This document discusses challenges in managing cyber risk for businesses. It notes that while cybersecurity is important for the economy, many businesses underestimate cyber risks. The author's work focuses on improving private sector cybersecurity through market solutions and risk assessment. Some key challenges include a lack of sound risk assessment data and understanding gaps between businesses and insurers. The author's approach involves gathering extensive cyber incident data to better understand and predict risks. Solutions proposed include the CRIDA tool for financial risk assessment and the CLAD database for analyzing insurance litigation. The document also discusses needs for reforming laws around data breaches, computer crimes, and identity theft.
1. UNDERSTANDING CYBER RISK:
Challenges in the Business and
Law of Cybersecurity
Jay P. Kesan, Ph.D., J.D.
Professor and H. Ross & Helen Workman Research Scholar
University of Illinois at Urbana-Champaign
All recent work is on the Social Science Research Network, http://www.ssrn.com
Thanks to my students and colleagues, Linfeng Zhang, Carol M. Hayes, and the Critical
Infrastructure Resilience Institute (CIRI), a DHS COE at the University of Illinois
2. Cybersecurity Concern
• Cybersecurity is tied to the health of the U.S. economy. Malicious cyberattacks
could throw the financial industry into chaos.
• The World Economic Forum estimates that ineffective cybersecurity may cost the world’s
economy as much as $3 trillion by 2020.
• Cybersecurity is also national security. Critical infrastructure systems, from
transportation to nuclear power, are vulnerable to cyberattacks.
• Hospitals and police departments have been targeted with ransomware that severs access to
vital information.
• The primary focus of my work is on the private sector and on improving cybersecurity in the private sector through market-oriented solutions.
• Proper risk assessment and management can improve companies’ resilience
against cyber risks through market-based solutions
3. Cyber Risk Definition
• “Operational risks to information and technology assets that have consequences
affecting the confidentiality, availability, or integrity of information or information
systems”.
• Encompasses various types of cyber incidents caused by different perils
1. Cyber Extortion
2. Data - Malicious Breach
3. Data - Physically Lost or Stolen
4. Data - Unintentional Disclosure
5. Denial of Service (DDOS)/System Disruption
6. Digital Breach/Identity Theft
7. Identity - Fraudulent Use/Account Access
8. Industrial Controls & Operations
9. IT - Configuration/Implementation Errors
10. IT - Processing Errors
11. Network/Website Disruption
12. Phishing, Spoofing, Social Engineering
13. Privacy - Unauthorized Contact or Disclosure
14. Privacy - Unauthorized Data Collection
15. Skimming, Physical Tampering
4. Cyber Risk in Private Sector
• The general awareness of cybersecurity is low
• Businesses and individuals often underestimate the risk they are
facing
• Cognitive biases that may lead to unpreparedness (Meyer &
Kunreuther):
• Myopia: Lack of long-term planning for cyber risk
• Amnesia: Not learning from past experiences
• Optimism: Underestimating the probability of cyber incidents
• Inertia: Hesitating to make changes and invest in cybersecurity
• Simplification: Overlooking cyber risks altogether
• Herding: Lack of a cyber risk management culture
5. Managing Cyber Risk
• Different ways to manage cyber risk
• Avoidance (e.g., not using cyber systems at all)
• Mitigation (enhance cybersecurity and reduce exposure)
• Self-insurance
• Transfer to third-party (cyber insurance)
• Cyber insurance is a risk transfer vehicle
• Complement to cybersecurity enhancement
• Helps insured businesses quickly recover from cyber incidents
6. Status of Cyber Insurance
• The market is still in its infancy
• U.S. penetration level of insureds is < 15% (< 1% in other countries and
regions)
• Less than 5% of small and medium-sized businesses purchase cyber insurance
in the U.S.
• The market is growing
• $2 billion written premium in 2018
• Annual growth rate in terms of written premiums is slowing down
• 12% growth in 2018, 30% in 2016 and 2017 (Data Source: A.M. Best)
• The market has a lot of uncertainty and lacks insights
• Warren Buffett’s comments on cyber insurance: “We don’t want to be a
pioneer on this. I don’t think we or anybody else really knows what they’re
doing when writing cyber.”
7. Issues with Cyber Insurance Market
• Lack of sound cyber risk assessment – data, analyses, and metrics
• Large understanding gaps between directors and managers within organizations, and between insureds and insurers, regarding cyber risk
• Difficult for organizations to create optimal risk management plans or consider cyber insurance as a feasible risk management solution
• Organizations are often underprepared for cyber incidents
8. Questions We Try to Answer
• Financial Risk:
• Businesses face all kinds of financial risks:
• Property damage
• Shareholder value
• Reputational risk
• Notification costs (obligation to authorities, customers)
• Business interruption costs
• What is the financial risk associated with the most likely breach?
• How likely is such a breach?
• How much financial risk should we transfer (through insurance)?
• Legal Risk:
• What is our exposure to third-party liability claims?
• Will my insurance cover my losses?
9. Our Approach to Estimating Cyber Risk
• Gathering extensive public and private data regarding known cyber incidents from multiple sources, coding and tracking multiple variables
• Performing extensive analyses on every important aspect of cyber risk, such as economic, financial, reputational and legal impact, to get more insights into cyber risk
• Uniqueness: the comprehensiveness of the multiple datasets we are building, which allows us to carry out research on important topics, such as the financial impact of cyber incidents, that no prior studies have covered.
10. Our Solutions
• Financial Risk Solution: Cyber Risk Impact–Data and Analytics (CRIDA)
• Identify financial risks and predict future risks based on empirical and event
analysis of:
• Historical and real-time cyber incident databases
• Historical and real-time financial and capital losses
• Legal Risk Solution: Cyberinsurance Litigation Analytics Database
(CLAD)
• Affordable, accessible SaaS that allows businesses to identify legal risks based
on:
• Historical court rulings on cyber-relevant insurance litigations
• Our interpretations and analyses of these litigations
11. CRIDA (Cyber Risk Impact–Data and Analytics)
• CRIDA utilizes cyber incident data and our predictive models to
perform cyber risk assessment and forecast future cyber risk based
on users’ input.
• Helping businesses understand the causes and outcomes of cyber incidents,
so they can take appropriate measures to avoid or mitigate cyber risk
• Identifying major trends in cyber risk to help businesses prioritize risk
management tasks
• Estimating the frequency and severity of cyber incidents, which gives insights
into the financial aspect of cyber risk
• Helping insurers distinguish companies with different risk levels
12. CRIDA - Identify Trends
• CRIDA helps businesses identify major
trends in cyber risk
• Example 1:
For a large financial institution (i.e.,
in the Finance and Insurance
industry with more than 500
employees), this plot shows how the
expected number of incidents it
experiences in a year changes over
time.
13. CRIDA - Comparison between Risks
For example: Malicious Data Breaches and Unintentional Data Disclosure are similar (both represent breach of
confidentiality of information), but:
• Malicious Data Breach (red) has a higher probability of causing losses (left figure)
• Unintentional Data Disclosure (blue) has a higher severity in general (right figure, higher mean, larger right
tail)
14. CRIDA - Estimate Cyber Loss
• Based on our predictive models, CRIDA forecasts the incident frequency and
severity in a future year, say 2020, and provides intuitive summary statistics.
• For example, CRIDA provides an estimation that in 2020, a large financial
institution has a 79.27% probability of suffering a loss from cyber incidents, and
there is a 5% probability that the loss will exceed $148.79 million.
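The frequency/severity reasoning behind those two summary statistics, as an added illustration that is not CRIDA's code or model: it assumes a Poisson incident count and a lognormal per-incident severity (constructed parameters, in $ millions), recovers the slide's 79.27% from the implied annual incident rate, and computes the 95th-percentile annual loss by Monte Carlo; that percentile depends on the assumed severity and is not the slide's figure.

```python
import math
import random
from statistics import fmean


def prob_any_loss(annual_rate):
    """P(at least one loss-causing incident in a year) when the yearly
    incident count is Poisson with mean annual_rate."""
    return 1.0 - math.exp(-annual_rate)


def rate_from_prob_loss(p):
    """Invert prob_any_loss: the Poisson rate implied by a loss probability p."""
    return -math.log(1.0 - p)


def poisson_sample(rng, lam):
    """Knuth's inverse-CDF Poisson sampler; adequate for the small rates used here."""
    limit, k, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return k
        k += 1


def quantile(sorted_values, q):
    """Nearest-rank empirical quantile of an ascending list."""
    idx = min(len(sorted_values) - 1, max(0, math.ceil(q * len(sorted_values)) - 1))
    return sorted_values[idx]


def annual_loss_summary(annual_rate, log_median, log_sigma, n_years=20000, seed=7):
    """Simulate n_years of aggregate loss: Poisson count of incidents, each with a
    lognormal severity whose median is exp(log_median) ($ millions, constructed).
    Returns P(loss > 0), the mean annual loss and the 95th-percentile loss."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        count = poisson_sample(rng, annual_rate)
        totals.append(sum(rng.lognormvariate(log_median, log_sigma) for _ in range(count)))
    totals.sort()
    return {
        "prob_loss": sum(1 for t in totals if t > 0) / n_years,
        "mean_loss": fmean(totals),
        "var_95": quantile(totals, 0.95),
    }


if __name__ == "__main__":
    rate = rate_from_prob_loss(0.7927)  # rate that reproduces the slide's 79.27%
    print(f"implied annual incident rate: {rate:.4f}")
    print(annual_loss_summary(rate, math.log(5.0), 1.5))  # median severity $5M, assumed
```

The "5% probability that the loss will exceed X" figure is exactly the 95th percentile (`var_95`) of the simulated annual-loss distribution.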
15. CRIDA – Distinguish Risks
• CRIDA makes it easier for insurers to compare the cyber risk of
different companies.
• Comparison between companies of the same size in different sectors
• A financial institution with more than 500 employees
• A manufacturing company with more than 500 employees
16. CRIDA - Distinguish risks (cont’d)
• CRIDA makes it easier for insurers to compare the cyber risk of
different companies.
• Comparison between companies of different sizes in the same sector
• A large financial institution with more than 500 employees
• A small financial institution with fewer than 10 employees
17. CLAD - Insurance Litigation
• Cyberinsurance Litigation Analytics Database (CLAD)
• Granularly coded and extensively analyzed every lawsuit (170+) at the federal and state level involving cyber losses and insurance coverage
• Analysis of Litigated Policies Identifies the Sources of Legal Risk in Policy Coverage
• Understand the sources of legal uncertainty that aggravate an already uncertain cyber insurance market
• Propose policy recommendations
18. CLAD - Insurance Litigation
• Most of the Policies Were Not Cyber Policies
• A lot of the insurance litigation involved applying Commercial General Liability policies to digital harms.
• Many cases involved multiple policies.
• “Technology” policies included cyber insurance policies as well as technology errors and omissions.
[Chart: Policies in 176 cases, by policy type: CGL; CGL and Technology; Crime and Technology; Crime policy; D&O; D&O and Technology; First party; First party and Technology; Multiple]
20. Liability for “Data-Related Injuries”
• Data insecurity affects all of us to a significant degree
• Law needs to step forward and cope with the challenges
posed by data breaches, data misuse, and data injuries
• To create an analytical framework for data breach cases, we
need to address:
• The Duty and Injury to shape the contours of liability for
data injuries
21. Liability for “Data-Related Injuries” (contd.)
• Courts should recognize a legal duty to secure data
• This duty is made necessary by the pervasive cognitive biases
that result in systematic underestimation of cyber risk by
firms and individuals
• This underestimation interferes with the risk management
process
• Recognizing a legal duty encourages engagement in a risk-management process: mitigate, self-insure, or insure with a third party
22. Liability for “Data-Related Injuries” (contd.)
• Courts struggling with fitting data insecurity injuries within
existing legal models
• Part of the reason for this is the preoccupation with economic harm, which is a poor method for quantifying privacy injuries.
• The erosion of privacy through neglect of security is troubling; the legal system must shift away from traditional economic measurements of injury and focus instead on the fact that data insecurity is a social harm.
• Data insecurity is both a privacy injury and an injury to autonomy
that interferes with self-determination, and it should be analyzed
as such.
23. CFAA Needs Revisiting/Reform
• Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
• Congress enacted a version of the CFAA in 1984 and substantially amended it in 1986. Between 1986 and 2017, the CFAA was amended nine times, with the most recent amendments in 2008
• The CFAA broadly prohibits unauthorized activity on a protected
computer, and a few other offenses
• There is considerable disagreement on the meaning of
“Authorization,” “Damage,” “Loss,” and the application of the CFAA to
active defense (i.e., hackback) and cloud computing
24. Need for Federal Data Breach Legislation
• No general federal data breach law
• Some sector-specific federal information privacy statutes include
requirements to follow in the event of a breach
• Today, data breach statutes are state laws
• The adoption of state data breach laws was spread out over a decade.
As of 2018, all fifty states have a data breach statute
• Large state-by-state variations in:
• What information must be protected under the law
• When breached entities must provide notification, and to whom
• Providing for private cause of action
25. Federal and State Identity Theft Laws
• Identity theft laws in the U.S. have wide variation across all fifty states
and at the federal level.
• The federal law, 18 U.S.C. § 1028, covers eight different scenarios,
using various requisite intents and acts.
• All these crimes are classified as “fraud and related activity in
connection with identification documents.”
26. South Dakota Cyber Security Laws
• Computer Crime, S.D. Cod. Laws §§ 43-43B-1 to 43-43B-8
• Identity Theft, S.D. Cod. Laws §§ 22-40-8 to 22-40-18
• False Personation, S.D. Cod. Laws § 22-40-1
• Data Breaches, S.D. Cod. Laws §§ 22-40-19 to 22-40-26
Editor's Notes
Vicious circle in cyber insurance market
Identified and analyzed litigation relevant to cyber insurance policies to evaluate legal needs in this area.