VIEW 20
Peacock’s feathers
Beautiful as they are, a peacock’s feathers serve a very practical purpose. They have evolved over millennia as a visible sign of mating fitness. A peahen, simply by looking at the splendor of the peacock’s tail, can gauge the health and desirability of that individual as a potential mate. A simple visual clue that provides a reliable measure of underlying soundness.
Blow into this, please
In almost all countries, drunk driving is an offense, enforced through a breathalyzer test. A set blood alcohol limit defines where criminal activity begins, and that limit has gradually been lowered over time. It was originally set at 0.15% in the USA in the 1940s, equivalent to an astonishing eight pints of beer. It is now far lower: typically 0.05%, for example, in most of Europe. Below that level, a driver may be impaired, but not to an extent that is held to be irresponsible. Criminality is a question of degree.

Other areas of driving have a similar dividing line between criminal and non-criminal activity; think of speeding and parking fines. There are clear definitions of what is allowed: what counts as speeding is defined by a posted limit, and the duration for which parking is permitted is clearly stated. We need to drive and park in the normal course of business. As with driving, using computers is completely integral to the normal functioning of an economy. Everyone does it. But, unlike driving, there are as yet no clearly defined lines between prudence and recklessness, and the rules that might establish a precedent have yet to be tested in a court of law.
So, the question for cyber is, “Where are the peacock’s feathers?” What are the simple, visible, and universally accepted indicators of cyber security fitness?
The answer is that they are still evolving. There are some published technical standards, such as the NIST Cybersecurity Framework, the ISO/IEC 27000 series, and the UK Government’s Cyber Essentials certification, which set out sensible guidelines. It is not difficult to make the case that compliance with these guidelines can substantially reduce cyber risk. But at the same time, the very best companies still get hacked, and even the National Security Agency itself has suffered breaches (the Snowden disclosures, for example, although that was an insider leak rather than an external attack).
The fortuitous loss
The central issue here is the concept of the “fortuitous” loss: a loss that is beyond the control of the insured.
Government regulators in the USA and Europe impose fines for data breaches. But if the insured has followed best industry practice in cyber security, is it fair to be penalized in this way? What is needed is a widely accepted set of indicators, some peacock feathers, that can be used as a fortuity test to absolve insured corporates of blame. This is the equivalent of driving inside the speed limit. Defining these limits through close cooperation between cyber security vendors, the insurance sector, and the regulatory bodies could lead to very fruitful results for all parties.