UNDERSTANDING CYBER RISK:
Challenges in the Business and
Law of Cybersecurity
Jay P. Kesan, Ph.D., J.D.
Professor and H. Ross & Helen Workman Research Scholar
University of Illinois at Urbana-Champaign
All recent work is on the Social Science Research Network, http://www.ssrn.com
Thanks to my students and colleagues, Linfeng Zhang, Carol M. Hayes, and the Critical
Infrastructure Resilience Institute (CIRI), a DHS COE at the University of Illinois
Cybersecurity Concern
• Cybersecurity is tied to the health of the U.S. economy. Malicious cyberattacks
could throw the financial industry into chaos.
• The World Economic Forum estimates that ineffective cybersecurity may cost the world’s
economy as much as $3 trillion by 2020.
• Cybersecurity is also national security. Critical infrastructure systems, from
transportation to nuclear power, are vulnerable to cyberattacks.
• Hospitals and police departments have been targeted with ransomware that severs access to
vital information.
• The primary focus of my work is the private sector and improving cybersecurity
there through market-oriented solutions.
• Proper risk assessment and management can improve companies’ resilience
against cyber risks through market-based solutions.
Cyber Risk Definition
• “Operational risks to information and technology assets that have consequences
affecting the confidentiality, availability, or integrity of information or information
systems”.
• Encompasses various types of cyber incidents caused by different perils:
1. Cyber Extortion
2. Data - Malicious Breach
3. Data - Physically Lost or Stolen
4. Data - Unintentional Disclosure
5. Denial of Service (DDOS)/System Disruption
6. Digital Breach/Identity Theft
7. Identity - Fraudulent Use/Account Access
8. Industrial Controls & Operations
9. IT - Configuration/Implementation Errors
10. IT - Processing Errors
11. Network/Website Disruption
12. Phishing, Spoofing, Social Engineering
13. Privacy - Unauthorized Contact or Disclosure
14. Privacy - Unauthorized Data Collection
15. Skimming, Physical Tampering
Cyber Risk in Private Sector
• The general awareness of cybersecurity is low
• Businesses and individuals often underestimate the risk they are
facing
• Cognitive biases that may lead to unpreparedness (Meyer &
Kunreuther):
• Myopia: Lack of long-term planning for cyber risk
• Amnesia: Not learning from past experiences
• Optimism: Underestimating the probability of cyber incidents
• Inertia: Hesitating to make changes and invest in cybersecurity
• Simplification: Overlooking cyber risks altogether
• Herding: Lack of a cyber risk management culture
Managing Cyber Risk
• Different ways to manage cyber risk
• Avoidance (e.g., not using cyber systems at all)
• Mitigation (enhance cybersecurity and reduce exposure)
• Self-insurance
• Transfer to third-party (cyber insurance)
• Cyber insurance is a risk transfer vehicle
• Complement to cybersecurity enhancement
• Helps insured businesses quickly recover from cyber incidents
Status of Cyber Insurance
• The market is still in its infancy
• U.S. penetration level of insureds is < 15% (< 1% in other countries and
regions)
• Less than 5% of small and medium-sized businesses purchase cyber insurance
in the U.S.
• The market is growing
• $2 billion written premium in 2018
• Annual growth rate in terms of written premiums is slowing down
• 12% growth in 2018, 30% in 2016 and 2017 (Data Source: A.M. Best)
• The market has a lot of uncertainty and lacks insights
• Warren Buffett’s comments on cyber insurance: “We don’t want to be a
pioneer on this. I don’t think we or anybody else really knows what they’re
doing when writing cyber.”
Issues with Cyber Insurance Market
• Lack of sound cyber risk
assessment – data, analyses, and
metrics
• Large understanding gaps between
directors and managers within
organizations and between insured
and insurers regarding cyber risk
• Difficult for organizations to create
optimal risk management plans or
consider cyber insurance as a feasible
risk management solution
• Organizations are often
underprepared for cyber incidents
Questions We Try to Answer
• Financial Risk:
• Businesses face all kinds of financial risks:
• Property damage
• Shareholder value
• Reputational risk
• Notification costs (obligation to authorities, customers)
• Business interruption costs
• What is the financial risk associated with the most likely breach?
• How likely is such a breach?
• How much financial risk should we transfer (through insurance)?
• Legal Risk:
• What is our exposure to third-party liability claims?
• Will my insurance cover my losses?
Our Approach to Estimating Cyber Risk
• Gathering extensive public and private data regarding known cyber
incidents from multiple sources, coding and tracking multiple variables
• Performing extensive analyses on every important aspect of cyber
risk, such as economic, financial, reputational and legal impact, to get
more insight into cyber risk
• Uniqueness: the comprehensiveness of the multiple datasets we are
building, which allows us to carry out research on important topics, such as
the financial impact of cyber incidents, that no prior studies have
covered.
Our Solutions
• Financial Risk Solution: Cyber Risk Impact–Data and Analytics (CRIDA)
• Identify financial risks and predict future risks based on empirical and event
analysis of:
• Historical and real-time cyber incident databases
• Historical and real-time financial and capital losses
• Legal Risk Solution: Cyberinsurance Litigation Analytics Database
(CLAD)
• Affordable, accessible SaaS that allows businesses to identify legal risks based
on:
• Historical court rulings on cyber-relevant insurance litigations
• Our interpretations and analyses of these litigations
CRIDA (Cyber Risk Impact–Data and Analytics)
• CRIDA utilizes cyber incident data and our predictive models to
perform cyber risk assessment and forecast future cyber risk based
on users’ input.
• Helping businesses understand the causes and outcomes of cyber incidents,
so they can take appropriate measures to avoid or mitigate cyber risk
• Identifying major trends in cyber risk to help businesses prioritize risk
management tasks
• Estimating the frequency and severity of cyber incidents, which gives insights
into the financial aspect of cyber risk
• Helping insurers distinguish companies with different risk levels
CRIDA - Identify Trends
• CRIDA helps businesses identify major
trends in cyber risk
• Example 1:
For a large financial institution (i.e.,
in the Finance and Insurance
industry with more than 500
employees), this plot shows how the
expected number of incidents it
experiences in a year changes over
time.
CRIDA - Comparison between Risks
For example: Malicious Data Breaches and Unintentional Data Disclosure are similar (both represent a breach of the
confidentiality of information), but:
• Malicious Data Breach (red) has a higher probability of causing losses (left figure)
• Unintentional Data Disclosure (blue) has a higher severity in general (right figure, higher mean, larger right
tail)
CRIDA - Estimate Cyber Loss
• Based on our predictive models, CRIDA forecasts the incident frequency and
severity in a future year, say 2020, and provides intuitive summary statistics.
• For example, CRIDA provides an estimation that in 2020, a large financial
institution has a 79.27% probability of suffering a loss from cyber incidents, and
there is a 5% probability that the loss will exceed $148.79 million.
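The slides do not describe CRIDA's models, so the following is an added illustration rather than CRIDA's own code: a compound frequency-severity simulation in which a Poisson count of loss-causing incidents per year is combined with a lognormal loss per incident, producing the two kinds of summary statistic quoted above (the probability of suffering any loss, and the loss exceeded with 5% probability). The Poisson rate is constructed so that the analytic probability of at least one incident equals the 79.27% on the slide; the severity parameters (median loss $2 million, sigma 1.5) are assumptions.

```python
# Added example: compound frequency-severity simulation of annual cyber loss.
# This is not CRIDA's model; the slides do not describe its internals. The
# parameters below are constructed/assumed so the output resembles the slide.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    """Annual loss model: Poisson incident count, lognormal loss per incident."""
    annual_rate: float   # expected loss-causing incidents per year (Poisson mean)
    log_median: float    # ln(median loss per incident, USD) = lognormal mu
    log_sigma: float     # lognormal sigma; larger means a heavier right tail


# Constructed so that P(at least one incident) = 1 - exp(-rate) = 0.7927,
# the "probability of suffering a loss" quoted on the slide. The severity
# parameters are assumptions, not values taken from the slides.
LARGE_FINANCIAL = LossModel(
    annual_rate=-math.log(1.0 - 0.7927),
    log_median=math.log(2_000_000.0),
    log_sigma=1.5,
)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for small rates like these."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(model: LossModel, years: int, seed: int = 7) -> list[float]:
    """One simulated calendar year per entry: the sum of losses over its incidents."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        incidents = sample_poisson(rng, model.annual_rate)
        total = sum((rng.lognormvariate(model.log_median, model.log_sigma)
                     for _ in range(incidents)), 0.0)
        losses.append(total)
    return losses


def analytic_p_any_loss(model: LossModel) -> float:
    """Probability that the Poisson count is non-zero: 1 - P(N = 0)."""
    return 1.0 - math.exp(-model.annual_rate)


def summarize(losses: list[float], tail_prob: float = 0.05) -> dict:
    """Summary statistics of the kind the slide reports for a future year."""
    n = len(losses)
    ordered = sorted(losses)
    # Smallest sample value with at least (1 - tail_prob) of the mass at or below it.
    idx = max(0, math.ceil((1.0 - tail_prob) * n) - 1)
    tail_loss = ordered[idx]
    return {
        "p_any_loss": sum(1 for x in losses if x > 0.0) / n,
        "mean_loss": sum(losses) / n,
        "tail_loss": tail_loss,   # loss exceeded with probability at most tail_prob
        "tail_exceed_frac": sum(1 for x in losses if x > tail_loss) / n,
    }


if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(LARGE_FINANCIAL, years=20_000))
    print(f"P(any loss): simulated {stats['p_any_loss']:.4f}, "
          f"analytic {analytic_p_any_loss(LARGE_FINANCIAL):.4f}")
    print(f"mean annual loss ${stats['mean_loss'] / 1e6:.2f}M; "
          f"5% exceedance loss ${stats['tail_loss'] / 1e6:.2f}M")
```

The simulated probability of any loss converges on the analytic value, while the 5% exceedance loss sits well above the mean because the lognormal severity is right-skewed, which is the gap between "expected loss" and "tail loss" that a risk transfer decision turns on.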
CRIDA – Distinguish Risks
• CRIDA makes it easier for insurers to compare the cyber risk of
different companies.
• Comparison between companies of the same size in different sectors
• A financial institution with more than 500 employees
• A manufacturing company with more than 500 employees
CRIDA - Distinguish risks (cont’d)
• CRIDA makes it easier for insurers to compare the cyber risk of
different companies.
• Comparison between companies of different sizes in the same sector
• A large financial institution with more than 500 employees
• A small financial institution with fewer than 10 employees
CLAD - Insurance Litigation
• Cyberinsurance Litigation Analytics
Database (CLAD)
• Granularly coded and extensively
analyzed every lawsuit (170+) at the
federal and state level involving
cyber losses and insurance
coverage
• Analysis of Litigated Policies
Identifies the Sources of Legal Risk in
Policy Coverage
• Understand the sources of legal
uncertainty that aggravate an
already uncertain cyber insurance
market
• Propose policy recommendations
CLAD - Insurance Litigation
• Most of the Policies Were Not
Cyber Policies
• A lot of the insurance litigation
involved applying Commercial
General Liability policies to digital
harms.
• Many cases involved multiple
policies.
• “Technology” policies included
cyber insurance policies as well as
technology errors and omissions.
[Chart: Policies in 176 cases, broken down by policy type: CGL; CGL and Technology; Crime and Technology; Crime policy; D&O; D&O and Technology; First party; First party and Technology; Multiple. The per-category counts are not recoverable from the extracted text.]
Incentivizing Reduction of Cyber Risk
Through Legal Reform
Liability for “Data-Related Injuries”
• Data insecurity affects all of us to a significant degree
• Law needs to step forward and cope with the challenges
posed by data breaches, data misuse, and data injuries
• To create an analytical framework for data breach cases, we
need to address:
• Duty and injury, which shape the contours of liability for
data injuries
Liability for “Data-Related Injuries” (contd.)
• Courts should recognize a legal duty to secure data
• This duty is made necessary by the pervasive cognitive biases
that result in systematic underestimation of cyber risk by
firms and individuals
• This underestimation interferes with the risk management
process
• Recognizing a legal duty encourages engagement in a risk-management
process: mitigate, self-insure, or transfer the risk to a third-party
insurer
Liability for “Data-Related Injuries” (contd.)
• Courts are struggling to fit data insecurity injuries within
existing legal models
• Part of the reason is the preoccupation with economic harm,
which is a poor method for quantifying privacy injuries.
• The erosion of privacy through neglect of security is troubling;
the legal system must shift away from traditional economic
measurements of injury and focus instead on the fact that data
insecurity is a social harm.
• Data insecurity is both a privacy injury and an injury to autonomy
that interferes with self-determination, and it should be analyzed
as such.
CFAA Needs Revisiting/Reform
• Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
• Congress enacted a version of the CFAA in 1984 and substantially
amended it in 1986. Between 1986 and 2017, the CFAA was amended nine
times, with the most recent amendments in 2008
• The CFAA broadly prohibits unauthorized activity on a protected
computer, and a few other offenses
• There is considerable disagreement on the meaning of
“Authorization,” “Damage,” “Loss,” and the application of the CFAA to
active defense (i.e., hackback) and cloud computing
Need for Federal Data Breach Legislation
• No general federal data breach law
• Some sector-specific federal information privacy statutes include
requirements to follow in the event of a breach
• Today, data breach statutes are state laws
• The adoption of state data breach laws was spread out over a decade.
As of 2018, all fifty states have a data breach statute
• Large state-by-state variations in:
• What information must be protected under the law
• When breached entities must provide notification, and to whom
• Whether a private cause of action is provided
Federal and State Identity Theft Laws
• Identity theft laws in the U.S. have wide variation across all fifty states
and at the federal level.
• The federal law, 18 U.S.C. § 1028, covers eight different scenarios,
using various requisite intents and acts.
• All these crimes are classified as “fraud and related activity in
connection with identification documents.”
South Dakota Cyber Security Laws
• Computer Crime, S.D. Cod. Laws §§ 43-43B-1 to 43-43B-8
• Identity Theft, S.D. Cod. Laws §§ 22-40-8 to 22-40-18
• False Personation, S.D. Cod. Laws § 22-40-1
• Data Breaches, S.D. Cod. Laws §§ 22-40-19 to 22-40-26
 
如何办理纽约州立大学石溪分校毕业证学位证书
 如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书
 
The Patents Act 1970 Notes For College .pptx
The Patents Act 1970 Notes For College .pptxThe Patents Act 1970 Notes For College .pptx
The Patents Act 1970 Notes For College .pptx
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
 
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
 
如何办理威斯康星大学密尔沃基分校毕业证学位证书
 如何办理威斯康星大学密尔沃基分校毕业证学位证书 如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书
 
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
 
如何办理佛蒙特大学毕业证学位证书
 如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 
SecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdfSecuritiesContracts(Regulation)Act,1956.pdf
SecuritiesContracts(Regulation)Act,1956.pdf
 
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
 
Key Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax RatesKey Factors That Influence Property Tax Rates
Key Factors That Influence Property Tax Rates
 
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
 
Role and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and ApproachRole and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and Approach
 

Understanding Cyber Risk Challenges

1. UNDERSTANDING CYBER RISK: Challenges in the Business and Law of Cybersecurity
Jay P. Kesan, Ph.D., J.D.
Professor and H. Ross & Helen Workman Research Scholar, University of Illinois at Urbana-Champaign
All recent work is on the Social Science Research Network, http://www.ssrn.com
Thanks to my students and colleagues, Linfeng Zhang, Carol M. Hayes, and the Critical Infrastructure Resilience Institute (CIRI), a DHS COE at the University of Illinois

2. Cybersecurity Concern
• Cybersecurity is tied to the health of the U.S. economy. Malicious cyberattacks could throw the financial industry into chaos.
  • The World Economic Forum estimates that ineffective cybersecurity may cost the world's economy as much as $3 trillion by 2020.
• Cybersecurity is also national security. Critical infrastructure systems, from transportation to nuclear power, are vulnerable to cyberattacks.
  • Hospitals and police departments have been targeted with ransomware that severs access to vital information.
• The primary focus of my work is the private sector, and improving cybersecurity there through market-oriented solutions.
• Proper risk assessment and management can improve companies' resilience against cyber risks through market-based solutions.

3. Cyber Risk Definition
• "Operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems."
• Encompasses various types of cyber incidents caused by different perils:
  1. Cyber Extortion
  2. Data - Malicious Breach
  3. Data - Physically Lost or Stolen
  4. Data - Unintentional Disclosure
  5. Denial of Service (DDOS)/System Disruption
  6. Digital Breach/Identity Theft
  7. Identity - Fraudulent Use/Account Access
  8. Industrial Controls & Operations
  9. IT - Configuration/Implementation Errors
  10. IT - Processing Errors
  11. Network/Website Disruption
  12. Phishing, Spoofing, Social Engineering
  13. Privacy - Unauthorized Contact or Disclosure
  14. Privacy - Unauthorized Data Collection
  15. Skimming, Physical Tampering

4. Cyber Risk in the Private Sector
• General awareness of cybersecurity is low.
• Businesses and individuals often underestimate the risk they are facing.
• Cognitive biases that may lead to unpreparedness (Meyer & Kunreuther):
  • Myopia: lack of long-term planning for cyber risk
  • Amnesia: not learning from past experiences
  • Optimism: underestimating the probability of cyber incidents
  • Inertia: hesitating to make changes and invest in cybersecurity
  • Simplification: overlooking cyber risks altogether
  • Herding: lack of a cyber risk management culture

5. Managing Cyber Risk
• Different ways to manage cyber risk:
  • Avoidance (e.g., not using cyber systems at all)
  • Mitigation (enhance cybersecurity and reduce exposure)
  • Self-insurance
  • Transfer to a third party (cyber insurance)
• Cyber insurance is a risk transfer vehicle:
  • A complement to cybersecurity enhancement
  • Helps insured businesses recover quickly from cyber incidents

6. Status of Cyber Insurance
• The market is still in its infancy:
  • U.S. penetration level of insureds is < 15% (< 1% in other countries and regions)
  • Less than 5% of small and medium-sized businesses in the U.S. purchase cyber insurance
• The market is growing:
  • $2 billion written premium in 2018
  • Annual growth in written premiums is slowing down: 12% growth in 2018, versus 30% in 2016 and 2017 (data source: A.M. Best)
• The market has a lot of uncertainty and lacks insights. Warren Buffett's comment on cyber insurance: "We don't want to be a pioneer on this. I don't think we or anybody else really knows what they're doing when writing cyber."

7. Issues with the Cyber Insurance Market
• Lack of sound cyber risk assessment: data, analyses, and metrics
• Large understanding gaps regarding cyber risk, both between directors and managers within organizations and between insureds and insurers
• Difficult for organizations to create optimal risk management plans or to consider cyber insurance as a feasible risk management solution
• Organizations are often underprepared for cyber incidents

8. Questions We Try to Answer
• Financial risk. Businesses face all kinds of financial risks:
  • Property damage
  • Shareholder value
  • Reputational risk
  • Notification costs (obligations to authorities and customers)
  • Business interruption costs
  • What is the financial risk associated with the most likely breach?
  • How likely is such a breach?
  • How much financial risk should we transfer (through insurance)?
• Legal risk:
  • What is our exposure to third-party liability claims?
  • Will my insurance cover my losses?

9. Our Approach to Estimating Cyber Risk
• Gathering extensive public and private data on known cyber incidents from multiple sources, coding and tracking multiple variables
• Performing extensive analyses on every important aspect of cyber risk, such as economic, financial, reputational and legal impact, to gain more insight into cyber risk
• Uniqueness: the comprehensiveness of the multiple datasets we are building. This allows us to carry out research on important topics, such as the financial impact of cyber incidents, that no prior studies have covered.

10. Our Solutions
• Financial risk solution: Cyber Risk Impact - Data and Analytics (CRIDA)
  • Identifies financial risks and predicts future risks based on empirical and event analysis of:
    • Historical and real-time cyber incident databases
    • Historical and real-time financial and capital losses
• Legal risk solution: Cyberinsurance Litigation Analytics Database (CLAD)
  • Affordable, accessible SaaS that allows businesses to identify legal risks based on:
    • Historical court rulings in cyber-relevant insurance litigation
    • Our interpretations and analyses of that litigation

11. CRIDA (Cyber Risk Impact - Data and Analytics)
• CRIDA uses cyber incident data and our predictive models to perform cyber risk assessment and to forecast future cyber risk based on users' input:
  • Helping businesses understand the causes and outcomes of cyber incidents, so they can take appropriate measures to avoid or mitigate cyber risk
  • Identifying major trends in cyber risk to help businesses prioritize risk management tasks
  • Estimating the frequency and severity of cyber incidents, which gives insight into the financial aspect of cyber risk
  • Helping insurers distinguish companies with different risk levels

12. CRIDA - Identify Trends
• CRIDA helps businesses identify major trends in cyber risk.
• Example 1: for a large financial institution (i.e., in the Finance and Insurance industry with more than 500 employees), the accompanying plot shows how the expected number of incidents it experiences in a year changes over time.

13. CRIDA - Comparison between Risks
• For example, Malicious Data Breach and Unintentional Data Disclosure are similar (both represent a breach of confidentiality of information), but:
  • Malicious Data Breach (red) has a higher probability of causing losses (left figure)
  • Unintentional Data Disclosure (blue) has a higher severity in general (right figure: higher mean, larger right tail)

14. CRIDA - Estimate Cyber Loss
• Based on our predictive models, CRIDA forecasts the incident frequency and severity in a future year, say 2020, and provides intuitive summary statistics.
• For example, CRIDA estimates that in 2020 a large financial institution has a 79.27% probability of suffering a loss from cyber incidents, and that there is a 5% probability that the loss will exceed $148.79 million.

15. CRIDA - Distinguish Risks
• CRIDA makes it easier for insurers to compare the cyber risk of different companies.
• Comparison between companies of the same size in different sectors:
  • A financial institution with more than 500 employees
  • A manufacturing company with more than 500 employees

16. CRIDA - Distinguish Risks (cont'd)
• CRIDA makes it easier for insurers to compare the cyber risk of different companies.
• Comparison between companies of different sizes in the same sector:
  • A large financial institution with more than 500 employees
  • A small financial institution with fewer than 10 employees
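The CRIDA figures on slides 13 to 16 (the probability of any loss in a year, the loss level exceeded with 5% probability, frequency plotted against severity, and the comparison of company classes) are the outputs of a frequency-severity model. The block below is an added illustration of that kind of model and is not CRIDA's code, its fitted parameters, or its data: it simulates annual aggregate loss as a compound Poisson (incident count) and lognormal (per-incident loss) process. Every number in it is a hypothetical placeholder, the two company profiles are made-up stand-ins for the "large financial" and "large manufacturing" classes on slide 15, and the names RiskProfile, simulate_annual_losses, summarize, theoretical_stats and compare are my own.

```python
"""Compound Poisson / lognormal simulation of annual cyber loss.

Added illustration only. Parameters are hypothetical placeholders, not
CRIDA's fitted values; the closed-form checks in theoretical_stats are how
a practitioner validates the simulation before trusting its tail numbers.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class RiskProfile:
    """One company class. All numbers are assumed for illustration."""
    name: str
    incident_rate: float   # expected incidents per year (Poisson lambda)
    log_mu: float          # lognormal location of the per-incident loss (USD)
    log_sigma: float       # lognormal scale; larger means a heavier right tail


# Hypothetical profiles standing in for the slide's comparison classes.
LARGE_FINANCIAL = RiskProfile("Finance & Insurance, >500 employees",
                              incident_rate=1.5, log_mu=math.log(200_000), log_sigma=1.2)
LARGE_MANUFACTURING = RiskProfile("Manufacturing, >500 employees",
                                  incident_rate=0.6, log_mu=math.log(150_000), log_sigma=1.0)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Poisson draw by Knuth's multiplication method (adequate for small lambda)."""
    limit = math.exp(-lam)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return count
        count += 1


def simulate_annual_losses(profile: RiskProfile, n_years: int, seed: int = 7) -> list[float]:
    """Return n_years simulated aggregate annual losses in USD.

    Each year draws an incident count from Poisson(incident_rate) and sums one
    lognormal severity per incident; a year with no incidents has loss 0.
    The fixed seed makes runs reproducible, which matters when a number is
    going into a pricing or retention decision.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        incidents = sample_poisson(rng, profile.incident_rate)
        losses.append(sum(rng.lognormvariate(profile.log_mu, profile.log_sigma)
                          for _ in range(incidents)))
    return losses


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Empirical P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses: list[float], tail_prob: float = 0.05) -> dict[str, float]:
    """Summary statistics of the kind a risk dashboard reports.

    var is the loss level exceeded with probability tail_prob (Value at Risk,
    the "5% probability that the loss will exceed" figure); tvar is the mean
    loss once that level is reached, which an insurer uses to size retention
    and reinsurance because VaR alone says nothing about how bad the tail is.
    """
    ordered = sorted(losses)
    var_index = max(0, math.ceil((1.0 - tail_prob) * len(ordered)) - 1)
    return {
        "p_any_loss": exceedance_probability(losses, 0.0),
        "expected_loss": mean(losses),
        "median_loss": median(losses),
        "var": ordered[var_index],
        "tvar": mean(ordered[var_index:]),
    }


def theoretical_stats(profile: RiskProfile) -> dict[str, float]:
    """Closed-form checks for the simulation: P(at least one incident) and
    E[annual loss] = lambda * E[severity] for a compound Poisson model."""
    return {
        "p_any_loss": 1.0 - math.exp(-profile.incident_rate),
        "expected_loss": profile.incident_rate
        * math.exp(profile.log_mu + profile.log_sigma ** 2 / 2),
    }


def compare(profiles, n_years: int = 20_000) -> dict[str, dict[str, float]]:
    """Side-by-side summaries, as in the slide's cross-sector comparison."""
    return {p.name: summarize(simulate_annual_losses(p, n_years)) for p in profiles}


if __name__ == "__main__":
    for name, stats in compare([LARGE_FINANCIAL, LARGE_MANUFACTURING]).items():
        print(name)
        for key, value in stats.items():
            suffix = f"{value:.4f}" if key == "p_any_loss" else f"${value:,.0f}"
            print(f"  {key:>14}: {suffix}")
```

Two things the slides do not spell out show up immediately when you run this: the probability of any loss depends only on the incident rate (it is 1 - e^-lambda, independent of severity), so a sector can have a lower chance of any loss and still a larger 5% tail loss if its severity distribution is heavier; and the reported VaR is a single simulated quantile, so the tail mean (tvar) and the closed-form checks are what keep the headline number honest.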
17. CLAD - Insurance Litigation
• Cyberinsurance Litigation Analytics Database (CLAD)
• Granularly coded and extensively analyzed every lawsuit (170+) at the federal and state level involving cyber losses and insurance coverage
• Analysis of the litigated policies identifies the sources of legal risk in policy coverage
• Understand the sources of legal uncertainty that aggravate an already uncertain cyber insurance market
• Propose policy recommendations

18. CLAD - Insurance Litigation
• Most of the policies were not cyber policies.
• A lot of the insurance litigation involved applying Commercial General Liability (CGL) policies to digital harms.
• Many cases involved multiple policies.
• "Technology" policies included cyber insurance policies as well as technology errors and omissions.
[Chart: Policies in 176 cases, by policy type: CGL; CGL and Technology; Crime and Technology; Crime policy; D&O; D&O and Technology; First party; First party and Technology; Multiple]

19. Incentivizing Reduction of Cyber Risk Through Legal Reform

20. Liability for "Data-Related Injuries"
• Data insecurity affects all of us to a significant degree.
• The law needs to step forward and cope with the challenges posed by data breaches, data misuse, and data injuries.
• To create an analytical framework for data breach cases, we need to address the Duty and the Injury that shape the contours of liability for data injuries.

21. Liability for "Data-Related Injuries" (cont'd)
• Courts should recognize a legal duty to secure data.
• This duty is made necessary by the pervasive cognitive biases that result in systematic underestimation of cyber risk by firms and individuals.
• This underestimation interferes with the risk management process.
• Recognizing a legal duty encourages engagement in a risk-management process: mitigate, self-insure, or insure with a third party.

22. Liability for "Data-Related Injuries" (cont'd)
• Courts are struggling to fit data insecurity injuries within existing legal models.
• Part of the reason is the preoccupation with economic harm, which is a poor method for quantifying privacy injuries.
• The erosion of privacy through neglect of security is troubling, and the legal system must shift away from traditional economic measurements of injury and focus instead on the fact that data insecurity is a social harm.
• Data insecurity is both a privacy injury and an injury to autonomy that interferes with self-determination, and it should be analyzed as such.

23. CFAA Needs Revisiting/Reform
• Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
• Congress enacted a version of the CFAA in 1984 and substantially amended it in 1986. Between 1986 and 2017 the CFAA was amended nine times, most recently in 2008.
• The CFAA broadly prohibits unauthorized activity on a protected computer, plus a few other offenses.
• There is considerable disagreement on the meaning of "authorization," "damage," and "loss," and on the application of the CFAA to active defense (i.e., hackback) and cloud computing.

24. Need for Federal Data Breach Legislation
• No general federal data breach law.
• Some sector-specific federal information privacy statutes include requirements to follow in the event of a breach.
• Today, data breach statutes are state laws.
• The adoption of state data breach laws was spread out over a decade. As of 2018, all fifty states have a data breach statute.
• Large state-by-state variations in:
  • What information must be protected under the law
  • When breached entities must provide notification, and to whom
  • Whether a private cause of action is provided

25. Federal and State Identity Theft Laws
• Identity theft laws in the U.S. vary widely across the fifty states and at the federal level.
• The federal law, 18 U.S.C. § 1028, covers eight different scenarios, with various requisite intents and acts.
• All of these crimes are classified as "fraud and related activity in connection with identification documents."

26. South Dakota Cyber Security Laws
• Computer Crime, S.D. Cod. Laws §§ 43-43B-1 to 43-43B-8
• Identity Theft, S.D. Cod. Laws §§ 22-40-8 to 22-40-18
• False Personation, S.D. Cod. Laws § 22-40-1
• Data Breaches, S.D. Cod. Laws §§ 22-40-19 to 22-40-26

Editor's Notes

  1. Vicious circle in cyber insurance market
  2. Identified and analyzed litigation relevant to cyber insurance policies to evaluate legal needs in this area.