In AT&T’s 2017 Global State of Cybersecurity survey, 28% of respondents saw cyber insurance as a replacement for cyber defenses. Part of the issue is frustration with the apparent lack of effectiveness of cyber spend in reducing the prevalence in incidents, while part of the issue is a desire to make this problem someone else’s problem. But the fundamental issue is actually a misunderstanding of risk management.
One of my favorite similes in Information Security is that risk is like energy, it cannot be created or destroyed, rather, it simply changes forms. Risk has four forms of treatment: acceptance, avoidance, mitigation, and transference. All risk, whether identified or unidentified, falls into one of the four categories. Information Security is a risk mitigation strategy and cyber risk insurance is a risk management strategy. Therefore, if you were to ask me if you should mitigate risk or transfer risk, my answer would be “Yes”. You should do both to varying degrees, and the proper amount of investment in each is dependent on the risk profile of your organization, but asking whether you should do one or the other indicates a misunderstanding of risk and risk treatment. Therefore, even though most readers are likely familiar with the terms defined below, it is clear that understanding of these terms is not ubiquitous.
This is the default strategy. If you were to do nothing at all to identify or treat the risk in your business, risk still exists. Consequently, ignorance of risk is de facto acceptance of that risk. Put another way, in order to apply any risk treatment strategy other than acceptance, the risk must be identified and treated. If risk isn’t identified, the vast majority of risk is automatically accepted. Risk acceptance isn’t necessarily bad, so long as it is identified and consciously accepted by someone who has the authority to accept the level of risk on behalf of the organization. I often tell people that CISOs that get in the business of accepting risk on behalf of the organization are the reason why the average tenure of a CISO is so short. Some minor risk can be accepted by the business units, but risk acceptance is generally the domain of the CEO.
Risk avoidance is sometimes popular in organizations with limited resources because it has no direct cost. This strategy essentially says if something is risky, we will simply not do it. The classic example of Risk Avoidance is turning off USB access for all employees because you are concerned sensitive data will leak. A risk mitigation strategy for loss of sensitive data is to deploy a Data Loss Prevention technology, but those technologies may appear to be expensive to deploy and maintain, so the organization instead chooses to disable a core capability of their organization’s computing environment. While disabling the capability may not have a direct cost, there is often a significant opportunity cost manifested by lost productivity in doing so. Since risk avoidance is generally accomplished by limiting features of the IT environment, risk avoidance or the lack thereof is likely the domain of the CIO. While risk avoidance can be a problem from an opportunity cost perspective, it is often more of a problem when a CIO deploys a change or a technology that deprecates the avoidance of a risk without working with the CISO to mitigate that risk and instead accepts the risk on behalf of the CEO. This is a recipe for disaster that manifests itself time and again.
The entirety of cyber security falls into risk mitigation. Everything the CISO does is a mitigation strategy whether the solutions he or she deploys are people, process, technology solutions or any mix of the three. It is notoriously difficult to quantify risk mitigation as it is hard to quantify what didn’t happen but likely would have happened if a specific control was not in place. However, since risk does not get created or destroyed, it is much easier to quantify accepted or avoided risk. Looking at risk mitigation as movement from one of the other categories allows an organization to quantify risk in their environment and therefore define the benefit of the aggregate of their risk mitigation strategies against their cost.
Risk Transference is the classic insurance use case. The problem with risk transference is that you can only transfer risk for the direct costs associated with an incident. While this is a minor problem for insurance products like home and auto, it is a major issue for cyber risk insurance given that a full 66% of an average breach in the United States is categorized as an indirect cost. Put another way, if you are one of the 28% of companies that use cyber risk insurance as a replacement for cyber defense, your best case result is that you have transferred 34% of your risk and accepted 66%. In reality, you have likely not identified and transferred all risk factors, so you are likely accepting upwards of 80% of your risk. If you are the CEO and highly risk tolerant, this might be an acceptable strategy, if you are not, you likely don’t have the authority to make such a bold decision. Because risk transference is a strategy that is generally associated with buying down identified risk, it is most often the domain of the CFO.
The Genius of the AND
Jim Collins is an influential author of business philosophy books who has a multitude of quotable sayings, but one of the concepts that he is known for is the tyranny of the OR and the genius of the AND. This is applicable to risk management in a profound way. Those that are asking if they should buy a cyber risk insurance policy OR deploy cyber defenses are asking the wrong question. Essentially, a healthy organization should have Risk Mitigation strategies AND Risk Transference strategies AND Risk Acceptance Strategies AND likely some Risk Avoidance strategies. Ultimately, the quantity of risk and the likelihood that risk materializes are the factors that should go into the calculation of a Risk Transference premium, so it could be argued that Risk Transference should be the final strategy deployed in order to avoid accepting risk that cannot be mitigated or avoided. Unfortunately, too many organizations are trying to finish before they start and leading with the end.
While all four risk management strategies are important to treat risk in an organization of any size, it is important to ensure we do not allow frustration to prevent us from deploying sensible risk mitigation strategies. The truth is there is no easy button. That includes cyber risk insurance. It’s true that cyber risk insurance is a relatively immature market, but regardless of how much it matures, it will always be a part of the equation of how to treat risk and not the answer. Just as light energy and heat energy are inextricably linked, risk mitigation, risk transference, risk avoidance, and risk mitigation will always be components of a sensible risk mitigation strategy. The proportions of each will vary by organization, but they will all be omnipresent. So the answer to the question of whether an organization should buy a cyber insurance policy or build a program to mitigate as much risk as possible, is “Yes!”, and it always will be.