Monday, September 25, 2017

Cyberinsurance

Last week, the Wall Street Journal ran a series of articles on Cyber issues of various types and insurance was one of them.  I didn’t comment on these articles because they didn’t seem to be very good, but they did remind me of some things that we went through in the 1980s with the same types of issues.

At that time, I knew Dr. Bob Edwards, who was working for Lloyd's of London doing bank certifications.  The certifications were required before a bank could get insurance.  Bob spent his days going around looking at how banks ran their infrastructure and found more than a small number of chinks in the armor of some major banks.  He had the power to close the doors of a bank if it failed.  These were lapses you would not expect from someone with responsibility for money.  You would assume they would just "know better," because banks have to be more careful than other industries precisely because they hold money.  Yet they didn't always do what they should have been doing.  These days, we have cyber criminals going after the SWIFT infrastructure and the major deposits of individuals, using malware that gets into on-line banking apps on smart phones.

Equifax et al. may have startled some people because of the volume of records that were taken and the length of time it took to report the loss.  Losing the security clearance records of military and government officials was a similar thing.  In both cases, the losses were preventable, but the managers who oversaw the operations functions of IT did not do the basic things that were required to keep the records in their possession safe.  The IRS got hacked twice in the same year over basically the same problems.

Policy is not very good in either commercial or government circles, and that is what led to these losses.  The long line of issues for industries holding records of millions of individuals cannot be laid on Equifax alone.  What was the industry doing to get its act together?  New York is talking about having agencies attest to the cybersecurity of a firm in order to "close loopholes" identified by the Equifax case.  That industry is asking for more government regulation because it hasn't done enough to strengthen or standardize its own practices.  It has no enforcement mechanisms and has relied on self-regulation and self-reporting.  We know how well that works.

Audits are not doing what they should to discover and fix basic oversight of patching, security education and administration of internal security functions for the enterprise.  The enterprise is more than just the holders of the data; it includes the third parties they contract to hold it, who have to meet the same standards of care.  This applies to government and commercial industries alike.  Self-regulation does not work.  What Lloyd's knew 30 years ago still applies today.  It takes oversight by an external audit function to expose and fix the kinds of problems that lead to these losses.  There are mounds of excuses for the losses; there are cover-ups; there are post-mortems with blame assigned to nobody in particular.  But nobody gets decertified - because there is no certification to begin with.

We used to know who the bad actors were in industrial security.  The same companies always had the same problems time after time.  It would take strong oversight and audits to get them back on track.  It is mostly a management issue.  Leaders take the view that security is not that important and emphasize operations over other concerns.  Those people eventually had an audit that would declare them "unsatisfactory," and they could not get government contracts issued to them until those deficiencies were corrected.  Then their audit frequency and depth increased.

We need to have certification programs for commercial and government businesses that rely on external audit for oversight.  Until we get them, we will continue to have managers decide what is good for the security of data they don't even own.  If I could have done something to protect my data in Equifax or OPM, I would have.  We can't.  Someone has to.
