Private-sector organizations are increasingly subject to attacks of greater sophistication and persistence. The consequences of attacks are also becoming increasingly damaging; a digitally transformed business has more digital assets at risk. One increasingly difficult question confronting policy-makers is how much risk should be borne by the public sector vs. the private sector. Put differently: what is the reasonable duty of care that an organization should have? When does the public sector’s obligation begin?
- The greater the duty of care an organization in the private sector needs to have, the more risk it needs to manage through investing in security technology, expertise, insurance (when possible) or adequate provisions (e.g. self-insurance). Given the increasing importance of insurance in managing risk, defining an organization’s duty of care has consequences for cyber-risk bearing and the development of the adjacent insurance industry.
- A greater duty of care also has associated costs and, at some point, the incremental cost of additional security will fundamentally pervert an organization’s business model. On the other hand, a more limited duty of care also has associated costs, potentially resulting in negligence that can be externalized.
No matter the duty of care an organization is expected to have, inevitably an attack will occur whose novelty and sophistication exceed established security controls, resulting in damages beyond the organization’s prepared incident response abilities. Another key question is: what entity (if any) will bear the resultant residual damages occurring as a result of a successful intrusion?
- If those damages are borne by the targeted organizations, then the de facto impact will be to prompt that organization to review whether the resilience capabilities it has invested in are sufficient and, after quantifying its risk appetite, evaluate whether increased investment would be justified by diminished risks and costs.
- Alternatively, if those damages are borne by the public sector, downward pressure may be put on the resilience and robustness capabilities an organization develops. In practice, the fact that damages are being borne by the public sector does not necessarily imply that it will compensate those impacted by a successful incident, but it may establish some minimum guarantee of protection to ensure trust (e.g. deposit insurance in the financial sector).
An important ancillary consideration is that no matter what duty is established, responsibility for assuring a predetermined level of robustness and resilience should be borne by the same entity. For example, for a given attack, if a business is wholly responsible for robustness and the public sector wholly responsible for resilience, then a business will be under-incentivized to invest in robustness. After all, it does not have to “clean up” the damage from an attack. Similarly, if an attack triggers the public sector’s responsibility for robustness, the public sector should also be responsible for resilience (rather than distributing damages to businesses and their customers). Put simply, the entity empowered to act against a particular cyberattack should internalize the costs of its failure to thwart an attack.
Policy model: Liability thresholds
Key values trade-offs created by liability threshold policy choices
Case study: Publicly provided flood insurance
One analogue to separating robustness and resilience capabilities in cybersecurity is publicly subsidized flood insurance. In the United States, the government has extended subsidized insurance to homeowners in flood-prone areas. Insurance is subsidized with the decidedly benevolent aim of helping people recover from floods more quickly. However, one unintended consequence of that provision is that people are less incentivized to live outside of flood zones. After all, the costs of flooding are externalized from private individuals to the collective public. Consequently, damages caused by floods are higher than they would otherwise be.
Connecting policy to values
The core value most affected by the articulation of a duty of care is security:
- The greater the duty of care is expected of an organization, the more that organization will invest in both resilience and robustness capabilities. Furthermore, the assumption of residual damages from successful cyberattacks may drive improvements in security as organizations invest in measures to minimize those residual damages.
- To the extent that the duty of care expected of organizations results in diminished cyber-incident damages, it will also be economically beneficial. The benefits of a greater duty of care should become more apparent over longer periods of time as organizations work with insurers to develop a better understanding of how to manage a portfolio of cyber-risks through a combination of security controls and financial instruments.