High-profile data breaches such as the recent successful cyber attack on Sony Pictures are reminders that cyber risks are rapidly expanding and evolving in today’s society. Proper analysis of these risks is critical for managing them effectively. That was also a key takeaway from the discussion of cyber threats that brought together actuaries and U.S. federal government officials at the Centennial Meeting of the Casualty Actuarial Society (CAS) in New York last month in a special session, “A Risk Like No Other.”
Greg Touhill, deputy assistant secretary for Cybersecurity Operations and Programs, U.S. Department of Homeland Security (DHS), discussed his focus on the development and implementation of operational programs designed to protect U.S. government networks and critical infrastructure systems. He gave examples of resources the government provides that enterprises in the private sector can use to improve their cybersecurity posture.
According to General Touhill, “Cybersecurity is a risk management issue. It should not be considered something just for the folks in the server room. Rather, it needs to be on the agenda in every board room, and part of the conversation in family rooms, lunch rooms, and class rooms. Our society’s reliance on cyber capabilities magnifies the need to look at cybersecurity as part of everyone’s overall risk management program.”
During the discussion, General Touhill described some specific elements of the DHS work in combating cyber threats. He also called the attention of the approximately 450 session attendees to the Framework for Improving Critical Infrastructure Cybersecurity that was introduced by the National Institute of Standards and Technology (NIST) this year.
Leo Taddeo, the head of the New York Cyber and Special Operations Division of the Federal Bureau of Investigation (FBI), provided a real-life example of a harmful malware tool that could be used for commercial criminal activity and violations of individual privacy. The FBI, working with other law enforcement organizations in the U.S. and abroad, conducted a successful investigation that resulted in indictments and arrests of the creators, distributors, and some users of the malware tool. Taddeo described some of the advantages of working with the FBI for companies that may have suffered a data breach.
Alex Krutov, a Fellow of the CAS and president of Navigation Advisors, addressed the topic of quantifying cyber risk, specifically in the context of cyber insurance pricing and enterprise risk management. According to Krutov, “In actuarial analysis of cyber risk, its quantitative modeling, qualitative assessment, and the development of appropriate corporate risk governance, we have to take into account the effect of government actions, industry initiatives, and public–private partnerships on the level and nature of cyber threats and their financial consequences.”
The session was sponsored by the CAS Task Force on Cyber Risk, which Krutov chairs. The Task Force’s primary goals are advancing research in cyber risk and providing related educational opportunities. Actuarial expertise is of great value in developing a solid analytical framework and properly quantifying the financial and other consequences of cyber attacks and failures. The unscientific methods often used to analyze cyber risk can lead to mistakes and inefficiencies in risk management, and can leave an organization’s cyber risk exposure much greater than anticipated.
The views expressed at the session and the continuing developments in the cyber threat landscape further validate the multidisciplinary method chosen by the CAS Cyber Risk Task Force. “We see the multidisciplinary approach as essential to gaining a more comprehensive and accurate view of cyber risk,” says Krutov. “It is necessary to bring together experts in actuarial science, information security and IT, big data analytics, law and other fields. The silo approach does not work.” Krutov emphasizes the inclusive nature of the Task Force: Other professionals are welcome to participate in this joint effort to advance research and education in the area of rapidly evolving and escalating cyber risk.