7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

1/20

Larry ClintonPresident

Internet Security Alliancelclinton@isalliance.org

703-907-7028

202-236-0001

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

2/20

ISAlliance Mission Statement

ISA seeks to integrate advancedtechnology with business economics

and effective public policy to create a

sustainable system of cyber security.

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

3/20

ISA Board of Directors

Ty Sagalow, Esq. ChairPresident, Innovation Division, ZurichTim McKnight Second V Chair,CSO, Northrop Grumman

Ken Silva, Immediate Past Chair, CSO VeriSignLt. Gen. Charlie Croom (Ret.) VP Cyber Security, Lockheed MartinJeff Brown, CISO/Director IT Infrastructure, RaytheonEric Guerrino, SVP/CIO, Bank of New York/Mellon FinancialPradeep Khosla, Dean Carnegie Mellon School of Computer SciencesJoe Buonomo, President, Direct Computer ResourcesBruno Mahlmann, VP Cyber Security, DellLinda Meeks, VP CISO Boeing CorporationJustin Somaini, CIO, SymantecGary McAlum, Sr. VP & CSO, USAAAndy Purdy, Chief Cyber Security Strategist CSC Corp.

J. Michael Hickey, 1st Vice ChairVP Homeland Security, VerizonMarc-Anthony Signorino, TreasureNational Association of Manufacturers

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

4/20

Roles and Responsibilites

The private sector owns 95% of the cyberinfrastructure

Government must provide for thecommon defense

The private sector must, by law, operate---not in the public interest---but to maximizeshareholder value

Economics must be at the core of thepublic private partnership

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

5/20

Cyber Security Economicsare Skewed

Responsibility, costs, harms andincentives are misaligned

Individual and Corporate Financial loss National Defense Core investment is undermined by edge

insecurity Enterprises are not structured to properly

analyze cyber risk

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

6/20

CURRENT ECONOMIC INCENTIVES

FAVOR ATTACKERS

Attacks are cheap and easy Vulnerabilities are almost infinite Profits from attacks are enormous

($ 1 TRILLION in 08)

Defense is costly (Usually no ROI) Defense is often futile Costs of Attacks are distributed

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

7/20

Historic Role of Insurance inCyber Security Policy

2002 The National Strategy to SecureCyber Space---market approach but noneed for incentives---policy makers think

insurance not ready for prime time

2004 Congress Creates CorporateInformation Security Working Group w/

Subgroup on incentives---cyber insuranceis advocated

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

8/20

Cyber Insurance in NationalPolicy

2006 ISA issues White Paper on the publicpolicy benefits of cyber insurancetestifies before Commerce and HLS

2007 ISA to Department of CommerceEconomic Security Working Group

2007 ANSI & ISA Publish 50 QuestionsCFOs Should Ask @ Cyber Security w/ Chon insurance & financial risk mangement

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

9/20

Public Policy & CyberInsurance History

2008 ISA Social Contract advocates useof cyber insurance

2009 President Obamas Cyber SpacePolicy Review advicates use of marketincentives

2009 Dept. of Homeland Security CrossSector Cyber Security Working Group (allcritical sectors) advocates incentivesincluding cyber insurance

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

10/20

History of Public Policy &Cyber Insurance

2010 White House holds spring conferececall w/industry academics and govt. on theuse of cyber insurance

FDIC holds conference on economics ofcyber security

Dept. of Commerce issues Notice ofInquiry on economics of cyber securityincluding use of cyber insurace

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

11/20

Legislation

Over 40 bills introduced covering Organizational ResponsibilitiesCompliance and Accountability

PII /data theft Cyber Security Education & R & D Critical Infrastructure/Vulnerability Analysis International Cooperation and Cyber crime Procurement Acquisition & Supply Chain

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

12/20

Some Major Bills

S 139 & HR 2221 Data Breach S 1438 & HR 4692 Internat Cyber CrimeS 921 FISMA Reform

HR 2071 Intel Reauthoriztion S 773 Comprehenseive (Commerce

Committee) S 3480 Comprehensive (Homeland

Security Committee)

HR 5026 Grid Reliability & Infrastructure

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

13/20

What (we think) is in the bill

Establish Private Sector Responsibility forCritical Infrastructure Protection

Govt. Role is oversight and assurecompliance (not fund)

Legislatively establish the cyber czarCreate mandatory technical standards forthe most critical infrastructure

Require bi-annual cyber security audits w/heavy civil fines for non-compliance

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

14/20

State of Play---Legislative

Majority Leader Reid has asked foragreement on a cyber security package

Combined Commerce/HLS bill circulatingamong other Senate Committies

New Draft expected shortlyHouse has not weighed in

White House has not weighed in Industry is fairly concerned

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

15/20

We need a total riskmanagement approach

The security discipline has so far beenskewed toward technologyfirewalls, ID

management, intrusion detectioninsteadof risk analysis andproactive intelligencegathering.

PWC Global Cyber Security Survey

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

16/20

Senior Exec do ARE NOT analyzing

Cyber Risk adequately

There is still a gap between IT andenterprise risk management. Surveyresults confirm the belief among IT

security professionals that Boards andsenior executives are not adequatelyinvolved in key areas related to the

governance of enterprise security.2010 Carnegie Mellon University CyLab Governance of

Enterprise Security Survey

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

17/20

Financial Management of

Cyber Risk

It is not enough for the information technologyworkforce to understand the importance ofcybersecurity; leaders at all levels of

government and industry need to be able tomake business and investment decisionsbased on knowledge of risks and potential

impacts.Presidents Cyber Space Policy Review May 30, 2009

page 15

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

18/20

White House Meeting onCyber Security July 14

President Obama, Sec Locke, Sec.Napolitano, Howard Schmidt (others)

Commerce speaks before DHS Schmidt: need to up costs for attackers Obama: interconnected nature of the

internet will make it difficult to regulate forsecurity

Legislation moving in different direction

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

19/20

Obamas Report on Cyber

Security (May 30, 2009)

The government, working with State and localpartners, should identify procurement strategies thatwill incentivize the market to make more secure

products and services available to the public.Additional incentive mechanisms that thegovernment should explore include adjustments toliability considerations (reduced liability in exchangefor improved security or increased liability for theconsequences of poor security), indemnification, tax

incentives, and new regulatory requirements andcompliance mechanisms.Presidents Cyber Space Policy Review May 30,2009 page vs.

Quoting Internet Security Alliance Cyber SecuritySocial Contract: Recommendations to the Obama

th

7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation

20/20

Larry ClintonPresident

Internet Security Alliancelclinton@isalliance.org

703-907-7028

202-236-0001