attack, which stole online banking credentials a few years ago, are only two of hundreds of documented cyber-attacks. Nearly daily, data breach incidents plague virtually every industry. And there are so many alerts of a possible attack from devices on the networks of major institutions that a new genre of tool has been developed to distill truth from fiction before the consequences occur.
And yet, when it comes to cyber risk insurance, despite years of trying to create a cyber insurance line which works for insurers and insureds alike, the insurance industry has been pursuing an insurance strategy for cyber risks more akin to a trip to Las Vegas than to a traditional insurance model.
Lots of hype. Lots of "What Happens in Vegas, Stays in Vegas" thinking. But even serious thinking about risk identification, measurement and risk mitigation has, heretofore, been incomplete.
The essence of genuine insurance is missing. Insurance is financing the Digital Age. Only insurance links risk, loss, and recovery from damage. Bonds, stock, annuities and other instruments cannot do what insurance can.
Perhaps the reality that cyber-attacks cause permanent damage to reputation gives us some pause. We are all enamored with the fact that boards of directors, clients, and prospective clients are so confused, if not fearful, about cyber-attacks that they now sometimes clamor for a cyber insurance policy. And like a good Las Vegas stage show, we all want to give the customers what they want, and we want them coming back for more.
How should cyber insurance work? We would like to empower the insurer and insured to understand objectively what their risks are, how to measure risk, how to mitigate those risks, and in the process, bring down the risk and the premiums for such insurance. If you can't truly measure the risk, you can't properly fix the premium. And from a customer satisfaction perspective, the insurance broker ought to be equipped with a tool which turns him or her into a key member of the trusted risk advisory team for the insured.
To date, this has not happened. But that is about to change.
Assured Enterprises has innovated the winning formula to usher in this change. Assured Enterprises is a different breed of company. We ask tough questions and many more of them than others in the field. We believe in hard engineering and science. We find scalable answers and we rely on solid data. We are at the beginning of a new era for insurance in the Digital Age. What follows is not an advertisement for us, but a look at what needs to go into a meaningful, sustainable program.
Crossroads
The Digital Age has reached a crossroads. We have the technological means of exchanging a vast and specific array of zeroes and ones (the binary language of the digital world). Yet hardly a day goes by without news of someone getting hacked. And the hacks, with ransomware, data theft and data manipulation, are, incontrovertibly, on the rise. In fact, the loss history attributed to cyber-attacks is about $500 Billion per year.
Sound cybersecurity is a sine qua non of the next phase of the Digital Age for the world of commerce. How can we allow autonomous vehicles without solid cybersecurity? How can auto insurance address this risk of loss? How can an auto insurer know whether the hack of IoT software or communications within the autonomous vehicle caused an accident? How can we shop online? How can we allow drones to deliver packages to our door? How can we bank online? The true losses of online shopping, banking and the future risk of automated package delivery and autonomous vehicles are mind boggling losses, taken together.
How can we buy and sell stocks and bonds without securing those exchanges with exceptional cybersecurity? And do we just trust the name brand of the provider? Major banks have been hacked, from PNC to JP Morgan to the Central Bank of Bangladesh. The entire economy, and the cohesive feeling of connectedness which helps to define a vibrant polity, is under siege. How can we invest in a new technology without knowing whether it is likely to be hacked? How can a company pursue a merger or acquisition without knowing whether their prospective partner is about to be hacked or, worse, has been hacked and just doesn't know it? Remember the Yahoo! cyber-attack and the impact which those revelations of an ongoing hack had on the purchase price from Verizon? Between the loss in purchase price and the cost of the hack, probably a cool billion dollars was lost.
Can anyone name another industry in which society and the insurance industry would tolerate $500 billion in losses? We can't. Improperly constructed aircraft never get off the assembly line. Defective power plants rarely get built. But when it comes to the assets which companies have built up over time (intellectual property, confidential business arrangements, plans for new product releases, operational efficiencies, and even money), we are all at risk in the new Digital Age.
How Did This Mess Come About?
About thirty years ago, DARPA funded a program which enabled university research scientists to share electronic data over a network across the globe. No one thought about security. No one thought about the risk or the losses which could arise from stolen or disrupted data. University professors are a reliable lot, right? One of the earliest well-documented cases of cyber-attacks was unveiled in the good read, The Cuckoo's Nest by Clifford Stoll.
As the Internet morphed into a tool for everyone, as the world of personal computing took hold, as the mobility of computers became the smartphones and tablets of today, we, as humankind, were so enamored with the versatility, the innovation, the upside of new business and financial models that we simply did not pay thoughtful, careful attention to the issue of security. We had neither a market nor a governmental mechanism to insist that serious security be built into the very fabric of the Internet and of those devices permitted to access it.
The constructive standards of privacy and security clashed with the commercial exigencies of speed to market, technological improvement, the freedom and equality created by smartphones in emerging market countries, and other factors. This gave rise to the disconnect between genuine cybersecurity and technological development in the Digital Age. Twenty-five years ago, spending on software games outstripped spending on security by a factor of more than 10 to 1. It hasn't changed today.
And the Old-School advocates of cybersecurity solutions (those selling aspirin, antibiotics or offering snake-oil surgery) were, and still are, part of the problem, not part of the solution. The Old-School relies on signatures and rules; that's how your anti-virus protection and firewalls work. There's nothing wrong with this, except that it is easy for a hacker to find a way around the rules and to change signatures, so relying only on these solutions creates a false sense of security and a reality of low security. Then we had the rage of end-point solutions: everyone had a silver bullet designed to stop one problem. And any company which went for this plan spent a great deal of money on toys which didn't work well together and which still allowed the hackers easy access to their networks. Great for the revenue stream of the cybersecurity providers, but were companies even buying things which they needed? And what was the ROI on these purchases, especially if one continued to get hacked?
The Old-School model has been built on the model of "buy my protection" (which won't work), "know that everyone will get hacked" (which Assured believes is passé thinking), "but be sure to call me in once you get hacked." This approach is obscenely lucrative for the Old-School cybersecurity firms. When a client is in crisis mode, they tend to overspend and to throw more money at the problem than warranted, especially if the provider has the reputation or relationship with the board of directors that exudes an air of confidence. Actual solutions? Not so much. Adhering to the mantra of "No one gets fired for hiring XYZ" (we have all heard it before) drowns out other approaches. From the perspective of a business model to be discussed in business school, it is a brilliant model for the cybersecurity provider. But it could prove devastating for the customer or the victims of data breaches.
And, lo and behold, now we are deep into the first phase of the Digital Age and we are all emperors at a nudist colony. Speaking of which, would the insurance industry provide insurance to those emperors against mosquito bites, without even knowing how to deter, deflect or eliminate the likelihood of mosquito bites? And without the ability to measure the likelihood of occurrence or loss from each bite? Yet that is exactly how Old-School cyber insurance operates. Lots of emperor-customers. Few, if any, hard insights into the risk and impact for each individual client.
The misunderstanding of this fundamental problem led Assured first to create a new engineering archetype, a legitimate paradigm shift. We focus on the data. We gather the data. We analyze and correlate the data to determine risk. No predictive analytics; no rules or signatures; no artificial intelligence, which is often a disguise for some new rules; and no double speak.
How do we know how to do this? Our engineers. We have executives who handled some of the most sensitive digital security issues for the US Department of Defense and the Intelligence Community. We have engineers who devise innovative pathways to solve hard problems. We believe in the value of critical thinking. We are the guys who keep asking "What if?" and "Why not?" There are no lemmings on our team.
The Core
As one might expect, the core of our excellence is engineering. We have a superb team of hard core, nerdy cybersecurity engineers, comfortably facing the challenges of innovation.
What one might not expect is the excellence of our leadership superstructure. We have members of our board of directors who have served in the intelligence community, defense department and in sensitive positions where they had major responsibilities for cybersecurity. We have added to these policy leaders a very active board of advisors which includes a former deputy undersecretary of defense, responsible for cybersecurity in mission critical areas; a former deputy secretary of energy; a member of the private sector team of ten experts assembled by President Obama to advise on the relationship between government and private sector needs in cybersecurity; a member of the defense science board; and a seasoned businessman who has served on the board of directors for Fortune 500 companies, for an aggregate of over 55 years.
Solutions
We founded the company because we believe that a multi-layered approach to cybersecurity makes sense. We devised a system of seven-plus independent, yet interlocking, layers of protection, so that clients could deploy the products which gave them the best ROI without having to over-purchase. Then we asked ourselves: How do we know what solutions people need?
And this opened Pandora's Box. We had to be able to assess everything affecting cyber risk. Our system needed to be dynamic, comprehensive and tailored to each client, yet scalable. And because this is incredibly difficult and complex, it has never been done before. In fact, no one has even come close.
Thus, the rationale for inventing TripleHelixSM, the world's most comprehensive cyber risk assessment system.
Here is how it works:
Measurement
Cybersecurity poses a complex challenge for organizations of every size in every industry. And the challenge continues to grow while executives, boards of directors and technical staff attempt to stay out of the headlines, meet compliance standards and cost-justify security.
With increased pressure to protect data and the growing list of standards and regulations surrounding cybersecurity, C-Suites and Boards know they must address the challenge together with their technical staff in order to mitigate the risk of cyber-attacks. Just think about the NYS DFS Cybersecurity Regulations, which apply to even small companies in banking, finance and insurance, or the European Union's GDPR, which applies to every entity in the world that processes identifying information belonging to any EU citizen. Fines under the NYS regulations are steep, but under GDPR they are astronomical. Fines for non-compliance with GDPR are a minimum of 20 million, but may rise to 4% of the last year's annual revenue worldwide for any subject company. An insurance program which addresses this risk of exposure should be an invaluable, constant part of every major company's governance, risk and compliance program.
Until now there has been no clear methodology to link a client's cybersecurity efforts to cost-efficient choices. Without reliable metrics, how can one benchmark cyber health today and measure the ROI of what might be expensive efforts to remediate or to improve cyber health in order to reduce risk?
TripleHelixSM
With TripleHelixSM, Assured Enterprises built the most comprehensive risk assessment system available, which gives organizations the capability to quantify and measure their cyber risk. It provides the granular information to inform legal, insurance, compliance, and audit professionals.
It is well-suited for government agencies, commercial enterprises and critical infrastructure. With TripleHelixSM, Assured's clients receive a clear picture of their current cybersecurity posture, and a comprehensive, written Roadmap that details cost-effective improvements to their environment that can be implemented immediately, while also laying out a plan for future improvements which they can plan and budget for methodically. You need clear-cut recommendations for improvements to your cyber health. Why settle for a pass/fail mark without any guidance?
The TripleHelixSM risk assessment system analyzes:
- Cyber Maturity: reveals existing gaps, weaknesses, and vulnerabilities in the client's organization.
- Threats: identifies the bad actors that pose the threats relative to the client's organization, including state-sponsored adversaries, hacktivists, organized crime, commercial spies, insider threats and more.
- Impacts: evaluates the impact of potential cyber breaches from the vantage point of data, reputation and monetary loss, theft of intellectual property, legal ramifications, fines and other factors.
The correlation of these three strands yields a proprietary CyberScore®, a three-digit cybersecurity score akin to a FICO® score, that allows the management team to benchmark and to evaluate security readiness. The Assured CyberScore® empowers a CISO to chart a recommended course for improvement, even for a period of years, with a focus on what is most important for the organization, not on the latest fad in the cybersecurity marketplace.
TripleHelixSM captures thousands of data points in 25 different categories, which is far more comprehensive than any other assessment on the market. Additionally, we also use multiple system analysis tools that identify vulnerabilities, gaps and ongoing attacks. It is capable of measuring not only technical risks, but risks resulting from policy and procedural gaps. Plus, it has a unique focus on insider threats.
Assured uses a unique tool which identifies ongoing data breaches and allows us to remediate the attack immediately. As a corollary, Assured can provide a data breach detection continuous monitoring tool, to protect the client's data with a daily scan.
Covering All the Bases
At the end of TripleHelixSM, the client enterprise receives three important deliverables. First, a Roadmap with objective recommendations to improve cyber health, reflecting policies, procedures, software, hardware, and more.
Second, TripleHelixSM delivers an understandable CyberScore®, as noted above.
Finally, most organizations are subject to multiple compliance standards or regulations. Instead of having to conduct multiple assessments (often with multiple vendors) to address compliance requirements for an organization, TripleHelixSM offers a one-stop, cost-effective, comprehensive assessment with the option of delivering virtually any regulatory compliance cyber report into a personalized Regulatory Compliance Dossier.
Regulatory Compliance Dossier
TripleHelixSM offers a one-stop, time- and cost-effective, comprehensive assessment and gives the client the option to have virtually any regulatory, compliance or best practices report prepared and delivered into the client organization's own Regulatory Compliance Dossier. Imagine having the regulatory agency's report before the regulators ever arrive. TripleHelixSM ensures accuracy and demonstrates intent to achieve proactive cybersecurity and to begin the client's remediation plan before the regulators deliver their critique.
GDPR, PCI, HIPAA, NYS DFS, FISMA, FFIEC, NCUA, NIST, ISO and many other reports are now integrated into TripleHelixSM. If an organization needs a report which isn't already integrated into TripleHelixSM, Assured will integrate it for a client at no additional cost. (The actual report is not free, of course.)
The reports delivered within the Regulatory Compliance Dossier permit a company to anticipate and to remediate questions which might arise from the visit of a regulator. Moreover, these reports serve as a reliable double-check on the regulator's accuracy.
Deep Software Scanning is Essential
How is it that hackers seem to have such an easy time getting into so many networks?
As we were building TripleHelixSM, we realized that, according to the most prestigious data breach reports (Verizon, HPE, NTT, Software Engineering Institute, etc.) between 70% and 99% of all successful cyber-attacks exploit known vulnerabilities in the software. Knowing this, Assured scoured the market for a scanner that could identify these known vulnerabilities in software. Such a tool would be valuable in assessing cyber risk clearly. Unfortunately, no such tool existed. So, we built our own: AssuredScanDKV®.
AssuredScanDKV® is the only deep software scanning tool which Detects Known Vulnerabilities (hence, DKV) at the binary level in every version of the software resident on a network. Now there is some engineering jargon to explain!
AssuredScanDKV® is a patent-pending technique which allows us to unbundle the bundled sections of the software code (executables) so that we can read all of the libraries. Yes, more engineering talk!
Let's explain this in layman's terms:
When software is newly developed, responsible software developers use a variety of tools to ensure that they have followed the best code development practices to guard against security defects. However, over time new vulnerabilities crop up in the world. NIST (the National Institute on Standards and Technology) adds over a hundred new vulnerabilities to their database each week, on average.
How do we find whether those newly identified vulnerabilities are in the software we are using? The answer is that before AssuredScanDKV® there was no comprehensive way of doing this.
And the reason why no one was conducting this essential scanning turns on the simple fact that most of the software code in a typical software package consists of well-known, tried and truly performing libraries, dynamic loading libraries, and executables. Because these code elements are so reliable, they constitute over 80% of all applications, speeding development and ensuring performance. Once they are bundled together, we discovered, no scanner on the market could get down to the binary level (the zeros and ones) that makes up the actual software.
And that is why AssuredScanDKV® represents a patent-pending breakthrough. We unpack or unbundle the executables so that we can detect software vulnerabilities within all components of the applications at the binary level. No one else can do this.
As cool an engineering tool as this might be, we needed to make it useful, really useful. So this tool is not a mere monitor, capable only of detecting holes. We added features. We prioritize the vulnerabilities found so that we can advise on the order in which to remediate detected vulnerabilities. We also provide the precise remediation information so that the client can remediate their own proprietary software, or we can jump in and provide that service.
By the way, on our website we have an approved Case Study from the US Department of Defense which explains that our tool detected known vulnerabilities in mission critical, proprietary software, even in a lab which had run many other scanners, including those claiming to compete with us. According to the other scanners, the DoD software was free of vulnerabilities. AssuredScanDKV®, however, found many vulnerabilities in every software package we evaluated.
And AssuredScanDKV® does not require access to source code, nor to any data which the user created with the software. We just find the holes in the software and show you how to fix them, or if you like, we fix them for you.
Now to take this hard science and make it easy to understand: as part of a TripleHelixSM assessment, we simply employ AssuredScanDKV® to find the vulnerabilities in software and to provide a remediation plan, if warranted.
Reduce the Risk, Improve Cyber Health
Let's step back and see what the action plan might be to improve cyber health.
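To make the unbundle-and-match idea concrete, here is a small added Python example; it is not Assured's code and not AssuredScanDKV®. It pulls library version banners out of a constructed executable blob (no source code or user data needed), cross-references them against a constructed stand-in for the NIST vulnerability feed, and orders the findings by severity to give a remediation order. The library names, vulnerability IDs, CVSS values and banner format are all hypothetical.

```python
"""Toy illustration of binary-level detection of known vulnerabilities (DKV)."""
import re
from dataclasses import dataclass

# Hypothetical "name/major.minor.patch" version banner, of the kind many
# libraries compile into their binaries. Real scanners use many more signals.
_MARKER = re.compile(rb"([A-Za-z][A-Za-z0-9_-]{2,30})/(\d+\.\d+\.\d+)")


def parse_version(text):
    """'2.4.10' -> (2, 4, 10), so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in text.split("."))


def extract_components(blob):
    """Return sorted unique (library, version) pairs found in raw bytes.

    Only the bytes of the executable are inspected: no source code and no
    data the user created with the software, as the section above notes."""
    found = {(m.group(1).decode(), m.group(2).decode())
             for m in _MARKER.finditer(blob)}
    return sorted(found)


def version_affected(version, start, end):
    """True when start <= version < end (half-open, like NVD's
    versionStartIncluding / versionEndExcluding fields)."""
    return parse_version(start) <= parse_version(version) < parse_version(end)


@dataclass(frozen=True)
class Finding:
    library: str
    version: str
    vuln_id: str
    cvss: float
    fixed_in: str  # first version outside the affected range


def match_known_vulns(components, feed):
    """Cross-reference extracted components with a known-vulnerability feed."""
    findings = []
    for lib, ver in components:
        for e in feed:
            if e["library"] == lib and version_affected(ver, e["start"], e["end"]):
                findings.append(Finding(lib, ver, e["id"], e["cvss"], e["end"]))
    return findings


def prioritize(findings):
    """Highest CVSS first, so the remediation order is risk-driven."""
    return sorted(findings, key=lambda f: (-f.cvss, f.library, f.vuln_id))


# --- Constructed sample data (hypothetical libraries, placeholder IDs) ----
# A fake "executable": header bytes, padding, three embedded library banners.
# barcompress is present but its version lies outside the vulnerable range.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 40
    + b"libexamplecrypt/1.0.1\x00" + b"\xde\xad\xbe\xef" * 8
    + b"fooimage/2.4.9\x00" + b"\x00" * 16
    + b"barcompress/3.1.0\x00" + b"\x90" * 32
)

# Stand-in for the NIST vulnerability database the text refers to.
SAMPLE_FEED = [
    {"library": "libexamplecrypt", "id": "VULN-EXAMPLE-0001", "cvss": 9.8, "start": "1.0.0", "end": "1.0.2"},
    {"library": "fooimage", "id": "VULN-EXAMPLE-0002", "cvss": 7.5, "start": "2.0.0", "end": "2.5.0"},
    {"library": "fooimage", "id": "VULN-EXAMPLE-0003", "cvss": 5.3, "start": "2.4.0", "end": "2.4.10"},
    {"library": "barcompress", "id": "VULN-EXAMPLE-0004", "cvss": 6.1, "start": "2.0.0", "end": "3.0.0"},
]


def scan(blob=SAMPLE_BINARY, feed=SAMPLE_FEED):
    """Full pipeline: extract components -> match feed -> prioritize."""
    return prioritize(match_known_vulns(extract_components(blob), feed))


if __name__ == "__main__":
    for f in scan():
        print(f"{f.cvss:4.1f} {f.vuln_id} {f.library} {f.version} -> upgrade to {f.fixed_in}")
```

Note that `fooimage 2.4.9` is correctly caught by the `2.4.0` to `2.4.10` range only because versions are compared numerically; a plain string comparison would miss it.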
- Conduct a TripleHelixSM cyber maturity analysis, including a deep scan of software to detect known vulnerabilities, AssuredScanDKV®, as well as other tools that scour networks, SCADA, and business systems for cybersecurity gaps.
- As part of this, we run a comprehensive threat assessment, which focuses on adversaries from nation-states to insiders, from hacktivists to supply-chain threats, and more.
- We also evaluate cyber readiness with a focus on assessing the impacts of potential data breaches from the perspective of both likelihood of a successful breach and likely monetary cost of a foreseeable data breach.
- We study and analyze the data collected in order to produce a Roadmap which provides options for improvements, considering cost-effectiveness in the client's environment.
- We correlate and issue a CyberScore®.
- We provide a unique Regulatory Compliance Dossier that includes any reports which the client may need.
Before TripleHelixSM, the process of satisfying the latest compliance requirements, standards and best practices was an exhausting, time-consuming, expensive and thankless task. More importantly, without TripleHelixSM, you simply have no way to achieve true visibility into the risk inherent in your enterprise. Reduce the Risk. Improve your Cyber Health.
What This Means for Cyber Risk Insurance
Imagine the future with a solid cyber risk insurance policy:
With CyberScore®, we layer the analysis so that we can determine:
- Whether a prospective insured is insurable (under the cyber risk policy).
- The maximum coverage possible.
- The pure premium for each insured, based on industry, key factors, and personal history.
- The appropriate program for evaluating improvements to cyber health.
- The benchmarking of the prospective insured's comprehensive cyber health.
- The measurement of changes in the CyberScore® arising from the adoption of improvements and remediation actions.
- The ROI on the cost of those improvements and remediations for the prospective insured.
- Targeted improvements in cyber health which will impact the amount of coverage for which the prospective insured may be eligible and improvements in the premium charge, based on genuine lowering of risk factors.
Some of this can be done wholly online in a few hours. Some requires the execution of the full TripleHelixSM assessment.
Managing Continuous Improvement
The results of a TripleHelixSM assessment include two critical components: a unique CyberScore® that distills Assured's comprehensive analysis into one easy-to-understand number, and a Roadmap of detailed options for consideration to improve the client's cybersecurity posture and CyberScore®.
Cybersecurity is an ongoing process requiring changes and updates to keep ahead of the threats. TripleHelixSM is designed for annual use, with periodic updates of the CyberScore® to measure the improvements from remediation and other actions.
Assured sees the requirements of security as affecting everything that comprises the data of our world. We are mindful of the power of the Digital Age. To this end, we are incorporating cybersecurity solutions into a full array of biometric technologies, with our strategic partner, Qafis, Ltd. of the Netherlands. Together, cybersecurity and biometrics will provide the next generation of critical infrastructure security. And with other strategic partners, new technologies will be employed to build out the solutions called for by the TripleHelixSM assessments.
Proactive cybersecurity is possible. Genuine risk assessment, based on hard-nosed factual engineering data and basic science is here. And, this is the story which will soon begin to change the cyber risk insurance world for the better.
Think well past the aspirin and antibiotics.
********************
About the authors:
Stephen M. Soble is Chairman and CEO of Assured Enterprises, Inc.
Jack Dufrene is Chief Technology Officer of Assured Enterprises, Inc.
More Information:
AssuredScanDKV® Deep Software Scanner
TripleHelixSM: Comprehensive Cyber Risk Assessment System