Cyber-disclosure statements noting how long a company can go without a breach can help customers understand the reality of cyber-incidents and their exposure to loss.
Sometimes our investments lose money. It’s not for lack of trying, indeed most investment firms make money off the growth of our investments. But despite best intentions and detailed investment plans, we sometimes end up with less than that with which we started. This can be due to outside forces like market-wide swings associated with unemployment or interest rates; it can also be industry-specific indicators, such as the way in which the new housing metric affects the home improvement market’s outlook. If you chose to read those SEC required booklets for each of your investments(instead of quickly tossing them into the recycling bin), you’d see some form of that old adage that past performance is not an indicator of future results. One could draw a similar parallel to an organization’s cyber-risk profile as well.
Any single organization may go years without a security breach, and during this time, it’s easy for them to think they may never get hacked, and that all those other breaches going on around them are due to their superior practices or low profile. They may (implicitly) believe their governance structures and reporting are so on point that the things being done are good enough to fend off attackers indefinitely. In fact, this complacency can effect an organization such that they no longer invest in security the way they should. Critical things can be cut, such as staff, training funds and upgrades for technologies and capabilities. Even basic security hygiene functions like patching and endpoint protection can be jettisoned or pared back significantly. Inevitably, this state of security atrophy leads to a breach.
An organization’s response to this scenario is now tautological: These organizations “take it seriously,” offer credit monitoring, and more often than not, change their senior security leadership. These responses are really implicit admissions of failure that pierce the veil. It’s never expressed in so many words, but the manufactured vision of a secure organization stoically safeguarding your data falls aside once confronted with a breach.
Instead of this current state, where we are complicit in the fictional narrative that organizations might never be hacked, what if we all openly admit what the reality is and embrace it. Imagine a world where organizations are upfront about what their cyber-loss forecast looks like. Firms could utilize a Cyber Risk Quantification (CRQ) methodology to forecast how often the firm believes they will experience a breach and in so doing, how much capital would be required to weather such an event. This is not a stretch as these firms are already required to calculate risk-based capital (RBC) for much of their financial operations and good practice dictates they should include operational risk in these calculations as well. Many banks undergo stress testing, which is a very public exercise, that discloses the adequacy of their RBC. This proposal would extend that into simple to understand disclosures for customers.
Imagine customers choosing banks based on a selection of plain language, truth in lending-style facts that include a breach forecast, say once over a five, seven or 10 year timeline. To create this, a risk profile, including an appropriately quantified cyber value-at-risk (VaR) metric, with a corresponding timeline, can be developed that express both the good years and the bad years. Some years, there will be no breaches (no losses), but sometimes, inevitably, there will be a loss.
While regulatory agencies, like the SEC, are requiring increased disclosure of incidents that impact materiality, this kind of disclosure I’m proposing here would be focused on the future; a measure to help set the expectations of the consumers who are investing their data with an organization. Pretending that your organization will never have a breach would no longer be an option. Instead, when customers open a checking account or apply for a new credit card, they will receive a disclosure from the bank saying their current information security program is able to keep breach frequency to about once every five years.
Another bank might be able to assert they can keep it to once every seven years. They may even be able to tie financial incentives to this metric, whereby customers benefit if something happens before the predicted period. Any bank operating in this marketplace that asserted no breaches, or were silent on it, would be immediately revealed as having an immature information security and cyber-risk program.
This kind of marriage of reality with consumer perspective will likely not be industry driven, however, an avant-guard organization can begin to build a reputation for good cyber-risk management and pierce the illusion that an organization can exist without security incidents over time. Such a cyber-disclosure statement can be valuable in helping customers understand the reality of cyber-incidents and their exposure to loss.
It can also build a more competitive landscape for firms to use their information-security teams as marketplace differentiators.
Much like the prospectuses we receive for our retirement investments, it’s important to understand that losses will occur over time and there is no reality where losses do not occur eventually. We have allowed ourselves and others to believe that information-security incidents can be postponed indefinitely. We need to advance the maturity of cyber-risk practices by accepting the reality that over time, everyone fails. Information-security program maturity is not about never having incidents, but how you respond when they do happen.
Jack Freund is director of risk science at RiskLens, former director of cyber-risk at TIAA and co-author of the FAIR standard.