The last several months have seen a frightening jump in the fines and judgments against companies over cyber breaches. Uber settled on a $148M fine for their handling of their 2016 breach, Yahoo was hit with an SEC fine of $35M for their disclosure of the breach of their email accounts, and Anthem settled for $115M for litigation around their 2015 breach. It was not that long ago that an $8M fine was considered severe. Additionally, these figures are what the companies settled for, not what the original fine or judgment was going into the negotiations.
In addition to these recent fines, there is a flurry of legislation and regulatory action being passed and implemented from all corners of the globe. Everyone is familiar with the activation of the General Data Protection Regulation (GDPR) last May that carries up to 4% of company revenue as a fine. Congress has numerous bills in consideration and California is passing cyber laws faster than Keebler is making cookies.
Chip Block leads the Washington, DC, chapter of the FAIR Institute and is VP at Evolver, a Converged Security Solutions Company, based in Reston, VA, that runs large scale security operations centers for government and financial organizations and provides full cyber assessment and technology services for corporations, including FAIR risk analysis.
Obviously, we have entered into the punishment phase of the cyber world. Needless to say, I would recommend you have your general and outside counsel closely involved in your cyber program because they may become a key factor in your decision making. Having said that, I want to point out that looking at these fines as just top level risk numbers is incorrect and can lead to bad decisions.
Updating Risk Numbers to Keep Up with Fines
Based on the dramatic increase in fines, our team at Evolver has gone back to some of our past FAIR analyses and updated the risk numbers. When doing these updates, the value of FAIR, and the danger of not using FAIR, became evident to us. If the fines are looked at as just a top level increase in risk numbers, then the risk to all companies goes up. For example, if risk is calculated from the number of records/accounts compromised, as in the IBM/Ponemon approach, then every company's risk just went up with these increasing fines. If you take a deeper look into the fines and judgments, however, you see that there is more to them than just big numbers, and the details are important.
Within the FAIR model, one element of the Loss Magnitude calculation is Fines and Judgments. Obviously, the cases mentioned above fit within this element of the model. A critical question in doing the FAIR analysis is why the fine was levied. In both the Yahoo and Uber cases, the companies were not fined for being breached. They were fined for how they responded to the breach. So when calculating the risk, the likelihood of this type of fine depends on the actions the company takes after the breach, not merely on whether a breach occurs. If a company has strong incident response and decision making, the risk of this type of fine drops dramatically.
The value of FAIR, and the danger of not using a model of this type, becomes very apparent when looking at this situation. Instead of running to the board like Chicken Little as if the big fines were being levied on all breached companies, the reality of the situation becomes much clearer and, most importantly, actions to address the risk can be taken. As an example, we were able to run analyses calculating the risk to a company if it responded properly to a breach and then, using these new fine numbers, what that risk would be if it did not respond properly. Needless to say, the monetary risk number for responding poorly is significantly higher.
Putting FAIR Analysis into Action
What is the outcome of an analysis of this type? Action. Not only are we able to calculate the monetary risk, we are able to show the trade-off between specific actions and the risk they reduce. The fines themselves give specificity that can be used in the analysis. Take Yahoo: their fine from the SEC was for not informing shareholders. If the company under evaluation is not a public company, this risk is obviously pretty low. In Uber's case, the settlement was with all 50 states whose reporting laws were broken. If a company operates in only one state, that has an impact. If that state is California, it might be different still. For Anthem, being in the healthcare market was a major contributing factor in the case.
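To make the reasoning of the two passages above concrete (treating Fines and Judgments as a secondary loss whose probability depends on how the company responds and on which regulators actually have jurisdiction over it, then comparing the resulting risk numbers for two courses of action), here is a small FAIR-style simulation. It is added example code, not part of this post and not Evolver's or the FAIR Institute's tooling; every frequency, loss range and probability in it is a constructed placeholder that a real analysis would replace with calibrated estimates.

```python
"""FAIR-style annualized loss estimate with fines modelled as a conditional
secondary loss. Added example with constructed placeholder figures."""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Triangular:
    """Minimum / most-likely / maximum estimate, the shape FAIR analysts
    usually collect from subject-matter experts."""
    low: float
    mode: float
    high: float

    def expected(self) -> float:
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # Python's signature is triangular(low, high, mode).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Triangular        # Loss Event Frequency: breaches per year (assumed < 1)
    primary: Triangular    # primary loss per breach: response, notification, ...
    fine: Triangular       # Fines and Judgments, given that a fine is levied
    # Probability that a breach actually draws a fine. This is where the
    # analyst encodes both response quality (timely disclosure, mature IR)
    # and applicability (public company or not, states operated in, sector).
    p_fine_given_breach: float


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form expectation, used to sanity-check the simulation."""
    return s.lef.expected() * (
        s.primary.expected() + s.p_fine_given_breach * s.fine.expected()
    )


def simulate(s: Scenario, years: int = 100_000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years; returns mean, 95th percentile, max."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = s.lef.sample(rng)
        # Assumption: at most one loss event per simulated year (fine for lef < 1;
        # a Poisson draw would be needed for higher frequencies).
        if rng.random() >= lef:
            losses.append(0.0)
            continue
        loss = s.primary.sample(rng)
        if rng.random() < s.p_fine_given_breach:
            loss += s.fine.sample(rng)   # secondary loss: fine or judgment
        losses.append(loss)
    losses.sort()
    return {
        "mean": mean(losses),
        "p95": losses[int(0.95 * len(losses))],
        "max": losses[-1],
    }


# Constructed placeholder inputs shared by both scenarios.
BASE = dict(
    lef=Triangular(0.05, 0.10, 0.15),
    primary=Triangular(500_000, 1_000_000, 1_500_000),
    fine=Triangular(10_000_000, 40_000_000, 100_000_000),
)
# Only the conditional fine probability differs between the two courses of action.
STRONG_RESPONSE = Scenario("timely disclosure, mature IR", p_fine_given_breach=0.05, **BASE)
WEAK_RESPONSE = Scenario("delayed or concealed disclosure", p_fine_given_breach=0.60, **BASE)


if __name__ == "__main__":
    for s in (STRONG_RESPONSE, WEAK_RESPONSE):
        r = simulate(s)
        print(f"{s.name:32s} analytic ALE ${expected_annual_loss(s):>12,.0f}  "
              f"simulated mean ${r['mean']:>12,.0f}  p95 ${r['p95']:>12,.0f}")
```

The point of the structure is that a new headline fine changes only the `fine` range, while the company's own incident-response posture and jurisdictional exposure live in `p_fine_given_breach`; re-running both scenarios after updating either input is what lets the gap between "responded properly" and "did not" be quoted as a monetary figure rather than a vague warning.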
In a nutshell, the FAIR model provides a structured method for this type of detailed analysis. Additionally, as with our current clients, if a baseline quantification has already been performed, changes in the market, such as fines, can be recalculated in a matter of hours. The same can be applied to a wide variety of factors, from threats to supply chain. Most importantly, the result is actionable steps that can be planned, executed and measured.