NetDiligence Cyber Risk Summit: What is Reasonable Cyber Security?

The panel provided an overview of the risk-based analysis process that substantiates the method and presented the legal, regulatory, and security best-practice history that informs it. Each participant explained why the method successfully substantiates the term “reasonable” in their work and offered anecdotes illustrating how it has been used in their experience. The panel described a practical method that organizations can use to define how the term “reasonable” applies to them, so all attendees received an immediately applicable and tangible benefit from the session.

HALOCK partner, Chris Cronin, participated in the panel discussing reasonable security. The webinar provides a full perspective from legal, security, insurance, and regulatory views. The recording is now available at the NetDiligence website.

TOPICS:

  • Terms and Definitions
  • Various Standards of Reasonableness and Duty of Care
  • Risk-Based Analysis and Best Practices
  • Communicating to and Working with the Policyholder

PANELISTS:

  • Andrew Maher (M), AXIS
  • Chris Cronin, HALOCK Security Labs
  • Doug Meal, Orrick LLP
  • Timothy Murphy, Office of Attorney General for the Commonwealth of Pennsylvania

A few key slides from the webinar:

Demonstrate reasonable security through risk engineering/risk-based approach to reduce liability costs.

  • Duty of Care Reasonable Security
  • Reasonable Security Consensus
  • Reasonable Security Risk Modeling

View the recording.

A few key Q&As from the webinar:

Are there any risk frameworks which quantify risk in the way you’re describing?

CIS RAM by the Center for Internet Security provides explicit instructions for how to do risk analysis to demonstrate balance and reasonableness. ISO 27005 and NIST 800-30 imply or state that risk analysis should consider risk to self, interested parties, and mission (what courts may think of as “utility”).

Various carriers offer complementary risk engineering services, but insureds rarely use the opportunity. If carriers make their terms subject to it, there is pushback saying that other markets are not requiring it. Do you think that carriers as a whole should push harder on requiring risk engineering to be completed?

Yes! As an information security practitioner I see regulators and customers respond very well when they see a focused effort on risk reduction over time. The NetDiligence report shows the majority of claims payouts going to liabilities. One of the things I love about insurance is that when it manages risk, everyone wins.

Does PA recognize CIS controls for assessment?

Yes, PA listed CIS controls by name in a recent settlement along with other industry-appropriate control standards such as NIST and ISO 27001.

Are there cases I can review to better understand Reasonable security?

Pennsylvania’s settlement with Orbitz and Expedia: https://www.attorneygeneral.gov/wp-content/uploads/2019/12/19-12-12-Orbitz-AVC-EFILING.pdf

I am in Medical Technology Cybersecurity. We follow NIST and CIS Controls within the hospital’s risk appetite and budget. Less funds available due to COVID-19 and reduced revenue.

It would be highly questionable whether “less funds available” would be considered a valid reason for not employing data security measures that would otherwise be considered “reasonable” under industry standards, applicable statutes/regulations, or cost-benefit analysis.

Additionally from Chris:

If you use CIS Controls, then also look at CIS RAM, the risk assessment method. It shows you how to do this risk analysis.

SOURCE: NetDiligence® Cyber Risk Summit