By Rob Hegedus, Sera-Brynn CEO
A massive conflagration that changed the course of a great city’s history. A well-known disaster relief franchise firm. A former American president’s pet saying to a peer.
These three unrelated items are all illustrative of trends we at Sera-Brynn foresee in the cybersecurity marketplace.
In the business and nonprofit worlds, cybersecurity is a rapidly evolving industry that requires nimbleness, planning and vision. To help you understand what the cybersecurity marketplace is shaping up to be, we’ve got three illustrations to paint the picture.
Trend #1 – The Great London Fire Prototype
In the early hours of Sunday, Sept. 2, 1666, a small fire broke out at the bakery of Thomas Farynor on Pudding Lane in central London. Fires were quite common in the 17th century, and Londoners had become accustomed to them.
This fire was of a very different nature, however. Within three hours the bakery was fully ablaze and the fire was spreading quickly. It took more than three days to stop the inferno, and by that time more than 13,000 homes had been destroyed along with numerous businesses, churches and historic buildings. The fire was a national catastrophe, claiming an unknown number of lives, leaving an estimated 100,000 people homeless and causing damage estimated at more than $1 billion in today’s terms.
The current cybersecurity environment is similar to the London real estate market prior to September 1666. Building codes were not standardized and were generally unenforced. For example, building with wood and roofing with thatch were prohibited, but these cheap materials continued to be used.
The city also did not have a unified response mechanism in place to counter large conflagrations. Soon after the great fire, London fire brigades were formed by insurance companies. Yes, insurance companies.
Data breaches today are so common they’re almost cliché. We can’t predict whether a similarly “catastrophic” event lies ahead, or whether the current environment means it is already happening, but the similarity in institutional responses is uncanny.
The insurance industry, including the self-insurance market (captives and risk retention groups), is taking notice and assuming a more active role in managing the risk. This is happening through more stringent compliance criteria, standardized policy language and the use of third-party auditors to verify that the security posture the policyholder claims is actually in place.
We absolutely advocate cybersecurity insurance and cyber liability policies as a strategy for transferring cyber risk away from your business or organization. The purpose of this analogy is to show that the insurance industry is getting smarter about the risk, and we expect the underwriting process to become more regulated and more specific. Our advice: Be ready.
Trend # 2 – The Servpro Model
To continue the fire theme: if you experience a small fire or a burst water pipe in your home, your insurance adjuster will most likely recommend an already vetted restoration and remediation company. Servpro is one of those companies.
This model is meant to protect the insurance company from unexpected costs and to give the homeowner a faster resolution. A similar trend is starting to emerge in the cybersecurity landscape.
As part of their more active role in providing cyber liability products, insurance carriers are establishing pre-existing relationships with cybersecurity vendors to provide post-breach incident response and forensics. The economics align with the Servpro model: control costs and provide a quick resolution for the policyholder.
As this trend continues, keep one thing in mind: Whose interests do the insurance carrier’s forensics vendors represent? Although we have yet to hear of any issues with this arrangement, we highly recommend that businesses and organizations build a strong relationship with in-house legal or outside general counsel experienced in data breach response. Engaging the investigator through counsel also helps keep the investigation’s findings within the protection of attorney-client privilege.
Some policies will allow the use of a neutral third party to conduct the post-breach investigation, and the involvement of general counsel will be critical in pursuing that option. In the end, it’s about employing a comprehensive risk management strategy to protect the business or organization. Data breach response is a big part of that.
Trend # 3 – The “Trust But Verify” System
One final trend we’re seeing is in the legal setting: Contract language for the general exchange of goods and services, vendor relationships, partnerships and other business interactions is starting to include a clause granting a “Right to Audit.” Most Fortune 500 firms already employ this language in their legal documents, and we’re seeing it start to trickle down to the mid-market.
This means that while most vendors continue to self-certify that they meet industry standards, best practices and, where applicable, formal security compliance requirements, the trend is toward bringing in certified third-party auditors to verify that those criteria are actually being met.
Self-certification isn’t going away, but there will be more reliance on third-party verification. Already widely accepted within the financial services industry, this approach is supported and promoted by both the legal and insurance communities.
As our 40th president, Ronald Reagan, was fond of saying to his Soviet counterpart, “Doveryai, no proveryai.” Translation: “Trust, but verify.”