As the power struggle rages on in cyberspace, the cyber battleground still remains full of unknowns, including the major players, the minor players, and the rules of war. In the hidden battlefields of cyberspace, the casualties have been quietly piling up. It seems all nations have been hit and/or are at risk of being hit. No nation is being spared: not its government, industries, organizations, or academia (NGIOA), and not its common citizens.
With the war moving to cyberspace, it is necessary to recognize that, while the best defense is a good offense, constructing proactive security risk defenses rather than passive ones becomes a necessity for survival as well as sustainability, not only in cyberspace but also in geospace and space (CGS).
As the internet has grown exponentially in its reach and scope, so has every NGIOA's dependence upon cyberspace for social, economic, governance, and security functions. Each nation has reached a significant decision point today, as it must not only continue to defend its current systems and networks in geospace and space but also attempt to get out in front of its challengers and competitors in cyberspace. In order to build on the good, to be prepared for the bad, and to face the unknown, there is a need to create new, effective cyber abilities.
The fierce mapping of cyberspace has already begun, and security breaches have become a fact of life. Amidst that, the important questions are:
- How do we secure cyberspace?
- What are the cyber-security risks?
- What is the actual cost of a cyber-security breach to a nation and its entities?
- Do we understand cyber-security risks and their impact?
- Can entities afford the increasing costs of cyber-security breaches?
When the expense of dealing with a cyber-security breach is getting higher day by day, it is important to evaluate how the cost of a cyber-breach can be effectively minimized and managed. This is where risk management comes into play!
Before we go further, it’s important to consider how entities should evaluate cyber-security risks:
- Entities need to begin by identifying and understanding their independent as well as collective assets in CGS.
- Entities need to identify and understand their vulnerabilities in CGS.
- Entities need to identify and understand their threats in CGS.
The reality today is that any entity within any NGIOA has the potential for loss, damage, or destruction of its assets in cyberspace, geospace, and space as a result of a threat brought on by cyberspace. When entities evaluate cyber-security risks, they will see that there is a clear linkage between cyberspace threats, vulnerabilities, and assets. When conducting a cyber-security risk assessment, the formula that should be used to determine cyber-security risk is: CGS Assets + Cyberspace Threat + Security Vulnerability = Cyber-Security Risk. In other words, a risk exists only where all three are present: an asset worth protecting, a threat capable of acting against it, and a vulnerability the threat can exploit.
If we don’t understand the difference brought on by cyberspace, we will never understand the true risk to our NGIOA assets.
Now, identifying and understanding cyber-security risks is one thing, and managing them effectively is another thing altogether. Cyberspace has brought each and every entity a liability, due to the security risks posed to assets in CGS that may or may not belong to them. Amidst that, the big question today is how any entity within any NGIOA across nations can insure its cyber-security liability, individually and collectively. The answer may lie in cyber insurance!
Cyber-insurance is a risk management (risk transfer) technique via which cyber-security risks can be transferred to an insurance company in return for a fee. While cyber-insurance is already here in some form, whether it will become a meaningful risk transfer tool for the security of assets in CGS and grow in the coming years remains to be seen.
When entities evaluate purchasing insurance to specifically protect against losses from cyber-crime, what is important to understand is whether cyber-crimes can actually be managed with cyber insurance. While we know that cyber insurance is in its infancy and is evolving, there is no doubt that the insurance industry has a significant role to play within the cyberspace value chain and ecosystem to help shape a true offensive model for combating cybercrime.
At the moment, cyber liability insurance largely consists of data breach/privacy crisis management coverage, which covers expenses related to the management of a security incident: the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance, and regulatory fines. In many cases, it also includes multimedia/media liability, which covers third-party damages such as defacement of a website and intellectual property rights infringement. Some cyber liability coverages also include extortion liability, which covers losses due to a threat of extortion, the professional fees related to dealing with the extortion, and so on.
In addition to incorporating all relevant cyber-security events, an effective cyber liability policy will need to ensure that all potential cyber-security risks are fully catered for. However, when what constitutes cyber-security is still not clear to most, it is completely fair to say that a lot still needs to be understood before cyber-security risks can be properly identified and insured.
Understanding the security controls, risks, data protection principles, and compliance with regulations beyond the cyber-security risk transfer is important, as connected computers, computer code, and the internet have spun a whole new “web” of liability exposures. A large portion of any entity's or nation's assets, and of its valuation in CGS, resides in its intellectual property, trade secrets, and strategic plans. The loss of these to adversaries and thieves, who steal the confidential secrets behind valuable assets in CGS in order to become direct competitors with identical or better value propositions, is a grave concern.
Each individual or entity with any valuable asset within any NGIOA, especially those that have growth, development, success, prosperity, and potential in their corner, is a potential security risk target for adversaries. For those individuals, entities, and nations, success, strategy, and sustainability are at risk, as there are many who want to cut short the traditional innovation and entrepreneurial journey and lifecycle on their way to success. There is a need to evaluate and understand what this means for each and every individual, entity, and nation and for its ongoing survival, sustainability, and viability in CGS. The bigger question is how anyone can protect their confidential secrets and maintain a fair competitive and strategic advantage in the global marketplace without sacrificing the potential and value of cyberspace.
As nations lack effective security infrastructure in cyberspace, and as the level of sophistication among cyber-criminals is often on par with that of the cyber defense community, computer code and connected computers are creating a perfect storm for cyber-attacks and espionage, with a rapid acceleration of crisis, catastrophe, and chaos.
It is important to understand that when the intellectual, operational, and strategic capital of any entity within any NGIOA is threatened and put at risk by cybercriminals, the resultant impact on not only the share price but also the survival and strategic sustainability of the entity becomes critical. How can individuals and entities from across NGIOAs secure themselves against such a complex crisis and be covered for it?
Because of its security vulnerabilities, cyberspace is expected to add a growing number of regulations to the already complex web of regulations each nation has. When the security vulnerability of one entity has the potential to negatively impact assets in CGS that may or may not belong to it, cyber insurance becomes a necessity and serious business. As integrated CGS risks become better understood over the years, the cyber-security risk management community needs to better evaluate the promise of insurance protection as a viable risk transfer tool against potential losses of assets in CGS. The question is whether the current form and role of cyber-insurance are effective and meaningful. I would say probably not, as the effectiveness depends on insurance’s ability to go hand in hand with a security-centric risk management framework.
There needs to be clarity that cyber-insurance, though around in some form for several years, is mostly a concept that carries serious risks of its own in terms of perception and effectiveness. While the availability of cyber insurance protection has evolved dramatically over the past decade, how should the cyber-insurance community evolve in terms of coverage, services, limits, and pricing amidst the fundamental changes brought on by the Internet of Things (IoT) and more?
The greatest challenge for the insurance industry is perhaps to keep up with the complex cyber-security developments in CGS and provide meaningful cyber-insurance solutions to individuals and entities across NGIOA at the right price.
It needs to be understood that the security that any entity within any NGIOA builds for itself is precarious and uncertain until security is achieved for everyone within that nation in cyberspace. Tradition becomes our security: if all the entities within a nation build a culture of effectively managing the cyber-security risks that are within their control, it will lead them to internal and independent security not only in cyberspace but also in geospace and space (CGS). For the security risks that are not within their control, cyber-insurance is likely the way to go.
How will the insurance industry insure against cyber-crimes like cyber extortion, that is, data kidnapping and ransom exposure, in which malicious software holds corporate data hostage for ransom?
The proposed integrated NGIOA Cyber-Security Risk Management (CSRM) model provides nations with a framework and a foundation for building security into every action and decision that every entity and individual takes. It provides the ability to manage internal cyber-security risks and to flag those risks that are outside corporate boundaries and need to be managed collectively. Now the important question is what cyber-insurance has to do with insuring cyber-security risks that are external to corporate boundaries, and why cyber-insurance should be tied to enforcing the universal acceptance and implementation of the CSRM framework.
What needs to be understood is that a cyber-insurance policy is just one piece of the cyber-security puzzle. The foundation of a new model for cyber-security strategy must bring all the pieces of the puzzle into the final equation. Any cyber-security risk management strategy is grossly incomplete if all the security elements are not addressed with a high degree of efficacy. Finding security vulnerabilities must be rewarded across NGIOA, and proper incentives need to be in place, as most existing security programs are outdated and ineffective and security barriers get easily penetrated. Conversely, a bottom-up, proactive, integrated NGIOA security risk management program affords the best measure of advanced, proactive cyber-security protection, along with the pre-loss perspective required to effectively address current and emerging cyber-security threats.
So how does the insurance industry begin to drive effective security risk management change in this new cyberwar? It is my recommendation that, as part of the underwriting process, insurance providers make a security-centric risk management framework a mandatory requirement for policyholders. This will ensure a structured, integrated effort to manage internal security risks while retaining the ability to identify and flag the risks that are outside corporate boundaries. As the CSRM model is designed to reinforce the connection between security drivers and cyber-security activities, the loss or risk prevention program could be modeled on a security-centric cyber-security risk management framework. In addition, this will eliminate the culture of transferring risk at its root. Issuance of an insurance policy will then mean that entities do everything in their power to proactively manage their internal cyber-security risks while identifying the external cyber-security risks that are not within their control (purchasing cyber-insurance products for those risks) and flagging them for collective security risk management!
Insurance will need to play an important role in enforcing the acceptance and implementation of cyber-security risk management frameworks for managing internal cyber-security risks in CGS, while insuring entities against the security risks that are outside their corporate boundaries and need to be managed collectively.
There is a critical need for cyber-insurance products that are tied to proactive, security-centric, integrated risk management programs. Getting there requires overcoming considerable hurdles, mainly around identifying and understanding insurable cyber risks, independent and collective risk management responsibilities, and independent and collective costs and premiums. For example: who will be the insurer of last resort, that is, who will be responsible for managing cyber-security risks that are not within anyone’s clear jurisdiction? Other questions that need to be addressed include how personal liability protection for individuals should be incorporated, within and outside of entities, especially if those entities do not have a CSRM framework. In addition, how can coverage for regulatory investigations and proceedings, notification and reporting costs, third-party civil liability for data breaches, the calculation of reputational damage, and more be determined?
Cyberspace and its ecosystem are making it increasingly clear that the cyber insurance industry needs to be integrated with proactive security-centric risk management frameworks and programs. Ensuring the implementation of risk management programs will likely need to be a new expected role for insurance professionals.
Insurance can play a significant role in safeguarding the security of cyberspace, and regulators must be willing to move forward with innovative cyber-insurance products that are tied to the mandatory implementation of cyber-security risk management frameworks.
Nations must transform their mindset and adopt a protective and proactive cyber-security strategy that involves individuals and entities across every nation: its government, industries, organizations, and academia (NGIOA). In this strategy, insurance providers must act as the enforcer, ensuring that the requisite cyber-security risk management framework protection is present to safeguard the value, constituents, shareholders, and customers not only of cyberspace but also of geospace and space. To do this, they must become the driving force in implementing security-centric cyber-security risk management programs and in putting the necessary security controls at policyholders' disposal to protect intellectual property, trade secrets, and competitive and strategic advantage.
A partnership of insurance and security-centric cyber-security risk management will form the most effective offense, and will always be the best defense!
About the Author
Jayshree Pandya (née Bhatt), Founder and CEO of Risk Group LLC, is a scientist, a visionary, an expert in disruptive technologies, and a globally recognized thought leader and influencer. She is actively engaged in driving global discussions on existing and emerging technologies, technology transformation, and national preparedness.
Her work focuses on the impact of existing and emerging technological innovations on nations, national preparedness, and the very survival, security, and sustainability of humanity. She believes that the reality of the imminent technological and economic singularity necessitates that Darwin’s theory of evolution, a theory that has evolved from natural selection to the survival of the fittest to symbiosis to mutualism, be translated and scaled from the micro to the macro level and be understood and evaluated from the perspective of the transformative and evolutionary changes seen across nations (largely triggered by technology transformation and the re-defining and re-designing of systems at all levels). Her research in this context evaluates the evolution of intelligence in all forms, researches strategic security risks emerging from disruptive innovations, reviews the diminishing capacities of the risk management infrastructure, points out the changing role of decision-makers, defines dynamic decision-making approaches with machine intelligence, integrates all components of a nation (governments, industries, organizations, and academia, NGIOA), and defines strategic security risks so that nations can improve the state of risk-resilience across cyberspace, geospace, and space (CGS). As nations move from centralization towards decentralization, the re-defining and re-designing of systems at all levels evaluated in Dr. Pandya’s comprehensive research scholarship include artificial intelligence, machine learning, deep learning, the internet of things, blockchain, cryptocurrency, quantum computing, virtual reality, synthetic biology, big data analytics, drones, nanosatellites, biotechnology, nanotechnology, gene editing, and much more. Her research is much needed for the survival and security of humanity today and in the coming tomorrow.
Jayshree’s doctoral work in the 1980s focused on hydrogen production by Halobacterium halobium, for which she received India’s National Young Scientist Award in Biochemistry. Her many publications on this work have been cited in several books, journals, and reports published by governments, including a report from the United States Department of Energy. Her work on anti-cancer drugs also received worldwide attention and, amongst other citations, has been referenced in a report published by the World Health Organization. In 1991, she was invited to come to the United States (under the Scientist Exchange Program) to continue research on hydrogen production and was awarded a post-doctoral fellowship at the Hawaii Natural Energy Institute. After that, she researched atherosclerosis at the University of Chicago Medical School. Next, she took a job at Aurotech, a biotech company based in Wisconsin. As in her Ph.D. research, she used microorganisms to develop natural processes and technologies, and some of the projects she worked on were quite promising. While her doctoral and post-doctoral studies gave her her first taste of the power of interdisciplinary research, they also introduced her to the repressive power of institutional silos and inefficiencies. As a result, her physical location wasn’t the only thing that shifted in the 1990s; her focus did as well. Since microbiology had trained her to see changes in tiny organisms arising from natural selection, she began to see similar forces at work in the evolution of individuals as well as entities across NGIOA and society in general. It’s all the same basic mechanism. Her career took another turn after she was asked to consider risk management as part of a strategic planning effort by one of her employers. She quickly realized that most risk management is all process, with no actual benefit.
That was the beginning of Risk Group, the strategic security risk research organization she founded in 2002, from where she is passionately creating and managing cutting-edge security ventures that bring a futurist perspective to nations and all their components, to improve innovation capacity and to define and design new ideas, innovations, products, and services for security and sustainability.
From the National Science Foundation to organizations from across nations, Jayshree is an invited speaker on emerging technologies, technology transformation, digital disruption, strategic security risks, industry risks, and country risks. She is the author of the book The Global Age: NGIOA @ Risk and has also published many scientific and technical papers.
Jayshree advises decision-makers at all levels on existing and emerging technologies: emerging applications, impact, and solutions.