The New Social Contract in Cybersecurity: It’s Just Around the Corner
By Steve Soble
The Eighteenth Century was marked by two revolutions that destroyed the power of the leader to legislate—The French Revolution and The American Revolution. The Twenty-First Century is comfortably home to The Digital Revolution, which seems to be changing everything—self-driving vehicles, AI that calls up your favorite song, even robotic sex toys—but the issue of who exercises what power is still unsettled, according to many observers. While it is fascinating to discuss the Eighteenth Century political theory of Jean-Jacques Rousseau in his book, The Social Contract, a more practical and timely question is:
What does the Social Contract Mean for the Insurance Industry Today and Tomorrow?
The Social Contract
Recognized by his contemporary, Voltaire, as a clear, sensible thinker about the relationship between the monarchy and the people of France or any other country, Rousseau advocated the concept that normative law, to be legitimate, must emanate from the people or their representatives, not the monarch or the executive. We have come to take this idea for granted. It informs our notion of the rule of law and the role of law in our societies. It sparked the ideas behind our own Declaration of Independence. And it underpins the concept of separation of powers, most forcefully articulated by the US Constitution.
Cybersecurity and Insurance
There is no more important slice of reality today than Cybersecurity. It (or its absence) is everywhere—from interference in our elections, to regulatory requirements from New York Department of Financial Services (NY DFS), to the EU’s General Data Protection Regulation (GDPR) and more. Nothing causes the world of insurance and finance to lose sleep like cybersecurity. Those who argue that “being hacked” is a given are actually the enemies of the insurance industry. Insurance should be available to cover defined risks, which cannot be reasonably addressed by the client.
However, the grey area is enormous: Should a D&O policy be voidable if management failed to take all commercially reasonable steps to avoid a data breach? What if the Board of Directors chose to only review cybersecurity issues within the company once a year, which is the norm with a surprising percentage of boards? If a data breach occurred because of a known vulnerability in software (the most common occurrence) and the software manufacturer failed to push out a patch in a timely manner, has the software company assumed the risk of loss? How does the warranty of merchantability (a common law implied warranty which was alive and well with Rousseau and Voltaire) apply to legal rights, subrogation and claims settlement? And, we could list dozens more questions.
No doubt, the Insurance Industry must now rise to the challenge of the Cybersecurity Age with sound actuarial solutions, which drive commercially viable underwriting. At the same time, the jury is still out with regard to who will regulate what. In the US, we are seeing the NY DFS cybersecurity regulations stimulate a move at the National Association of Insurance Commissioners to adopt some form of similar multi-jurisdictional, if not nation- wide, standards. With state and umbrella organizations like these grabbing the initiative, one wonders what the role of the US government in the realm of cybersecurity is to be. In the meantime, the EU, through its sweeping GDPR initiative, is about to upend all of our comfort and expectations. Just think of this: Hilton International just settled a data breach case with the NYS Attorney General for about $700,000. The same set of facts under GDPR would have triggered a minimum fine of about $420 Million. And because Hilton holds vast amounts of PII belonging to EU citizens, they are undoubtedly in the crosshairs for an early review by the EU authorities, once GDPR takes effect next May.
Without a Digital Age-sensitive, redefined social contract in the field of insurance, unpredictable enforcement risks abound. Will the Federal Trade Commission (FTC) use its Article 5 powers to investigate an insurance company that says, in interstate commerce, that a customer’s data is safe with them, when, objectively, the insurance company has failed to protect the flow of data among and between its agents and brokers? This question is not far-fetched. Last year, the FTC entered into a consent decree with a major US law firm over their “false and misleading advertising” in interstate commerce. In that case, the law firm simply held out its quality legal team, expert in handling cyber-related legal issues. No client of the firm was injured. Yet, a disgruntled former client who knew something about cybersecurity also knew that the law firm’s systems, controls and high level of cyber risk were substantially outside the norm. Hence, the law firm by touting its cyber-expertise, made false and misleading statements to its clients and potential clients. Can every insurance company in the US, today, meet the requisite standard to avoid an FTC action?
What the Social Contract Means for the Insurance Industry
Today, one can argue that the law concerning cybersecurity liabilities is in flux. Certainly, much is in flux. Yet, it is clear that common law standards are alive and well and that a patchwork quilt of old laws, like the Federal Trade Commission Act, and new laws, like the NY DFS cybersecurity regulations, actually work together to define a new norm in required conduct for insurance companies and their insureds. New laws may be in the offing—think what Congress might do about regulating social media in response to the Russian placement of advertisements on social media. Let’s not forget the looming liability for many arising from the leak of The Panama Papers and now The Paradise Papers. What common law new lessons will arise from these debacles? Will the representatives of the people, at the US state or federal level or in a foreign jurisdiction, contrive a new set of rules to try to ameliorate the adverse consequences arising from the under- lying untoward actions—whether launching political propaganda or creating a system of offshore business transactions which might or might not give rise to legal liability today?
New laws may be in the offing—think what Congress might do about regulating social media in response to the Russian placement of advertisements on social media.
Here is What to Consider:
- Secure an Insightful Cybersecurity Risk Assessment. The best in breed provide a clear statement regarding what your organization is doing correctly and what commercially reasonable recommendations to reduce risk are appropriate for your organization. Canned, off-the-shelf assessments, and those conducted without a foundation of solid cybersecurity engineering prowess may be nothing more than a waste of money or, at best, an exercise in throwing money at the problem, not targeting investment to reduce risk.
- Make Sure the Risk Assessment Addresses Policies and Procedures. We often hear that cyber risk is people risk or that we all need to spend enormous sums on cyber training. Well, a higher truth is that cyber risk is infused in an organization from the board on down, and a thoughtful examination of policies, procedures, hiring, training and other practices and operations in the company is essential to an understanding of overall risk.
- Use Vulnerability Assessment to Mitigate Risk. As dis- cussed in a previous article, not all vulnerabilities are created equal. The most serious vulnerabilities are Known Vulnerabilities in the software resident on your networks today, because that is where the hackers thrive. Some companies will tout other needs or claim that they can read libraries, but not all of the binaries, when the higher truth is that hundreds of Known Vulnerabilities are discovered each week, but few can Detect Known Vulnerabilities buried in the executables, DLLs and libraries which make up the majority of the software code, but which are often packed, bundled or compressed, thereby rendering the binaries undetectable to most scanners. NY DFS requires a vulnerability scanning assessment twice a year, and a deep software scanner, capable of Detecting Known Vulnerabilities and providing the remediation instructions, is warranted.
- There is a New World of Encryption. The need for reduced cybersecurity risk, creates a need for encryption. NY DFS requires the use of encryption by its covered entities. There are three questions to address right away: What level of encryption do I need? How do I manage the trust levels of access to the encryption system? What do I do to ensure that my own encryption can’t be turned against me by a disgruntled employee or a hacker seeking a ransom? Any serious provider of encryption must be able to answer all three questions to your satisfaction.
- Learn Whether You Have an Ongoing Penetration and Reduce the Time of Detection of a New Breach. A new breed of products addressing these issues have entered the market. In our view, the best products quickly (a) scout out the existence of an ongoing breach (Today it can take up to 200 days on average to discover that a breach has occurred. Think about how long it took Equifax to find their breach.) and (b) daily search for a new breach through continuous monitoring. The very best systems will also have the ability to function like a Rosetta Stone, taking in dozens of different data feeds, in different languages and protocols, and then orchestrating the cacophony into a comfortable concerto.
Remediate, Take Actions to Reduce Your Risk and Measure Again. Today, everyone has a need to see clearly what cyber risks they carry. Once seeing the risk, a plan of attack must be defined. There is a key need to secure the participation and support of the Board of Directors. Risk mitigation requires informed leadership. And a tool is needed to measure what needs to be done, when and by whom, within an approved budget. Risk reduction plans may be multi-year plans, subject to periodic review and refinement.- Comply with Applicable Regulatory and Best Practices Requirements. A comprehensive plan, often coordinated with outside counsel and your outside cybersecurity engineers, is essential to insure cost-efficient and complete resolution of all of the regulatory, compliance and best practices standards that apply to your company. One-stop shopping can be the most cost-efficient means of achieving this. Remember, GDPR applies worldwide.
- Consider a Managed Security Service Provider. A few companies offer state-of-the-art assessments, services and products, with a mindset to providing ongoing support as needed. There are many who profess to work in this field, but it is not a matter of the name brand or longevity of the provider. It is all about quality, insight, persistence and dedication. Providing managed security services is not easy.
- Define Your Risk and Insure Against It. For an insurance company, suggesting the need for insurance is sometimes like advising a lawyer to seek legal counsel and representation. Defined risks are the province of specialized insurance companies and the best in breed are able to provide tailored, even substantial, policies backed by the strongest reinsures.
- Celebrate the Digital Age. It is important, after successfully managing so much hard work, to reflect on the advent of The Digital Age in which we live and to think about appropriate changes in the Social Contract. Then, it is critical to have a party, so that the lawyers, cybersecurity engineers, senior management, IT teams, boards and others can remind themselves that we are all human. We do have a need to succeed and to mitigate risk, but it is always the conclave of human players involved in a complex, common task who define the evolving social compact.
This article was originally printed in the Insurance Advocate in November 2017.
Stephen M. Soble is Chairman and CEO of Assured Enterprises, Inc. He is a graduate of Harvard Law School, is a member of the NYS bar. Nothing stated herein is intended to be and should not be construed to serve as legal advice. Please consult your legal counsel. Assured Enterprises is a premier Cyber Risk Assessment, Measurement and Mitigation company, inventor of innovative products and solutions for the US Government and private sector.