Redefining the Cybersecurity Attack Surface Part 2: Risk & Liability
This is the second part of a 3-piece series on the concept of “attack surface”. Part 1 argued that an organization’s exposure to cyber risk – traditionally calculated as a tally of the technologies that house and traffic data – also includes the people who touch all those technologies.
Boards of directors take on a special type of risk, unlike anyone else in the company. That’s why D&O insurance exists. Qualitatively different from other insurance, it’s designed to cover what may be called a “meta-risk”. When an operational, financial, or cyber risk event occurs, directors face a risk of being held to account. We are seeing this more and more when cyber risks are realized as data breaches: directors are under attack. The adversaries in this case are regulators and shareholders who pursue damages, and the attack surface – or liability – is equivalent to the magnitude of those damages that were inflicted on shareholders and customers.
Typically, discussions of the “attack surface” of an organization refer to the sum of the different points where an unauthorized user can try to enter data into or extract data from an environment. But when talking about the risk faced by boards of directors, the attack surface is different: abstract, intangible, and often staggeringly large. Defining this attack surface has traditionally been the domain of insurers. However, we continue to see and hear of instances where D&O insurers carve cyber risk out of their policies. The question, then, is how do we identify, define and defend this attack surface?
Cyber risk can be thought of as a series of layers like sedimentary rock, where the oldest layers hold the artifacts of the earliest stages of evolution. The lowest (oldest) layer is technology risk: the risk of a failure in the routers and firewalls that stand at the network perimeter. Technology risk is relatively easy to identify, and is owned by the custodians of the network: IT and security operations (SecOps). Data risk sits on top of the technology risk, and includes the likelihood/impact of a loss of data, defined by the type and quantity of data held by the company. Very often it is spread across a variety of functional areas. Taken together, these two layers comprise the traditional concept of an attack surface.
The next layer is Process Risk. This is where we begin to find the human element and the behaviors that can decide whether or not an attacker gains access. The majority of what may be called today’s “cyber archaeologists” focus on understanding how workforce behaviors contribute to cyber risk. They are learning that the majority of cyber risk derives from this layer of process, policy, and procedure. Given this fact, how can managers ensure that cybersecurity best practices, procedures, and policies are properly designed, implemented, and encouraged?
Process risk gives rise to what we’ll call “Governance Risk”. This risk doesn’t lend itself easily to observation and thus is difficult to quantify or measure. When a cyber risk manifests as an incident, the root cause can be a minor blip in procedure, yet the consequences can be a vast devaluation of the enterprise. For example, a billion-dollar breach could be traced back to the failure of a simple authentication policy or mechanism. Even more challenging, these various governance risks accumulate and interact, making them exceedingly difficult to predict. This risk accumulation creates risk profiles with vast potential for negative impact on the firm.
The cyber meta-risk faced by a corporate director, therefore, is an emerging consequence of the interactions between technology, data, human behavior, and governance. And the liability – the attack surface – becomes obvious when those risks eventually enable a cyber breach to occur. When we think about it in this way, it is easy to understand why a D&O insurer might carve out coverage for cyber. The vast, dark space that begins at the margins of what we are able to know about risk is unknown territory. No responsible actuary would attempt building that risk model. No reasonable insurer would enter without defining the limits of governance with a bright white line.
In Part 3, we will discuss ways to manage and measure the emergent meta-risk faced by boards of directors.