The Coming Financial Insurance Infosec Polar Vortex Storm Cloud

Twitter (NYSE: TWTR) is such an amazing tool for communicating and sharing ideas. @Wh1t3Rabbit, @_sw17ch and I had some discussions regarding a topic that I have been discussing with @chriscarpinello for some time. The great topic of Cyberinsurance! The most recent article to kick off a lively discussion was published by ZDNet: Police can’t stop cybercriminals, but maybe insurers can. That led to some great commentary by @_sw17ch at Misguided Security and @DIFR_Janitor at CyberGuardians about the content of the article and where it’s going.

The general consensus from the infosec crowd is that this is going the wrong way if government is powerless to fight cybercrime, but insurers (part of the financial industry) can. This is absolutely no surprise to me at all. @alessiorastani told us this fact in 2011 when he went on BBC and said “Governments don’t rule the world. Goldman Sachs rules the world.”

Now that we know who is really in charge, that should tell everyone to put down Metasploit and become bankers.

I have been saying for a long time that the future of Infosec is in insurance. There have been many events in the past year where large companies experienced an incident and the brunt of the impact was absorbed by insurance. If JPMorgan (NYSE: JPM) can’t stop bad things from happening with 1000 people and an operating budget of $250M, what chance does a small business have?

@schunk says it well here

That is a great point, and as @scmunk goes on to say, insurance has been around longer, so people understand it better. How many people have elderly relatives who don’t know how to operate the DVR (or VCR when they had one)? For infosec professionals this stuff is very simple, but we all have to consider that we are from different backgrounds. We are the DVR stuck on repeat while the people around us are more concerned with how to operate the remote than watch what’s on the screen! This is a lot like patent law. The obviousness test depends on who is looking at the subject.

At the end of the day everybody’s job is to help their business remain profitable. That goes for commercial and not-for-profit entities. The first objective everyone should have is to defend the balance sheet and income statement. When Something Bad Happens (TM), insurance is a tool that can help you with your defense.

Let’s look at an incident, and it doesn’t matter if it’s a lawsuit for food poisoning, a factory burning down, or a group of APT Hackers. This is just like day trading stock. You don’t need to know what the company does, its financial situation, or its outlook for the future. There is some set of information that lets you move on to the next step without consideration for what else is happening.

You have some probability that something will happen and the cost of when it does. Sound anything like your CISSP exam? Let’s focus on the cost. When something breaks you have to pay to fix it. This adds to your Operating Expenses on the Income Statement, resulting in lower Earnings Before Interest and Taxes (EBIT). Insurance covers your out-of-pocket expenses and restores those assets. Yes, but it doesn’t replace lost revenue, you say? It can if you buy the right product. You can get additions to your business continuity policy that not only replace your factory, but also pay you revenue based on your last quarter’s earnings until your factory is rebuilt. It’s like the Servco slogan: as if it never happened.

If we take a high level view of All The Bad Things That Could Happen(TM), management will first be concerned with what happens to the Income Statement and Balance Sheet. There will be lots of insurance policies for different events in place. Do we need to get caught up in the details of the probability of a forest fire this year or the odds of “Peggy” having a side job at USA Prime Credit stealing your data? Not really. Someone else is going to pay. All you need to do is make sure all of the policies cover every possible scenario. Then you can go spend money on those fancy Palo Alto (NYSE: PANW) NGFWs and some FireEye (NASDAQ: FEYE) to keep “Peggy” out.

That’s assuming that you ever get to spend money on those wonderful toys. Remember how we discussed EBIT earlier? There’s another reason that is important. Most companies have debt. One thing that is important to the investors is the Debt-to-EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization) ratio. In simple terms this is expressed as your debt divided by the sum of the last four quarters’ EBITDA, evaluated on a quarterly basis. The desired ratio varies, but usually anything over 4 is bad. In some cases, if your Debt/EBITDA ratio exceeds a certain number you are considered in default, which is bad. Even though everything at the company appears normal, your investors will consider exceeding the ratio spelled out in the Covenants the same as skipping out on the loan entirely. The entire balance comes due at once, credit ratings drop because you skipped out on the loan and continue not to pay the full balance, the CFO gets fired for letting it happen, and people get laid off.

The other complication with Covenants is that your investors can dictate what you spend your money on by limiting your CapEx and OpEx expenditures. They may not see the value in those Palo Alto firewalls or something to keep Peggy in line. If you thought arguing your case with the C-Suite was hard, just try talking to some investors’ representatives who are interested in making sure you keep your Debt/EBITDA low by controlling CapEx and OpEx, so they have assurance you’ll have enough money to keep paying them back. Their only risk is credit risk, and you answer to them first. Your operational risks are not their concern. Besides, they bought insurance on the loans in case you go out of business so they can get their loan principal back.

Now let’s look at the effect on EBIT. If you spend $250M on security equipment and 1000 people, you could still have a cyberincident, which means you’re paying out in investigative fees, regulatory penalties, notification letters, etc. Spending that $250M increased your operating expenses, thereby reducing your EBIT, potentially getting you into trouble with your investors. Now you have an incident, which drives up expenses even more, reducing your EBIT, which gets you into trouble with your investors. What we learned from the JPM breach is that even if you spend that kind of money, something will happen eventually, whether it’s Peggy or a forest fire. If you’re really short on cash, buy breach notification insurance. Having that can make or break a small business or non-profit. Buy a mid-size insurance policy for more protection. You might be like Target and have most of your cyber incident covered. Buy a huge policy that covers everything including replacement of revenue and it will be as if it never happened. Then you can balance the CapEx cost of security equipment and the OpEx cost of people to operate that equipment against any savings in insurance premium you get for having a security program. Juggling this is all you can do if you’re a small business. Even if you’re a large business it might pay off to cut your security expenditures a bit and increase your insurance coverage.
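To make the covenant mechanics concrete, here is an added Python model (not code from the original post) that evaluates Debt/EBITDA every quarter over the trailing four quarters, flags any quarter above the 4× limit, and compares three spending choices: eat an incident with no program and no insurance, run a security program and still eat the incident, or pay a premium and let the policy absorb it. Every dollar figure, the scenario names, and the helper names (`build_quarters`, `debt_to_ebitda`, `covenant_breaches`, `breach_report`) are constructed for this illustration; only the ratio definition and the threshold of 4 come from the post.

```python
"""Trailing-four-quarter Debt/EBITDA covenant check.

Added example, not from the original post. All dollar figures are constructed
illustrations in $M; the covenant threshold of 4 and the "sum of the last
four quarters' EBITDA, evaluated quarterly" definition come from the post.
"""

COVENANT_MAX_RATIO = 4.0  # "usually anything over 4 is bad"


def build_quarters(base_ebitda, quarters=8, recurring_cost=0.0,
                   incident_quarter=None, uninsured_incident_cost=0.0):
    """Quarterly EBITDA after a recurring opex item (security staff, premiums)
    and an optional one-off incident cost that insurance did not absorb."""
    series = []
    for q in range(quarters):
        ebitda = base_ebitda - recurring_cost
        if q == incident_quarter:
            ebitda -= uninsured_incident_cost
        series.append(ebitda)
    return series


def debt_to_ebitda(debt, quarterly_ebitda):
    """Return {quarter_index: ratio} for every quarter that has four quarters
    of history; ratio = debt / sum of the trailing four quarters' EBITDA."""
    ratios = {}
    for q in range(3, len(quarterly_ebitda)):
        trailing = sum(quarterly_ebitda[q - 3:q + 1])
        ratios[q] = debt / trailing
    return ratios


def covenant_breaches(debt, quarterly_ebitda, max_ratio=COVENANT_MAX_RATIO):
    """Quarters in which the trailing ratio exceeds the covenant limit."""
    return [q for q, r in debt_to_ebitda(debt, quarterly_ebitda).items()
            if r > max_ratio]


# Constructed scenarios (all values hypothetical, $M). Debt is fixed at 1000
# and the business earns 70 of EBITDA per quarter before security choices.
DEBT = 1000.0
BASE = 70.0
INCIDENT_Q = 3          # the incident lands in the fourth quarter
INCIDENT_COST = 40.0    # investigation, penalties, notification letters

SCENARIOS = {
    # Spend nothing, insure nothing, eat the incident.
    "no program, no insurance": build_quarters(
        BASE, incident_quarter=INCIDENT_Q,
        uninsured_incident_cost=INCIDENT_COST),
    # Spend 10/quarter on people and equipment; the incident still happens.
    "security program, no insurance": build_quarters(
        BASE, recurring_cost=10.0, incident_quarter=INCIDENT_Q,
        uninsured_incident_cost=INCIDENT_COST),
    # Pay a 5/quarter premium; the policy absorbs the incident cost.
    "insurance covers incident": build_quarters(
        BASE, recurring_cost=5.0, incident_quarter=INCIDENT_Q,
        uninsured_incident_cost=0.0),
}


def breach_report():
    """Map each scenario to the quarters in which the covenant is breached."""
    return {name: covenant_breaches(DEBT, series)
            for name, series in SCENARIOS.items()}


if __name__ == "__main__":
    for name, series in SCENARIOS.items():
        print(f"{name:32s} EBITDA={series}")
        for q, r in debt_to_ebitda(DEBT, series).items():
            flag = "BREACH" if r > COVENANT_MAX_RATIO else "ok"
            print(f"  Q{q}: trailing Debt/EBITDA = {r:.2f} {flag}")
```

The point the numbers bring out is the trailing window: an uninsured incident in one quarter keeps the ratio over the limit for four consecutive evaluations, and a standing security budget by itself eats into the headroom, so the insured scenario is the only one of the three that never trips the covenant.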

Where do we take it from here? If you read into what I have written, there are many learning and career opportunities here that will add to your marketability, or you may decide, as I have, to move on to something other than technology-based infosec. Here are some quick takeaways.

Learn to speak the language of the CFO and their team. My Finance I professor said, personal finance and corporate finance are exactly the same. The only difference is the number of 0’s. You can put the same concepts to use in your personal life in addition to work.

Take a free online course in Management Accounting. That’s not QuickBooks. It’s using accounting information and relating it to business decisions. If Bob sells a burger meal for $10 and his cost is $9, and he needs to sell 300 meals a day, should he run a 5% off coupon? No, because if he has trouble selling 300 meals, he’s going to have even bigger problems selling 600 to make the same money for a measly $0.50 off. Think of how demanding discounts from your suppliers or purchasing alternative equipment affects the financial outcome of what you do (EBIT). Your CFO will thank you.

Take some free courses in LEAN or go for a LEAN Six Sigma Black Belt. If you have Covenants that restrict your spending, the best way to remedy that is to help cut costs, reengineer processes, and eliminate waste. Convince your CFO to let your department keep a portion of the savings you “find” (in other people’s departments, of course). At the very least, improving EBIT reduces your credit risk and improves the company’s general survival rate. At best you end up with more budget. In all cases, if you’re known as “the cutter” to the finance department, you’re not likely to end up on the layoff list when things do go south.

Talk to your corporate Treasurer. Treasury manages daily cash flows. When Bad Things Happen(TM), Treasury has to compensate for expenses such as those PCI auditors who are going to give you a beating. Treasury also usually handles all of the company’s insurance policies, since that protects the cash they manage from Bad Things (TM). That Management Accounting class you took will come in handy when both of you sit down and play with the variables on the insurance company’s questionnaire. Do we buy that control? How much of a premium discount do we get? Nope, we spend more on the control than we get back on the premium.

Consider taking your state’s insurance licensing exam. In my state Errors & Omissions (aka E&O or Professional Liability) is covered by the Property & Casualty License. Cyberinsurance, business continuity, and injury should be part of this license. If you’re at a small or medium-sized company, more than likely you’ll be the only one who knows this topic inside and out. Your Compliance Department’s Conflict of Interest (COI) policy might prohibit you from selling to your company, but you will get experience with the language by selling to other companies as a side hustle. You’ll be an asset by learning to read the fine print and pointing out where your agent/broker left loopholes in the coverage. If you take on the insurance role at your company, guess what? You’re now performing a Treasury role and you’re a Financial Professional! After a few years of handling insurance you can take the Certified Treasury Professional exam. How many people have a CISSP, CTP, and an insurance license? That’s exclusivity you can charge extra for! There are also a lot of great nonprofits out there that could use an insurance agent/broker who will give up a little in commission to help them get a good deal on a policy.

Talk to Compliance and Legal to find the minimum spend on regulatory and legislative matters so your organization doesn’t appear negligent. Assisting with the paralegal research will help you understand all the different regulations, the associated penalties, and the highlights of cases such as FTC v. EVERYBODY. This builds on your Management Accounting class. Work with Treasury to come up with a properly sized policy for regulatory fines (yes, there is a policy specifically for that), and balance the outcome to arrive at an EBIT your CFO will appreciate. Who knows, after hanging out with Compliance for a while you might pick up an interest in what we do outside of infosec, such as Anti-Bribery Anti-Corruption (ABAC), Child Labor, Ethics, Sustainability, and Conflict Minerals. Truth be told, those things are why I switched to Compliance, because they mess up our world and who we are more than Peggy ever could. You can find more about becoming a Compliance & Ethics Professional here.

Keep an open mind in your journey. As we learned early in our technical careers, you use the right tool for the job. We also learned when we were young that when you have a hammer, everything looks like a nail. Information Security doesn’t have to be accomplished with IT Security just because Peggy is using a computer to hack you. We can use many different skills and resources to make it as if Peggy never happened.

Protecting Your Customers and Profits From Your Employees

When operating a business it is important that line management understands the direction the executive officers and board have set for the company. This includes high-level policies and strategy, which are communicated down to middle management, who in turn oversee business processes and the execution of work. In order to properly operate a business, the strategic, tactical and operational policies should be communicated and have signatures from all levels of employees. Individual line managers should not be encouraged to “do their own thing”, since this can endanger the company’s reputation and subject it and the executive suite to legal liability.

Today’s case study in poor corporate governance comes from Muvico Entertainment, LLC in Fort Lauderdale, FL. At a theatre in Rosemont, IL, Samantha Tumpach was arrested and held in jail for two nights. What was her crime? She was filming a birthday party at one of Muvico Entertainment’s theatres, which isn’t a crime. Filming her friends while the movie was running was the crime. According to police she had less than 4 minutes of footage total. Management at the theatre called the police and insisted that Tumpach go to jail for a felony. The police seemed to think the theatre manager had overreacted, but apparently their operating policies do not allow them to refuse to arrest on the scene if the officer thinks the issue is trivial. In such cases the accuser must obtain a warrant and have the suspect arrested later. The judge handling her case released her on her own recognizance, which indicates he thinks it was a minor incident. She may be facing up to 3 years of prison for having her camera on. I doubt she will face any prison time since crimes involve motive and intent, neither of which exist here.

I would consider this to be a corporate bailout at the expense of the taxpayers. Rather than sue Tumpach for damages using the company’s own funds, they decided to foist the costs off onto the taxpayers. Muvico Entertainment just gave the government an excuse to raise taxes on the surrounding businesses and residents. Property and sales taxes fund the judicial system and the police department. This adds one trivial case to the court system where police and judicial time could be used to fight violent crime. Either you cut back on police and judicial services for trivial matters, or you hire more cops and judges to deal with both trivial and serious matters. Muvico Entertainment is not the kind of neighbor I would want to have as a business or a resident, and certainly not one I would be a patron of.

The damage done to Muvico Entertainment’s reputation has mainly been in the media and on the internet. People have been giving them 1-star ratings on Google Maps and Yelp, which is going to hurt their sales when someone reads the reviews and sees a ton of 1-star ratings. If they actually read the reviews they may dismiss the ratings, or they may boycott the business based on the poor decisions made by management. There is nothing Muvico Entertainment can do to make these 1-star ratings disappear from Google or Yelp. There is also nothing they can do to silence the blogosphere or the mainstream media. In the end this may not hurt them financially, but their executive management has a large rotten egg splattered on their faces.

How do you prevent this kind of embarrassment in your business? Define your company policies and train your employees. In this case a policy stating that all arrests on behalf of the company must be approved by middle or executive management could have avoided this situation. There is also a question of ethics involved here. Executive management of any company should have a code of ethics policy which forbids employees from taking payoffs from vendors. In most cases your company may have a policy prohibiting employees with buying authority from taking free lunches, golf games, or sports tickets from their suppliers. If you don’t have a code of ethics policy in your business, you should get one approved. Many publicly traded companies publish their code of ethics policy. You can use one of those as a starting point.

The MPAA is offering a $500 bounty to any movie theatre employee who calls the police on a person operating a video camera in the movie theatre. The MPAA bounty presents an incredible opportunity for a public relations nightmare and conflict of interest. If you have a code of ethics policy, it would be a good idea to use this situation as another example of prohibited behavior. It definitely creates a conflict of interest between your employees and your customers and in my opinion is no different than a buyer taking a bribe from a supplier to become the vendor of choice. Businesses should place the customer at a higher value than their suppliers. Customers provide revenue, while suppliers contribute to expenses. If one movie studio goes out of business due to bootlegging, there are others to buy your content from. If your customers organize a boycott because you value your suppliers more than them, you may be the one out of business.

UPDATE: After checking some MSM sources it appears that Muvico Entertainment is encouraging its employees to screw over their customers. 

"The motion picture industry has encouraged theater owners to adopt a ‘zero-tolerance’ policy prohibiting the video or audio recording of any portion of a movie," Muvico Entertainment, which oversees the theater, told HLN’s "Prime News."

What happens now? Muvico Entertainment says it’s up to local police to determine Tumpach’s future.

Zero-tolerance equals zero common sense. I guess they collected their $500 bounty and are proud of themselves for it.