The Coming Financial Insurance Infosec Polar Vortex Storm Cloud

Twitter (NYSE: TWTR) is such an amazing tool for communicating and sharing ideas.   @Wh1t3Rabbit   @_sw17ch and I had some discussions regarding a topic that I have been discussing with @chriscarpinello for some time.  The great topic of Cyberinsurance!  The most recent article to kick off a lively discussion was published by ZDNet: Police can’t stop cybercriminals, but maybe insurers can.  Which led to some great commentary by @_sw17ch at Misguided Security and @DIFR_Janitor at CyberGuardians had some great commentary about the content of the article and where it’s going.

The general consensus from the infosec crowd is that this is going the wrong way if government is powerless to fight cybercrime, but insurers (part of the financial industry) can. This is absolutely no surprise to me at all. @alessiorastani told us this fact in 2011 when he went on BBC and said “Governments don’t rule the world. Goldman Sachs rules the world.”

Now that we know who is really in charge that should tell everyone to put down the Metasploit, and become Bankers.

I have been saying for a long time that the future of Infosec is in insurance. There have been many events in the past year where large companies experience an incident and the brunt of the impact is taken away by insurance. If JPMorgan (NYSE: JPM) can’t stop bad things from happening with 1000 people and an operating budget of $250M, what chance does a small business have?

@schunk says it well here

That is a great point as @scmunk goes on to say insurance has been around longer so people understand it more. How many people have elderly relatives who don’t know how to operate the DVR (or VCR when they had one)? For infosec professionals this stuff is very simple, but we all have to consider that we are from different backgrounds. We are the DVR stuck on repeat while the people around us are more concerned with how to operate the remote than watch what’s on the screen! This is a lot like patent law. The obviousness test is dependent on who is looking at the subject.

At the end of the day everybody’s job is help their business remain profitable. That goes for commercial and not-for-profit entities. The first objective everyone should have is to defend the balance sheet and income statement. When Something Bad Happens (TM), insurance is a tool that can help you with with your defense.

Let’s look at an incident, and it doesn’t matter if it’s a lawsuit for food poisoning, a factory burning down, or a group of APT Hackers. This is just like day trading stock. You don’t need to know what the company does, its financial situation, or its outlook for the future. There is some set of information that lets you move on to the next step without consideration for what else is happening.

You have some probability that something will happen and the cost of when it does. Sound anything like your CISSP exam? Let’s focus on the cost. When something breaks you have to pay to fix it. This adds to your Operating Expenses on the Income Statement, resulting in lower Earnings Before Interest and Taxes (EBIT).  Insurance covers your out of pocket expenses and restores those assets. Yes, but it doesn’t replace lost revenue you say? It can if you buy the right product. You can get additions to your business continuity policy that not only replace your factory, but also will pay you revenue based on your last quarter’s earnings until your factory is rebuilt.  It’s like the Servco slogan, as if it never happened.

If we take a high level view of All The Bad Things That Could Happen(TM), management will first be concerned with what happens to the Income Statement and Balance Sheet. There will be lots of insurance policies for different events in place. Do we need to get caught up in the details of the probability of a forest fire this year or the odds of “Peggy” having a side job at USA Prime Credit stealing your data? Not really. Someone else is going to pay. All you need to do is make sure all of the policies cover every possible scenario. Then you can go spend money on those fancy Palo Alto (NYSE: PANW) NGFWs and some FireEye (NASDAQ: FEYE) to keep “Peggy” out.

That’s assuming that you ever get to spend money on….those wonderful toys. Remember how we discussed EBIT earlier? There’s another reason that is important. Most companies have debt. One thing that is important to the investors is the Debt-to-EBITDA (Earnings Before Interest Taxes Depreciation and Amortization) ratio.  In simple terms this is expressed as your debt divided by the sum of the last four quarters EBITDA, evaluated on a quarterly basis. The desired ratio varies but usually anything over 4 is bad. In some cases if your Debt/EBITDA ratio exceeds a certain number you are considered in default which is bad. Even though everything at the company appears normal, your investors will consider exceeding the ratio spelled out in the Covenants the same as skipping out on the loan entirely.  The entire balance comes due at once, credit ratings drop because you skipped out on the loan and continue not to pay the full balance, the CFO gets fired for letting it happen, and people get laid off. The other complication with Covenants is that your investors can dictate what you spend your money on by limiting your CapEx and OpEx expenditures. They may not see the value in those Palo Alto firewalls or something to keep Peggy in line. If you thought arguing your case with the C-Suite was hard, just try talking to some investors representatives that are interested in making sure you keep your Debt/EBITDA low by controlling CapEx and OpEx, so they have assurance you’ll have enough money to keep paying them back. Their only risk is credit risk and you answer to them first. Your operational risks are not their concern. Besides, they bought insurance on the loans in case you go out of business so they can get their loan principal back.

Now let’s look at the effect on EBIT.  If you spend $250M on security equipment and 1000 people, you could still have a cyberincident which means you’re paying out in investigative fees, regulatory penalties, notification letters, etc.  Spending that $250M increased your operating expenses, thereby reducing your EBIT, potentially getting you into trouble with your investors.  Now you have an incident, which drives up expenses even more, reducing your EBIT, which gets you into trouble with your investors. What we learned from the JPM breach is that even if you spend that kind of money, something will happen eventually, whether it’s Peggy or a forest fire. If you’re really short on cash, buy breach notification insurance. Having that can make or break o small business or non-profit.  Buy a mid-size insurance policy for more protection. You might be like Target and have most of your cyber incident covered. Buy a huge policy that covers everything including replacement of revenue and it will be as if it never happened. Then you can balance the CapEx cost of security equipment and the OpEx cost of people to operate that equipment vs. any savings in insurance premium you get for having a security program. Juggling this is all can do if you’re a small business. Even if you’re a large business it might pay off to cut your security expenditures a bit and increase your insurance coverage.

Where do we take it from here? If you read into what I have written there are many learning and career opportunities here that will add to your marketability or you may decided, as I have, to move on to something other than technology based infosec. Here are some quick takeaways.

Learn to speak the language of the CFO and their team. My Finance I professor said, personal finance and corporate finance are exactly the same. The only difference is the number of 0’s. You can put the same concepts to use in your personal life in addition to work.

Take a free online course in Management Accounting. That’s not Quickbooks. It’s using accounting information and relating it to business decisions. If Bob sells a burger meal for $10 and his cost is $9, and he needs to sell 300 meals a day should he run a 5% off coupon? No because if he has trouble selling 300 meals, he’s going have even bigger problems selling 600 to make the same money for a measly .50 off. Think of how demanding discounts from your suppliers or purchasing alternative equipment affects the financial outcome of what you do (EBIT). Your CFO will thank you.

Take some free courses in LEAN or go for a LEAN Six-Sigma Black Belt. If you have Covenants that restrict your spending, the best way to remedy that is to help cut costs, reengineer processes, eliminate waste.  Convince your CFO to let your department keep a portion of the savings you “find” (in other people’s departments of course).  At the very least improving EBIT reduces your credit risk, and improves the company’s general survival rate.  At best you end up with more budget. In all cases, if you’re known as “the cutter” to the finance department, you’re not likely to end up on the layoff list when things do go south.

Talk to your corporate Treasurer. Treasury manages daily cash flows. When Bad Things Happen(TM) Treasury has compensate for expenses such as those PCI auditors who are going to give you a beating. Treasury also usually handles all of the company’s insurance policies since that protects the cash they manage from Bad Things (TM).  That Management Accounting class you took will come in handy when both of you sit down and play with the variables on the insurance company’s questionnaire. Do we buy that control? How much of a premium discount do we get? Nope, we spend more on the control than we get back on the premium.

Consider taking your state’s insurance licensing exam. In my state Errors & Omissions (aka E&O or Professional Liability) is covered by the Property & Casualty License. Cyberinsurance, business continuity, and injury should be part of this license. If you’re at a small or medium sized company more than likely you’ll be the only one who knows this topic inside and out. Your Compliance Department’s Conflict of Interest (COI) policy might prohibit you from selling to your company, but you will get experience with the language by selling to other companies as a side hustle. You’ll be an asset by learning to read the fine print and pointing out where your agent/broker left loopholes in the coverage. If you take on the insurance role at your company, guess what? You’re now performing a Treasury role and you’re a Financial Professional! After a few years of handling insurance you can take the Certified Treasury Professional exam. How many people have a CISSP, CTP, and an insurance license? That’s exclusivity you can charge extra for! There are also a lot of great nonprofits out there that could use an insurance agent/broker who will give up a little in commission to help them get a good deal on a policy.

Talk to Compliance and Legal to find the minimum spend on regulatory and legislative matters so your organization doesn’t appear negligent. Assisting with the paralegal research will help you understand all the different regulations, the associated penalties, and the highlights of cases such as FTC v. EVERYBODY. This builds on your Management Accounting class. Work with Treasury to come up with a properly sized policy for regulatory fines (yes there is a policy specifically for that), and balancing the outcome to arrive at EBIT your CFO will appreciate.  Who knows, after hanging out with Compliance for a while you might pick up an interest in what we do outside of infosec, such as Anti-Bribery Anti-Corruption (ABAC), Child Labor, Ethics, Sustainability, and Conflict Minerals. Truth be told, those things are why I switched to Compliance because they mess up our world and who we are more than Peggy ever could.  You can find more about becoming a Compliance & Ethics Professional here.

Keep an open mind in your journey. As we learned early in our technical careers, you use the right tool for the job. We also learned when we were young, when you have a hammer everything looks like a nail. Information Security doesn’t have to be accomplished with IT Security because Peggy is using a computer to hack you. We can use many different skills and resources to make it as if Peggy never happened.

Correlation Between Hackers and Target Stock Performance

Every retail CEO is blaming the weather for the poor sales.  We all know that Target (NYSE:TGT) had a bad holiday because of hackers and not the weather, right?  Well now Wal-Mart (NYSE:WMT) blew up their numbers and they’re saying it was the weather too.  How is this possible?  Obviously the hackers must have scared everyone away from Wal-Mart as well.  There is absolutely no way it could be the Polar Vortex, right?

What if there is some connection between hackers and the weather?  If we look at recent happenings in San Francisco, we can see that the street signs have been hacked saying San Francisco is closed because it’s too damn hot.  It is obvious that hackers like cold weather. We should have seen this before since they invaded Target through a HVAC company. This is all the proof we need to know that the hackers were behind the poor earnings at Target because they made off with the credit card numbers and created the Polar Vortex.   This blows up our previous study of data because we weren’t counting on hackers being able to control the weather.

We have absolutely tied hackers to the destruction of the entire retail sector.  If hackers aren’t behind the Polar Vortex and poor retail performance then there is only one other possibility.

Aliens-Meme

Target Data Breach Not A Disaster

Everybody loves a good hacking because it spells doom for the target in question.  In this case the target in question is Target.  We’re going to delve into the financials and see that once again a hacking is no big deal.

First we will compare Target (NYSE:TGT) (green line) to the SPDR Retail Sector ETF (NYSE:XRT) (blue line) so we can see the huge divergence between the retail sector as a whole and how poorly TGT has done since the hack.  The first thing we notice is that TGT has under performed the bucket of other stocks that make up the retail sector.  When picking single stocks vs. a broad ETF that is bound to happen.  Next we notice that the ups and downs are about the same.  This tells us that there’s no major comparative difference to the stock price during the time period when the breach was announced in September.

2014-03-26-XRT-TGT-COMPARISON-PROPHET

Next we’ll take a look at TGT during the December shopping season.  Everyone in the infosec community jumped on the bandwagon that their sales were off because of the breach.  Just look at that drop!  It was obviously caused by the hackers, right?

2014-03-26-TGT-TOS_CHARTS

Wal-Mart (NYSE:WMT) must have the same problem if we look at December – January.

2014-03-26-WMT-TOS_CHARTS

When we dig into XRT for the same time period we see an almost identical wave pattern.   What this suggests is that everybody in retail had a rough winter, not just TGT.

2014-03-26-XRT-TOS_CHARTS

The weather is why the entire retail sector is down.  Well, every sector is down because of the weather.  That’s the trendy thing that CEOs are blaming the bad Q4 and Q1 results on.  Unless the hackers have a bot net that can control the weather we can attribute TGT and everyone else’s ills to the Polar Vortex.

The other thing that we need to consider that huge gap up when TGT announced earnings.  That’s a 7% move in a single day.  They posted 81 cents per share profit vs. 79 cents consensus.  Revenue came in at $21.5B vs. consensus of $21.45B.  In other words, Wall St. already accounted for the potential downside and priced it in.    The impact was rather minor considering that they had incurred $61M in expenses but were covered by a $44M insurance policy for a net loss due to the breach of $17M.  Yes, the impact is minor.  We can tell this since the IV% in TGT is currently 25% while the IV% of XRT is 51%.  There is a lot more concern over downside in the retail sector as a whole than there is in TGT.

Will consumer behavior change as a result of incidents like this?  Unlikely.  TGT made a brilliant move by having the We’re Sorry Save 10% This Saturday Sale the week of the breach.  Many savvy consumers went shopping, your Dearest Leader included.  Who can say no to a 10% off sale?  Everyone I know walked away with a deal and no stolen numbers.  Taking a gamble to get a deal is what you have to do.  You have to buy in before they do.  You have to buy the dip.

The thing security professionals and the writers at all the trade publications need to understand about consumer behavior is a sale is something that everyone in a bad economy will chase after.  Most people have more than one credit card.  They can always use a different card until a replacement arrives if the numbers are compromised. Consumers are not legally responsible for the bill if fraud does occur.  That makes it the bank’s problem, and most people don’t care about the banks since that mess some of them caused with the housing market.   What exactly is the tragedy that all of the industry publications are writing about?  Either way the breach is the least of the bank’s worries, especially if your name is Citi.

Once again we have another data breach that causes a company to beat EPS, while life for everyone goes on.  There is some economic impact, but it’s spread among insurance companies, card processors, issuing banks and retailers.  The risk is shared among the sellers and the buyers have no risk at all.  Everyone on Wall St. knows that these kind of incidents are nothing compared to disasters such as the Polar Vortex or a large oil spill in the Gulf of Mexico.  Until the magnitude gets to be that large these events will be a nuisance rather than a disaster.

Where Does EMC Go After NSA Revelations

EMC seems to have quite a problem on its hands now that rumors have circulated that their RSA division has been accepting payoff from the NSA.  We have seen shareholder lawsuits against IBM for not disclosing business risks involved with losing business internationally as a result of working with the NSA.  Related risks for EMC include failure to disclose NSA involvement to shareholders in their regular SEC filings, loss of business internationally and domestically from the customer backlash, and regular reaming from the security community at conferences and other venues.

The weekly chart of EMC shows support/resistance below 26.  A play in the direction of the break down/out could be available.   This is a wait and see trade where we need confirmation before entering.

2013-12-24-EMC-TOS_CHARTS

TGT Loses Payment Card Info Resulting In A Dip

After the breaking news over at KrebsOnSecurity that Target (NYSE:TGT) has been impacted by a payment card breach it is time once again to look for a dip to buy.  The low point at approximately $61 matches up with some decent support and resistance levels from 1Q13.  TGT is riskier than other sectors due to the retail environment at this time of year.  Any attempt to buy the dip should be done close to $61 with a very tight stop.  Any general bad news from the retail sector could blow this trade up.  Low trading volumes from the financial industry taking vacation could also cause large price swings in either direction. Short Put Verticals are not the best for this, though an ATM Long Call Vertical will give about 50/50 odds over the next week.

2013-12-20-TGT-TOS_CHARTS

 

Update: We decided to go with a weekly 62/63 Long Call Vertical.  Closing out one day before expiration gets about a net 18.00 per contract.

Emoji May Be The Language Of The Future In Business

Business Insider is covering the use of Emoji in communication.  This is something that is sure to outrage Grammar Nazis and those who are proper language traditionalists. Rather than panic and wonder how the youth are going to make it, we should step back and think outside the box. We already have situations in business where proper English is not spoken. Go into any warehouse or assembly line staffed by immigrants and you will find less than perfect written and spoken English. Chinglish is also a term applied to products that have had poorly written translation software applied to make the translation from Mandarin to English. The translation may not be perfect, but we understand what the general meaning is.

A well known SciFi writer has created a world in the future where English and Mandarin are the official languages of the human race. What if that isn’t the case? What if a new abbreviated language such as the one teenagers use for texting is the unified language of the world? What if we become like the Ancient Egyptians and move to a hieroglyphic language to be all inclusive? This is where emoji may fit in. The old view of business is dying out as the Baby Boomers retire from the workforce. There are many VP’s today who don’t perform drug testing because it’s outdated and it takes away from the bottom line. There are also many people in GenX and GenY who will hire subject matter experts, no matter what their fluency in English is. If we can communicate in the made up language of Chinglish, why not communicate using other ways? The only thing holding us back is an outdated mentality of thinking something has to be done a certain way, rather than something has to be done.

 

Refusing To Hire Black Hats May Be Risky And Costly

The topic of hiring reformed Black Hats continues to be a matter of debate.  Some believe that ‘You’re shooting yourself in the foot if you’re not willing to hire a hacker’ while others believe such an idea is preposterous because it is not possible to reform any person who has been convicted.  Others may believe it simply doesn’t look good to hire convicted felons and dismiss the thought.  Unfortunately it isn’t possible to do that in the US and the continuing attitude toward convicted felons must change.

On April 25, 2012 the Equal Employment Opportunity Commission (EEOC) released new enforcement guidance regarding the Consideration of Arrest and Conviction Records In Employment Decisions.  In summary the enforcement guidance prohibits blanket policies that prohibit hiring convicted felons.    Security professionals should speak to HR, Legal, and other stakeholders to determine the proper processes for applicants.  If two candidates with similar qualifications apply, an employer can not simply choose to not hire the felon.

Employers must now take a variety of factors into consideration such as age at time of conviction, employment history, number of offenses for which there is a conviction, rehabilitation efforts, and other criteria.  This creates a layer of complexity in screening applicants. Businesses are starting to reconsider the importance, and more importantly, the liability associated with pre-employment background screening.  Risk averse organizations may choose to forego criminal background screening since one defense against a discrimination claim is that the applicant’s background was never checked.  The risk of an applicant alleging discrimination is also why many legal and compliance professionals recommend against social media reviews.  If you do not know an applicant’s religious or other affiliation, it is easier to defend against a discrimination claim.

One aspect to consider is whether or not the candidate is a good fit for the organization.  Personality and demonstrable skills are becoming more important than degrees and other factors.  Should we consider arrest and conviction history among those other factors?  Security professionals are conditioned to believe that everyone must be squeaky clean.  In terms of stakeholder management this attitude does not always bring shareholder value and may be at odds with the strategic direction of the business.

The organization’s Corporate Social Responsibility (CSR) policy or Compliance & Ethics Program may require that the organization hire convicted felons as a means of helping them rejoin society.  Such policies can also help reduce recidivism.  The CFO may also become involved in the discussion as well.  The US Department Of Labor  Work Opportunity Tax Credit can save the company $1600-$9600 depending on the employee hired.  Maximizing tax efficiency is one thing that finance and accounting professionals do.  There can be a financial case for hiring convicted felons, especially in the information security discipline.

The topic of hiring reformed Black Hats is controversial, but when the complex legal requirements are considered the possibility of government sanctions make the idea of hiring Black Hats worth considering.  Information Security professionals can take part in the strategic direction of an organization by working with HR, Compliance & Ethics, and Finance to enhance the organization’s overall goals.  We have attempted to end discrimination based on a person’s skin color.  The color of the hat they wear is something we should also add to the list.

“It doesn’t matter whether it’s a white cat or a black, I think; a cat that catches mice is a good cat.” — Comrade Deng Xiaoping