Cyber liability: A catalyst for change

For more than a century, liability, regulation, and legislation have been instrumental forces in improving our safety and security: from health and safety regulations at work, to holding drivers responsible for ensuring that passengers wear their seatbelts.

Regulation and incentivisation act as key drivers for change in any market, whether through legal liability or insurance cover. But while these agents of change have been thoroughly explored to help guarantee our physical safety, the same has so far not been mirrored in our digital security.

Cyberattacks are on the rise

With the number and severity of cyberattacks constantly on the up, questions have arisen around whether the free market alone is competent to mitigate this threat. And these free market 'failings' are frequently being brought into the limelight, with many organisations still falling victim to common and avoidable cyberattacks.

Just last year, for instance, two high profile breaches of TalkTalk and VTech were achieved by exploiting SQL Injection: a common vulnerability which for more than a decade has featured on the industry standard OWASP Top 10 – a ranking for critical web application vulnerabilities that ought to be remediated as a matter of priority. When a company’s lacklustre approach to cybersecurity is exposed after it has been breached through an avoidable attack vector, corporate responsibility must be brought into question.

This is especially true as it is often still clients and consumers who are most gravely impacted by a breach, as they are left to change their details or deal with fraudulent payments. There have already been cases of social engineering attacks since the TalkTalk breach, where scammers equipped with customers’ personal details trick them into handing over their bank details.

The business case for cyber liability

One might expect the business world to be largely resistant to introducing more legislation that might land them with hefty fines or compensation payments. However, recent research carried out by Veracode and the New York Stock Exchange found that nine out of 10 board directors believe regulators ought to hold businesses liable if they don’t make reasonable efforts to secure data.

While this may initially seem counterintuitive, it shows how businesses are desperate for benchmarks and clarity regarding what a reasonable and responsible level of cybersecurity is. The Wyndham Hotels case in the US helps explain this sentiment, since the Federal Trade Commission (FTC) successfully sued the chain for having 'unreasonably and unnecessarily exposed consumers’ personal data to unauthorised access and theft', after three breaches occurred in just two years.

Since the appeals court ruling affirmed the FTC’s authority to hold companies to account when they have failed to adequately secure customer data, American companies know they can be held liable for a breach without constructive criteria explaining when and why.

And accountability is not only an American trend. Following the breach, the British government launched an inquiry into TalkTalk, and the Hong Kong Privacy Commissioner recently also initiated a compliance check to see if the firm had adhered to its data privacy principles.

The insurance catalyst

But while legislation is still a long way off, cyber insurance is proving to be a key driver in setting corporate standards of a responsible level of cybersecurity. The cybersecurity insurance market has grown exponentially over the past year as companies become more fearful of the cost of cybercrime, and it is set to triple to about $7.5 billion in the next five years.

Companies paying into cyber insurance policies want to ensure their cybersecurity processes meet the required level for it to pay out if they are breached. While the primary incentive for most companies buying this insurance is often to offset the financial losses of a breach, the impact it will have on changing corporate approaches to cybersecurity will be far more important for the business community in the long run.

Fire insurance was an essential driver in both creating and enforcing minimum standards for building construction and fire safety procedures, and similarly cyber insurance will help establish a new baseline for cybersecurity best practice.

While government regulations and cyber insurance policies will never be the solution to cybercrime, clearly outlining a reasonable level of cybersecurity will help companies ensure they are doing enough to adequately protect their customer data. While no network is impenetrable, this will be an important step in weeding out avoidable breaches.

The ongoing stream of high profile breaches has shown that we cannot assume that organisations are taking sufficient measures to protect customer data. That’s why we must look to cyber liability and insurance to act as a catalyst in changing norms and promoting better corporate cyber health.

Chris Wysopal, co-founder and CTO at Veracode