It is a well-known fact that cyber attacks pose a significant risk to businesses. Most recently, we have seen how the cyber attack on Target resulted in lower sales, higher costs, and a loss of customer trust. In addition, business partners, such as the card issuers and payment processors are also impacted financially by this breach. According to Lloyd’s Risk Index Report for 2013, only high taxation and loss of customers ranked higher than cyber security as top concerns faced by global businesses. The key difference between these top two risks and cyber risk is the availability of information.
While forecasting tax rates and revenue is not easy, there is publically available information that can be used to build predictive models, such as GDP forecasts, commodity prices, and proposed new government regulation. In contrast, very little information is available to risk managers, insurers and regulators to understand and manage cyber risk. In particular, security incident and data breach information are woefully lacking. With minimal insight into who has been attacked and the impact of the attack, it is difficult for business, consumers and policymakers to understand and manage cyber risk.
Forty-eight U.S. states have breach notification laws for incidents involving the loss of consumer data. None have notification requirements for the breach of non Personally Identifiable Information (PII), such as the loss of corporate intellectual property. The threshold, reporting requirements and breach definition varies significantly state by state. Massachusetts requires any data breach impacting a resident be reported to the state Attorney General. California requires that only breaches affecting more than 500 residents be reported to the state Attorney General. The result is that the California Attorney General reported only 131 breaches in 2012 while the Massachusetts Attorney General reported 1,118 during the same year. Assuming roughly similar business practices from state to state, it does not make sense that California, a state with more than five times the number of businesses than Massachusetts, would report only 12 percent the number of breaches as Massachusetts.
In addition to state disclosures, there are a number of other organizations that gather information on data breaches and security incidents. For example, Verizon’s 2013 Data Breach Investigations Report (DBIR) gathered data from contributors in 27 countries and found more than 47,000 security incidents and 621 cases of confirmed data disclosure in 2012. According to DataLossDB, there were 1,622 data breach incidents globally in 2012. Finally, Identity Theft Resource Center documented 470 data breaches in the U.S. 2012.
Collectively, the numbers do not add up. Each of these organizations provides great analysis and insight based on their unique vantage point. While all may be accurate from their vantage point, they do not provide, individually or collectively, ground truth into the number of security incidents and data breaches. Although some progress has been made in the availability of data, we are far away from having the transparency required for risk management.
How do we resolve these discrepancies and find clarity in this fuzzy math? These data points illustrate the need for comprehensive and consistent standards around the notification of security incidents and data breaches. Various initiatives, including the Data Security and Breach Notification Act of 2013, are helping to increase awareness of this need, but have not made sufficient progress. Without comprehensive and consistent standards, the trend we see today where companies share the least amount of information legally required will continue. A study by McAfee and the SAIC reported that only 30 percent of organizations disclose all of their breach incidents. To create a culture of transparency, we need to raise the bar for disclosure and incentivize the right behavior through clear and comprehensive national standards.
To be successful, such a national standard must include clear definitions of breach and security incident, require disclosure of all incidents that impact PII, confidential business information and compromised systems. Notification triggers, time to notify and method of notification would also be addressed in these standards, making the data consistent across geographical lines and providing us with information we can both understand and use to build meaningful and robust risk models.
These models will enable consumers, risk managers, policy makers, cyber insurers and consumers to make more educated decisions on how to manage cyber risk. As cyber risk is priced into purchasing and partnership decisions, organizations will be incentivized to improve their security and become better at notifying the relevant parties of an incident or breach. Transparency and accountability will breed improved security, which will benefit all.