My client complained that while they knew what was happening on their networks, they didn’t really know what was happening elsewhere. They had bought threat intelligence services that scrub the darknet looking for compromised data. They had signed up for government- and industry-run information-sharing partnerships in the jurisdictions where they operate. But still they felt uneasy about what they didn’t know.
As they should: The position is likely worse than they understand. What they know is what their existing controls illuminate—what might be termed the “known ambient threat.” The chance of those controls being ahead of emerging threats and malicious insiders is quite small. Board members typically look for external tests of their internal controls, and cite what happened in company X or what security service provider Y is saying. They are especially influenced by public reporting of major data and cyber events (and the increasingly large regulatory fines).
But this approach falls short: not all incidents are reported or become public. A quick review of the many major cyber incidents that Brunswick has handled for clients this year reveals that in the UK and Europe, fewer than 50 percent of clients chose to go public with the breach, yet around 60 percent saw it become public anyway. In the US, roughly 30 percent wanted to go public, but about 80 percent of incidents became public eventually.
In the UK and Europe, around 75 percent of clients had to report the incident to some regulatory body, while roughly a third claimed against insurance policies. In the US, roughly 60 percent reported to a regulator (including state attorneys general), and more than 80 percent claimed against insurance policies. In other words, the picture painted by regulators, the media and insurers is incomplete: each sees only the subset of incidents that reach it.
Even when an incident becomes public, the full nature of what happened is rarely revealed, either because of investigatory or legal constraints or simple corporate reticence. This may change if breach reporting becomes mandatory by law or if cross-sectoral data sharing at machine speed becomes standard, but that is nowhere near the case today.
And notice the strikingly different insurance claim figures between the US and Europe. The European market is less developed, with the consequence that there are too few claims in Europe for there to be a reliable actuarial risk model. We just don’t know how great the risk is.
Where does this leave my client? My advice was to work on the assumption of compromise, either technical or human, and build up organizational resilience against the potential fallout—to be prepared and expectant without being fearful. This gap between the reality of the cyber risk and what is planned for will close eventually, just not any time soon.