Closing The Gap: The Quest to Achieve One Hundred Percent Cyber Coverage
As I rode the down escalator at The Moscone Center in San Francisco during the 2018 RSA security conference, I noticed a digital banner advertisement for a cyber security company boasting that they are the only security vendor that can provide “100 percent complete coverage against cyber threats”. In my mind (and I hope in the minds of all serious security practitioners) that vendor just outed themselves as a company that either does not understand cybersecurity very well or has an overzealous marketing team. Achieving one hundred percent cyber coverage is practically impossible.
When I was taking a course in economics, our professor asked the class “If you could wipe out one hundred percent of the world’s diseases without any unintended consequences, would you do it?” Most of the students nodded in agreement, but being in an economics class and not a medical ethics class, there was always a twist. The professor went on to explain from an economic perspective that getting rid of one hundred percent of diseases would be so expensive (marginal cost of curing the world's last disease), that it would not be worth the time, money, and effort (marginal revenue from curing the world’s last disease). This concept, like most in economics, can apply to other real-world scenarios such as cyber security.
Achieving one hundred percent cybersecurity coverage would be so expensive and cost prohibitive that no company would ever employ it and no employee would ever want to practice it. When thinking about the world’s most (perceived) secure organizations, names like defense contractor Lockheed Martin, United States Department of Defense (DoD), and the US Power Grid come to mind (supposedly airgapped). Some readers may be laughing to themselves here because despite the heavy investment in security controls to protect all of these organizations, they have all been breached. If a state actor with limitless resources wishes to attack an organization, they will always find a way.
One of the fundamental concepts of economics and its application to cyber is the law of diminishing returns. In practice, a completely unprotected organization can purchase a NAT router and an edge firewall and solve about 50% of their cyber security problems for a few thousand dollars. Next, that organization wishes to up-level their security, so they purchase endpoint security, a web proxy, and a sandbox, getting them to 80% coverage for hundreds of thousands of dollars. Not happy with just 80% coverage, DLP, desktop management software, the hiring of a CISO, and an upgrade to a next generation firewall are added to next year’s cyber security budget. The organization is now approximately 95% protected, but they spent millions of dollars to get that last 15% of coverage when the initial 50% only cost a few thousand. As an organization gets closer to 100% coverage, it gets very expensive very quickly to cover the last remaining exposures.
Where there is a perceived need, there will always be a business willing to offer something to meet that need. Enter cyber security insurance, the next best thing since sliced bread! The appeal of cyber security insurance has been on the rise after high profile breaches at Equifax, Target, and Home Depot, and RBC Capital reports that cyber insurance coverage is growing at a rate of 25 percent year over year. When studying for my ISC2 CISSP certification, many available practice tests had questions that apply to real life scenarios that companies face every day.
“Acme corporation has achieved a high degree of cyber security coverage. The remaining exposure stems from a known software vulnerability that has a 10% chance of being exploited.
A successful exploit/breach will result in a $2 million loss for Acme.
A software patch can be purchased for $500,000 from the vendor.
A cyber security insurance policy can be purchased for $100,000, which will cover the full $2 million loss in the event of a breach.
Should Acme Corporation do nothing, purchase the security patch from the vendor, or purchase the cyber security insurance?”
From a purely economic standpoint, Acme should buy the cyber security insurance. In real life, these numbers are difficult if not impossible to quantify, but there is always an insurance salesman and economics professor willing to do their best. Due to the law of diminishing returns, many organizations (like Acme Corp.) choose to close the remaining cyber security gap with cyber security insurance against a possible attack/breach.
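The Acme question above is a standard quantitative risk calculation: expected loss equals the probability of the event times its impact, and each option is compared on fixed cost plus the expected loss that remains. The Python below is an added illustration, not code from the original post; it works the three Acme options through and generalizes slightly, computing the break-even exploit probability at which the patch would beat the insurance and the fraction of a claim the insurer must actually pay for the policy to still beat doing nothing. The option names, the assumption that the patch fully removes the exposure, and the payout-fraction parameter are my own assumptions, not figures from the page.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Option:
    """One way of handling a known exposure."""
    name: str
    upfront_cost: float         # paid regardless of whether the breach happens
    residual_loss_prob: float   # probability the loss still occurs after choosing this option
    covered_fraction: float = 0.0  # share of the loss reimbursed if it occurs (insurance only)

def expected_cost(opt: Option, loss: float) -> float:
    """Fixed cost plus the expected share of the loss the organization still absorbs."""
    return opt.upfront_cost + opt.residual_loss_prob * loss * (1.0 - opt.covered_fraction)

def cheapest(options: Iterable[Option], loss: float) -> Option:
    """Pick the option with the lowest expected cost."""
    return min(options, key=lambda o: expected_cost(o, loss))

def breakeven_probability(fixed_cost: float, loss: float) -> float:
    """Loss probability at which paying fixed_cost to remove the exposure equals accepting it."""
    return fixed_cost / loss

def min_covered_fraction(premium: float, loss_prob: float, loss: float) -> float:
    """Smallest share of the claim the insurer must pay for the policy to beat doing nothing."""
    return premium / (loss_prob * loss)

# Figures from the practice question in the text.
LOSS = 2_000_000.0
P_EXPLOIT = 0.10
ACME_OPTIONS = [
    Option("do nothing", 0.0, P_EXPLOIT),
    # Assumption: buying the patch removes the exposure entirely.
    Option("buy patch", 500_000.0, 0.0),
    # The policy covers the full loss, so nothing is absorbed if the breach happens.
    Option("buy insurance", 100_000.0, P_EXPLOIT, covered_fraction=1.0),
]

def acme_decision() -> str:
    return cheapest(ACME_OPTIONS, LOSS).name

if __name__ == "__main__":
    for opt in ACME_OPTIONS:
        print(f"{opt.name:>14}: expected cost ${expected_cost(opt, LOSS):,.0f}")
    print("choose:", acme_decision())
    print(f"patch beats doing nothing once p > {breakeven_probability(500_000.0, LOSS):.0%}")
    print(f"insurer must pay at least {min_covered_fraction(100_000.0, P_EXPLOIT, LOSS):.0%} "
          "of the claim for the policy to be worth buying")
```

Running it shows the insurance at $100,000 against an expected loss of $200,000 for doing nothing and $500,000 for the patch. The last two functions are what a practitioner actually wants when the inputs are uncertain: the patch only becomes the better buy if the exploit probability rises above 25%, and if the carrier would settle for less than half of the claim, the premium buys nothing over self-insuring.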
Unknown to many Americans, the terrorist attack against the United States on 9/11/2001 sparked a major debate in the field of insurance. Was the attack against the Twin Towers in New York one event or two separate events? Was the attack as a whole considered an act of war? Many insurance policies cap maximum payouts for a single event, so if the attack was considered a single event, the payout would be capped at that maximum, saving the insurance companies potentially billions of dollars. If the attack was considered an act of war, many insurance policies do not pay out in the event of an act of war, again potentially saving billions of dollars in payouts. Insurance companies do not stay in business by paying out the maximum amount for each claim. They have armies of employees looking for loopholes and exceptions to minimize the amount they have to pay out. (Medical insurance calls this a “utilization review”.) Cyber security insurance carriers are no different.
In a recent article published in the Financial Times, covered companies filing for losses under their cyber insurance plans are unexpectedly getting declined or receiving significantly smaller settlements from their insurance carriers, raising questions about the value of these plans. Earlier this year, a bank in Virginia sued their insurance carrier after the bank suffered losses from cyber attacks. The bank claimed $2.4 million in losses under its cyber insurance policy, but the insurer disputed the claim and only offered $50,000. As a result of the NotPetya ransomware outbreak, multi-national food manufacturing company Mondelez suffered losses in excess of $100 million USD. They quickly filed a claim with their cyber security insurance carrier for a similar amount, but the insurance company denied their claim on the basis that NotPetya was an "act of war", a condition not covered under Mondelez’s policy. These cases are still in progress, but the results are sure to send shockwaves through the cyber security insurance markets.
While there is the perception of insurance companies being greedy and looking for ways to weasel out of paying legitimate claims, there are also companies signing up for these policies without realizing what is actually covered. For example, coverage may only extend to external malicious attacks, but not to accidental user error. Business disruption is the most contentious area of coverage disputes since it is very difficult to calculate. For example, the City of Atlanta in the US paid $2.6 million to recover from an outbreak of SamSam ransomware, but actual losses were many times that, as employees and citizens could not do their work, ride a bus, or apply for a building permit while their systems were down. The state of cyber security insurance is in such disarray right now that Warren Buffett, CEO of Berkshire Hathaway and Geico Insurance, refuses to sell these policies and sent a warning to investors to heavily scrutinize these types of policies.
For organizations interested in closing their security gap as much as possible to minimize the need for cyber security insurance, implementing security controls that provide a consistent security policy while minimizing attack surface, no matter where the user resides, helps to achieve a significant amount of coverage. "Good enough" security solutions are not enough to provide adequate coverage for value. If “good enough” security is implemented, sufficient compensating controls will also need to be in place, potentially negating any cost savings from the initial “good enough” security implementation.