Liability can change attitudes to corporate cybersecurity by John Smith

16/01/2016 07:27

Throughout the past century we’ve witnessed how liability, regulation and legislation have been instrumental in improving security and safety. As Britain marks 50 years since the first seatbelt law was introduced this month, we celebrate how driver liability changed norms and saved thousands of lives.


This effect is not limited to personal safety. In any market, the key drivers for change have largely been regulation and incentive, whether through legal liability or insurance cover.


However, these agents of change are still immature in the cybersecurity market, and we’re seeing serious and unnecessary breaches as a result. This was highlighted last year by GCHQ director Robert Hannigan’s astute reflection that the free market is failing cybersecurity.


With 90% of large organisations reporting that they suffered a breach in 2015, and with a plethora of high-profile breaches splashed across our headlines, it is clear that corporate cybersecurity standards are not yet where they need to be.


While it is clear that no network is impenetrable, high-profile breaches constantly demonstrate the rather lacklustre approach that many companies take to mitigating well-known threats. For example, both TalkTalk and VTech were breached using attack vectors which the companies could and should have mitigated.


Both breaches were achieved by exploiting SQL injection: a common application vulnerability which for over a decade has been listed on the industry-standard OWASP Top 10. When breaches are achieved with well-known and avoidable methods, as in the aforementioned cases, important questions arise regarding accountability.
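To make concrete why SQL injection counts as an avoidable flaw, the following is an added example (not code from the article, and not from either breach): a login and a profile lookup written with string concatenation, beside the parameterised versions that close the hole. The table, the credentials and the two payloads are constructed for illustration; the passwords are stored in plaintext only to keep the example short, and a real system would store password hashes.

```python
"""
Added example: SQL injection in a concatenated query beside the
parameterised fix. Schema, accounts and payloads are constructed for
this illustration and are not taken from any real incident.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table.

    Plaintext passwords are used only to keep the example short; a real
    application stores salted password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "alice@example.com"),
         ("bob", "hunter2", "bob@example.com")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, so user input becomes SQL."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends values separately from the SQL text."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def dump_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Profile lookup by concatenation; a UNION payload pulls out other rows."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def dump_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup, parameterised: the payload is matched literally and finds nothing."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


# Classic authentication-bypass payload (constructed): turns the WHERE clause
# into  username = 'alice' AND password = '' OR '1'='1'  which is always true.
BYPASS = "' OR '1'='1"

# Extraction payload (constructed): closes the string, appends a UNION that
# selects every password, and comments out the trailing quote with --.
EXFIL = "' UNION SELECT password FROM users --"


def demo() -> dict:
    """Run each payload against the vulnerable and the parameterised code path."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, "alice", BYPASS),   # True
        "safe_bypass": login_safe(conn, "alice", BYPASS),         # False
        "vuln_exfil": dump_vulnerable(conn, EXFIL),               # both passwords
        "safe_exfil": dump_safe(conn, EXFIL),                     # []
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is a one-line change per query, which is the article's point: the vulnerable and safe functions differ only in whether the user-supplied value is spliced into the SQL text or passed as a bound parameter. Input filtering is not a substitute; parameterised statements (or an ORM that uses them) are the mitigation that OWASP has recommended for as long as injection has been on its list.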


Support from all sides

While it may sound counterintuitive, cyber-liability is well supported by the business community. A recent survey that Veracode carried out with the New York Stock Exchange found that nine out of ten board directors think regulators should hold businesses to account if they don't make reasonable efforts to secure data.


Yet, alongside this support for greater corporate liability for breaches, businesses are also desperate for cybersecurity benchmarks and clarity on what a reasonable and responsible level of security is. Such concerns have been stoked by recent cases where companies were found to have fallen below a benchmark that has yet to be defined.


The case of Wyndham Hotels in the US highlighted the need for clarification on corporate accountability for breaches in 2015, when the Federal Trade Commission (FTC) successfully sued the company for having "unreasonably and unnecessarily exposed consumers' personal data to unauthorised access and theft", after three breaches in two years.


The appeals court ruling affirmed the FTC's authority to hold companies to account for failing to securely store customer data. Yet the measure of a sufficient security level remains largely undefined, with little clarity over the circumstances in which a company may be held liable for a breach.


Cyber-insurance setting secure foundations

While legislation may still be too far off to drive any immediate cultural change, cyber-insurance will play an important role in setting benchmarks across the industry. Cyber-insurance is growing in popularity as companies endeavour to mitigate the financial losses associated with a breach, and the market is expected to triple to $7.5 billion within five years.


Beyond mitigating financial losses following a breach, cyber-insurance policies will play a significant role in changing corporate attitudes to cybersecurity. Companies paying into cyber-insurance will need to ensure that their cybersecurity programmes meet the standards required by their policy for it to pay out after a breach.


Just as holding drivers liable for not using seatbelts positively changed norms around unsafe behaviour, so cyber-liability has the potential to change a culture of companies taking risks with their customers' data.


If an insurance policy or legislation clearly sets out what constitutes a reasonable level of cybersecurity, companies will be motivated to fully address the cybersecurity basics and ultimately reduce avoidable breaches.


We've seen from past physical-safety cases that regulation and liability can successfully encourage safer behaviour. Now it's time to hold organisations to account over preventable cyber-attacks to encourage similarly secure cyber-behaviour.