
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, Univ. of South Dakota, Nov. 13, 2019


PowerPoint slides from an Invited Talk by Jay Kesan at the CLEAR Cyber Conference, University of South Dakota, Nov. 13, 2019.

Published in: Law


Slide 1: UNDERSTANDING CYBER RISK: Challenges in the Business and Law of Cybersecurity
Jay P. Kesan, Ph.D., J.D., Professor and H. Ross & Helen Workman Research Scholar, University of Illinois at Urbana-Champaign. All recent work is on the Social Science Research Network, http://www.ssrn.com. Thanks to my students and colleagues, Linfeng Zhang, Carol M. Hayes, and the Critical Infrastructure Resilience Institute (CIRI), a DHS COE at the University of Illinois.

Slide 2: Cybersecurity Concern
  • Cybersecurity is tied to the health of the U.S. economy. Malicious cyberattacks could throw the financial industry into chaos.
  • The World Economic Forum estimates that ineffective cybersecurity may cost the world's economy as much as $3 trillion by 2020.
  • Cybersecurity is also national security. Critical infrastructure systems, from transportation to nuclear power, are vulnerable to cyberattacks.
  • Hospitals and police departments have been targeted with ransomware that severs access to vital information.
  • The primary focus of my work is the private sector and on improving cybersecurity in the private sector through market-oriented solutions.
  • Proper risk assessment and management can improve companies' resilience against cyber risks through market-based solutions.

Slide 3: Cyber Risk Definition
  • "Operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems."
  • Encompasses various types of cyber incidents caused by different perils:
    1. Cyber Extortion
    2. Data - Malicious Breach
    3. Data - Physically Lost or Stolen
    4. Data - Unintentional Disclosure
    5. Denial of Service (DDOS)/System Disruption
    6. Digital Breach/Identity Theft
    7. Identity - Fraudulent Use/Account Access
    8. Industrial Controls & Operations
    9. IT - Configuration/Implementation Errors
    10. IT - Processing Errors
    11. Network/Website Disruption
    12. Phishing, Spoofing, Social Engineering
    13. Privacy - Unauthorized Contact or Disclosure
    14. Privacy - Unauthorized Data Collection
    15. Skimming, Physical Tampering

Slide 4: Cyber Risk in Private Sector
  • The general awareness of cybersecurity is low.
  • Businesses and individuals often underestimate the risk they are facing.
  • Cognitive biases that may lead to unpreparedness (Meyer & Kunreuther):
    • Myopia: Lack of long-term planning for cyber risk
    • Amnesia: Not learning from past experiences
    • Optimism: Underestimating the probability of cyber incidents
    • Inertia: Hesitating to make changes and invest in cybersecurity
    • Simplification: Overlooking cyber risks altogether
    • Herding: Lack of a cyber risk management culture

Slide 5: Managing Cyber Risk
  • Different ways to manage cyber risk:
    • Avoidance (e.g., not using cyber systems at all)
    • Mitigation (enhance cybersecurity and reduce exposure)
    • Self-insurance
    • Transfer to a third party (cyber insurance)
  • Cyber insurance is a risk transfer vehicle:
    • Complement to cybersecurity enhancement
    • Helps insured businesses quickly recover from cyber incidents

Slide 6: Status of Cyber Insurance
  • The market is still in its infancy:
    • U.S. penetration level of insureds is < 15% (< 1% in other countries and regions)
    • Less than 5% of small and medium-sized businesses purchase cyber insurance in the U.S.
  • The market is growing:
    • $2 billion written premium in 2018
    • Annual growth rate in terms of written premiums is slowing down: 12% growth in 2018, 30% in 2016 and 2017 (Data Source: A.M. Best)
  • The market has a lot of uncertainty and lacks insights. Warren Buffett's comments on cyber insurance: "We don't want to be a pioneer on this. I don't think we or anybody else really knows what they're doing when writing cyber."

Slide 7: Issues with Cyber Insurance Market
  • Lack of sound cyber risk assessment: data, analyses, and metrics
  • Large understanding gaps between directors and managers within organizations, and between insureds and insurers, regarding cyber risk
  • Difficult for organizations to create optimal risk management plans or consider cyber insurance as a feasible risk management solution
  • Organizations are often underprepared for cyber incidents

Slide 8: Questions We Try to Answer
  • Financial Risk:
    • Businesses face all kinds of financial risks:
      • Property damage
      • Shareholder value
      • Reputational risk
      • Notification costs (obligation to authorities, customers)
      • Business interruption costs
    • What is the financial risk associated with the most likely breach?
    • How likely is such a breach?
    • How much financial risk should we transfer (through insurance)?
  • Legal Risk:
    • What is our exposure to third-party liability claims?
    • Will my insurance cover my losses?

Slide 9: Our Approach to Estimating Cyber Risk
  • Gathering extensive public and private data regarding known cyber incidents from multiple sources, coding/tracking multiple variables
  • Performing extensive analyses on every important aspect of cyber risk, such as economic, financial, reputational and legal impact, to get more insights into cyber risk
  • Uniqueness: the comprehensiveness of the multiple datasets we are building. This allows us to carry out research on important topics, such as the financial impact of cyber incidents, that no prior studies have covered.

Slide 10: Our Solutions
  • Financial Risk Solution: Cyber Risk Impact–Data and Analytics (CRIDA)
    • Identify financial risks and predict future risks based on empirical and event analysis of:
      • Historical and real-time cyber incident databases
      • Historical and real-time financial and capital losses
  • Legal Risk Solution: Cyberinsurance Litigation Analytics Database (CLAD)
    • Affordable, accessible SaaS that allows businesses to identify legal risks based on:
      • Historical court rulings on cyber-relevant insurance litigations
      • Our interpretations and analyses of these litigations

Slide 11: CRIDA (Cyber Risk Impact–Data and Analytics)
  • CRIDA utilizes cyber incident data and our predictive models to perform cyber risk assessment and forecast future cyber risk based on users' input.
  • Helping businesses understand the causes and outcomes of cyber incidents, so they can take appropriate measures to avoid or mitigate cyber risk
  • Identifying major trends in cyber risk to help businesses prioritize risk management tasks
  • Estimating the frequency and severity of cyber incidents, which gives insights into the financial aspect of cyber risk
  • Helping insurers distinguish companies with different risk levels

Slide 12: CRIDA - Identify Trends
  • CRIDA helps businesses identify major trends in cyber risk.
  • Example 1: For a large financial institution (i.e., in the Finance and Insurance industry with more than 500 employees), the plot on this slide shows how the expected number of incidents it experiences in a year changes over time. (Plot not reproduced in this transcript.)

Slide 13: CRIDA - Comparison between Risks
For example: Malicious Data Breaches and Unintentional Data Disclosure are similar (both represent a breach of confidentiality of information), but:
  • Malicious Data Breach (red) has a higher probability of causing losses (left figure)
  • Unintentional Data Disclosure (blue) has a higher severity in general (right figure: higher mean, larger right tail)
(Figures not reproduced in this transcript.)

Slide 14: CRIDA - Estimate Cyber Loss
  • Based on our predictive models, CRIDA forecasts the incident frequency and severity in a future year, say 2020, and provides intuitive summary statistics.
  • For example, CRIDA provides an estimation that in 2020, a large financial institution has a 79.27% probability of suffering a loss from cyber incidents, and there is a 5% probability that the loss will exceed $148.79 million.

Slide 15: CRIDA – Distinguish Risks
  • CRIDA makes it easier for insurers to compare the cyber risk of different companies.
  • Comparison between companies of the same size in different sectors:
    • A financial institution with more than 500 employees
    • A manufacturing company with more than 500 employees

Slide 16: CRIDA - Distinguish Risks (cont'd)
  • CRIDA makes it easier for insurers to compare the cyber risk of different companies.
  • Comparison between companies of different sizes in the same sector:
    • A large financial institution with more than 500 employees
    • A small financial institution with fewer than 10 employees
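The two summary statistics on slide 14 (the probability of suffering any loss in a year, and the loss exceeded with 5% probability) are what a frequency/severity model produces. The block below is an added illustration, not CRIDA's code or model: it assumes constructed Poisson frequency and lognormal severity parameters for the two perils compared on slide 13, derives P(loss > 0) exactly, and estimates the 5% tail loss by Monte Carlo.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class PerilModel:
    """One peril's annual frequency and per-incident severity (constructed values)."""
    name: str
    annual_rate: float   # expected incidents per year (Poisson mean)
    loss_prob: float     # probability that an incident produces a financial loss
    log_mean: float      # lognormal severity: mean of ln(loss in $M)
    log_sd: float        # lognormal severity: std dev of ln(loss in $M); larger = fatter tail

# Hypothetical parameters echoing slide 13: the malicious peril causes a loss more often,
# the unintentional one is rarer but more severe, with a longer right tail.
PERILS = [
    PerilModel("Data - Malicious Breach", 1.5, 0.6, math.log(2.0), 1.2),
    PerilModel("Data - Unintentional Disclosure", 0.8, 0.4, math.log(3.0), 1.5),
]

def prob_any_loss(perils):
    """Exact P(at least one loss in a year): thinning Poisson(rate) by loss_prob gives
    Poisson(rate * loss_prob), and independent Poisson counts add."""
    return 1.0 - math.exp(-sum(p.annual_rate * p.loss_prob for p in perils))

def poisson(rng, lam):
    """Knuth's Poisson sampler (fine for the small annual rates used here)."""
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k, prod = k + 1, prod * rng.random()
    return k

def simulate_annual_losses(perils, years=50_000, seed=2019):
    """Monte Carlo: aggregate loss (in $M) for each simulated year."""
    rng, totals = random.Random(seed), []
    for _ in range(years):
        total = 0.0
        for p in perils:
            for _ in range(poisson(rng, p.annual_rate)):
                if rng.random() < p.loss_prob:   # does this incident actually cost money?
                    total += rng.lognormvariate(p.log_mean, p.log_sd)
        totals.append(total)
    return totals

def summary(totals, tail=0.05):
    """Slide-14 style statistics: P(loss > 0) and the loss exceeded with probability `tail`."""
    s = sorted(totals)
    idx = max(0, min(len(s) - 1, math.ceil((1.0 - tail) * len(s)) - 1))
    return {"p_loss": sum(1 for t in s if t > 0) / len(s), "tail_loss": s[idx]}
```

Running `summary(simulate_annual_losses(PERILS))` gives the empirical P(loss > 0), which should agree with `prob_any_loss(PERILS)` to within simulation error, plus the 95th-percentile annual loss, which has no closed form for this compound distribution and so needs the simulation.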
Slide 17: CLAD - Insurance Litigation
  • Cyberinsurance Litigation Analytics Database (CLAD)
  • Granularly coded and extensively analyzed every lawsuit (170+) at the federal and state level involving cyber losses and insurance coverage
  • Analysis of litigated policies identifies the sources of legal risk in policy coverage
  • Understand the sources of legal uncertainty that aggravate an already uncertain cyber insurance market
  • Propose policy recommendations

Slide 18: CLAD - Insurance Litigation
  • Most of the policies were not cyber policies.
  • A lot of the insurance litigation involved applying Commercial General Liability policies to digital harms.
  • Many cases involved multiple policies.
  • "Technology" policies included cyber insurance policies as well as technology errors and omissions.
  [Chart: Policies in 176 cases, by policy type: CGL; CGL and Technology; Crime and Technology; Crime policy; D&O; D&O and Technology; First party; First party and Technology; Multiple]

Slide 19: Incentivizing Reduction of Cyber Risk Through Legal Reform

Slide 20: Liability for "Data-Related Injuries"
  • Data insecurity affects all of us to a significant degree.
  • Law needs to step forward and cope with the challenges posed by data breaches, data misuse, and data injuries.
  • To create an analytical framework for data breach cases, we need to address the Duty and the Injury to shape the contours of liability for data injuries.

Slide 21: Liability for "Data-Related Injuries" (cont'd)
  • Courts should recognize a legal duty to secure data.
  • This duty is made necessary by the pervasive cognitive biases that result in systematic underestimation of cyber risk by firms and individuals.
  • This underestimation interferes with the risk management process.
  • Recognizing a legal duty encourages engagement in a risk-management process: mitigate; self-insure; or third-party insurance.

Slide 22: Liability for "Data-Related Injuries" (cont'd)
  • Courts are struggling with fitting data insecurity injuries within existing legal models.
  • Part of the reason for this is the preoccupation with economic harm, which is a poor method for quantifying privacy injuries.
  • The erosion of privacy through neglect of security is troubling; the legal system must shift away from traditional economic measurements of injury and focus instead on the fact that data insecurity is a social harm.
  • Data insecurity is both a privacy injury and an injury to autonomy that interferes with self-determination, and it should be analyzed as such.

Slide 23: CFAA Needs Revisiting/Reform
  • Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
  • Congress enacted a version of the CFAA in 1984 and substantially amended it in 1986. Between 1986 and 2017, the CFAA was amended nine times, with the most recent amendments in 2008.
  • The CFAA broadly prohibits unauthorized activity on a protected computer, and a few other offenses.
  • There is considerable disagreement on the meaning of "Authorization," "Damage," and "Loss," and on the application of the CFAA to active defense (i.e., hackback) and cloud computing.

Slide 24: Need for Federal Data Breach Legislation
  • No general federal data breach law
  • Some sector-specific federal information privacy statutes include requirements to follow in the event of a breach
  • Today, data breach statutes are state laws
  • The adoption of state data breach laws was spread out over a decade. As of 2018, all fifty states have a data breach statute.
  • Large state-by-state variations in:
    • What information must be protected under the law
    • When breached entities must provide notification, and to whom
    • Whether a private cause of action is provided

Slide 25: Federal and State Identity Theft Laws
  • Identity theft laws in the U.S. have wide variation across all fifty states and at the federal level.
  • The federal law, 18 U.S.C. § 1028, covers eight different scenarios, using various requisite intents and acts.
  • All these crimes are classified as "fraud and related activity in connection with identification documents."

Slide 26: South Dakota Cyber Security Laws
  • Computer Crime, S.D. Cod. Laws §§ 43-43B-1 to 43-43B-8
  • Identity Theft, S.D. Cod. Laws §§ 22-40-8 to 22-40-18
  • False Personation, S.D. Cod. Laws § 22-40-1
  • Data Breaches, §§ 22-40-19 to 22-40-26

Slide 27: Closing slide (repeats the title slide, Slide 1).
