The 2018 KNOW Identity Conference, held from March 26 to March 28 in Washington, D.C., examined identity verification and cyber security risks for organizations and explored how those risks can be addressed and reduced. Two sessions in particular informed the discussion of cyber security risk and how to prevent it.
The Value of Transparency in Security
Discussions revolved around the incentives for companies to disclose (or conceal) security risks to consumers and the media. Panelists included: Denise Zheng, Vice President at Business Roundtable, Eric Mill, Senior Advisor at the General Services Administration, Eric Geller, Cybersecurity Reporter at Politico, and Michael Price, CTO at cybersecurity startup ZeroFOX.
All panelists agreed that transparency is important for getting ahead of the narrative; however, there was some disagreement about whether vulnerabilities should be disclosed quickly. The discussion focused partly on the balance between giving the company time to patch the vulnerability and the public's right to know. Some panelists criticized companies that took too long to patch vulnerabilities, but there was also lively discussion of how difficult it is for many enterprise companies to create stable patches that can be distributed quickly. Several panelists argued that in some cases it was damaging for a company to let hackers know that an exploit had been patched.
There was also some discussion of open source code and bug bounties, in which companies pay researchers who discover vulnerabilities and disclose them to the company privately. All panelists agreed that companies need to allow researchers to probe their systems for vulnerabilities and to reward those who uncover issues that need to be patched.
Overall, the message of the panel was that companies should strive for a culture of security and openness to criticism, while ensuring that their transparency does not create a bigger problem than it solves.
How Cyber Insurance Can Reduce Fraud and Incentivize Best Practices
Panelists for this discussion included Brooke Oppenheimer, an eDiscovery Attorney (specializing in Data, Privacy & Cyber) at Axinn, Veltrop & Harkrider LLP; Tom Marchok Sr, Director of Corporate Development & Strategy at Cisco; Scott Stransky, Assistant Vice President & Principal Scientist at AIR Worldwide; Chip Block, Vice President at Evolver; and Greg Vernaci, Head of Cyber Insurance for the U.S. & Canada at AIG. The panelists generally agreed that the industry needs to move towards a system in which companies are rewarded with cheaper insurance for following cyber security best practices, both to encourage adoption of those practices and to prevent moral hazard.
There was concern that large insurance payouts to companies may reduce their incentive to protect data. Panelists also noted that companies need to be very careful about what type of cyber insurance they buy, because many purchase a one-size-fits-all policy that does not cover the specific types of vulnerabilities the company actually has.
There was also discussion of the need for insurers to gauge the risk of "aggregated incidents," where a single vulnerability leads to payouts for many different companies. One example given was an exploit in a printer model used across many companies that caused the printer to catch fire.
Panelists emphasized that cyber risks are not limited to hacking, citing incidents where lightning struck data centers and caused data to be lost. They also stressed that companies must understand their own security practices and buy the insurance that is best tailored to them. The biggest takeaway from the panel was that cyber insurance is not the same as cyber controls: the two are complementary, and insurance should be priced in relation to the controls in place.