Cyber Resilience
Liability thresholds

Policy model

Private-sector organizations are increasingly subject to attacks of greater sophistication and persistence. The consequences of attacks are also becoming increasingly damaging; a digitally transformed business has more digital assets at risk. One increasingly difficult question confronting policy-makers is how much risk should be borne by the public sector vs. the private sector. Put differently: what is the reasonable duty of care that an organization should have, and at what point does the public sector's obligation begin?

• The greater the duty of care an organization in the private sector needs to have, the more risk it needs to manage through investing in security technology, expertise, insurance (when possible) or adequate provisions (e.g. self-insurance). Given the increasing importance of insurance in managing risk, defining an organization's duty of care has consequences for cyber-risk bearing and the development of the adjacent insurance industry.
• A greater duty of care also has associated costs and, at some point, the incremental cost of additional security will fundamentally pervert an organization's business model. On the other hand, a more limited duty of care also has associated costs, potentially resulting in negligence that can be externalized.

No matter the duty of care an organization is expected to have, inevitably an attack will occur whose novelty and sophistication exceed established security controls, resulting in damages beyond the organization's prepared incident response abilities. Another key question is: what entity (if any) will bear the residual damages that result from a successful intrusion?

• If those damages are borne by the targeted organization, then the de facto impact will be to prompt that organization to review whether the resilience capabilities it has invested in are sufficient and, after quantifying its risk appetite, evaluate whether increased investment would be justified by diminished risks and costs.
• Alternatively, if those damages are borne by the public sector, downward pressure may be put on the resilience and robustness capabilities an organization develops. In practice, the fact that damages are being borne by the public sector does not necessarily imply that it will compensate those impacted by a successful incident, but it may establish some minimum guarantee of protection to ensure trust (e.g. deposit insurance in the financial sector).

An important ancillary consideration is that no matter what duty is established, responsibility for assuring a predetermined level of robustness and resilience should be borne by the same entity. For example, for a given attack, if a business is wholly responsible for robustness and the public sector wholly responsible for resilience, then the business will be under-incentivized to invest in robustness. After all, it does not have to "clean up" the damage from an attack. Similarly, if an attack triggers the public sector's responsibility for robustness, the public sector should also be responsible for resilience (rather than distributing damages to businesses and their customers). Put simply, the entity empowered to act against a particular cyberattack should internalize the costs of its failure to thwart that attack.

Figure: Policy model: Liability thresholds

Figure: Key values trade-offs created by liability threshold policy choices

Case study: Publicly provided flood insurance

One analogue to separating robustness and resilience capabilities in cybersecurity is publicly subsidized flood insurance. In the United States, the government has extended subsidized insurance to homeowners in flood-prone areas. Insurance is subsidized with the decidedly benevolent aim of helping people recover from floods more quickly. However, one unintended consequence of that provision is that people are less incentivized to live outside of flood zones. After all, the costs of flooding are externalized from private individuals to the collective public. Consequently, damages caused by floods are higher than they would otherwise be.

Connecting policy to values

The core value most affected by the articulation of a duty of care is security:

• The greater the duty of care expected of an organization, the more that organization will invest in both resilience and robustness capabilities. Furthermore, the assumption of residual damages from successful cyberattacks may drive improvements in security as organizations invest in measures to minimize those residual damages.
• To the extent the duty of care expected of organizations results in diminished cyberincident damages, it will also be economically beneficial. The benefits of a greater duty of care should become more apparent over longer periods of time as organizations work with insurers to develop a better understanding of how to manage a portfolio of cyber-risks through a combination of security controls and financial instruments.