There are four legitimate ways to treat risk: avoid it, accept it, mitigate it, and transfer it. If “transferring risk” is thought of at all in cyber security, it is usually about buying an insurance policy. And in fact cyber insurance is a rapidly growing market, although one with teething problems. Exactly what losses will be covered, and how will the extent of loss be determined? Will there be favorable pricing for firms that have a good security program in place, and if so, who will determine the effectiveness of the program a firm claims to have? What about the moral hazard problem: will insured parties have an incentive to be lax about, or to misrepresent, their security programs? How will rates be determined, given the carriers’ relative lack of loss data compared to other insured hazards?
Nevertheless, insurance carriers are keen on the opportunity and are developing packages of services that bundle legal advice and incident response with traditional insurance.
There are other ways to transfer risk, some of which look like “buying insurance” in a different guise, and some that look totally different. Financial institutions and other investors can hedge their investment positions by buying options or other derivative instruments. Credit default swaps (CDS) can insure a lender against default by a borrower – assuming the seller of the swap has the financial capacity to cover the default. (Overuse of CDSs, and underestimating their risk, contributed significantly to the 2008 financial crisis.)
A firm can also transfer risk, either partially or totally, to other firms through normal commercial contracts other than insurance policies. Many business-to-business contracts include service level agreements or other assurances of a minimum level of quality, sometimes with financial penalties for non-performance. The seller may have some ability to negotiate service level terms, depending on its market power relative to the buyer. I will likely not be successful in demanding a 99% on-time delivery guarantee from Amazon, but Amazon may get one from UPS.
Commercial contracts commonly have disclaimers, representations and warranties that protect suppliers from claims by customers. Whether such clauses can be used to protect a firm from cyber security risks depends on who has the market power, but also on what is customary and reasonable. A service provider may get a customer to agree that the customer is responsible for protecting its users’ passwords and network connection points. More generally, SSAE16 audit reports contain a section on the controls that the service provider relies on the customer to implement. In other words, “don’t blame me if the controls fail because of something you did.”
Transferring risk using contracts has its limits. The extent of risk transfer is often limited, either in scope (the kind of risk or the conditions covered) or in amount (the amount of loss or the number of occurrences). Even if the risk is legally transferred, it may not be practically transferred. The other party may not have the capacity, financial or otherwise, to absorb the risk. And even if it does, your firm may still experience some degree of loss. We may agree that you are responsible for protecting your passwords, but if an attacker penetrates my network due to your negligence, I still have an incident to manage. Finally, recognize the difference between the probability that a loss may occur and the amount of loss if it does occur. A conventional insurance policy protects the holder against some portion of the loss amount, whereas a supplier’s commitment to a robust security program should reduce the likelihood that a loss will occur at all.
Among the four recognized types of risk treatment, transferring the risk to a counterparty is one that is often overlooked as a management option. Transferring risk is the sibling of avoiding risk, and a strategy well worth considering. It is easy to fall into the trap of ignoring these two options if cybersecurity is over-delegated to IT engineers.