Please give a warm, open group welcome to Larry Clinton and Dan Reddy. Hi, hi, Dan. So there's an odd, so... So, we do have slides. Is somebody forwarding those for us? There's another... Very good, thank you. Technology stuff always gets to me. Good morning. And it is a real pleasure to be here. I want to start picking up really where Bruce left off. And that is with the notion that one of the things that we have come to realize in the space of cybersecurity is that our... this is a 21st century problem, and we are mostly operating with 19th and 20th century mechanisms to deal with it, and we need to evolve some management mechanisms that are dynamic enough to keep up with the ever-evolving threats and, of course, the ever-evolving technologies. I think that's kind of the backdrop from which Dan and I are approaching this. We want to start by taking a step back and looking at what is it really we are talking about. One of the things that we have noticed is that there's a lot of activity in the cybersecurity space. There hasn't been really a lot of thought about organizing that activity. We have noticed the problems so quickly. We need to respond so quickly. We're kind of running around. I mean, if you talk to IT professionals, they use phrases like their hair is on fire all the time. They can't stop to think about why they're doing things because they're so busy doing things. So we want to start this morning by taking a little bit of a step back, looking at what the problem is and seeing if we can contextualize it before we move on to the particular strategy that Dan and I are going to go into in a little bit of depth, which is the use of cyber insurance, which may be one of those mechanisms that might be dynamic enough to keep up with the sort of threats that we're talking about. And we begin with a realization that, contrary to popular thought, cybersecurity is not an IT issue.
Obviously, it has an enormous IT component to it, but the number one threat that we have, frankly, isn't technical at all. It's people. There's an old saying in automotive safety that the biggest safety feature in any car has always been the nut behind the wheel. It's the same thing with respect to cyber systems. It is the people who are our biggest vulnerability, managing those people. And the interconnectedness of the system, which we'll talk about in a minute, also complicates things. But it is not fundamentally an IT problem. It is not so much that the IT is bad. It is that the IT is under attack. That's a very different sort of problem. And it's important for us to realize that at this stage, we're really not talking about hackers. I mean, we use that term all the time, but I think it's really an outdated term. It calls up notions of Ferris Bueller in his basement changing his grades and stuff like that. That is not really what we're dealing with today. We are dealing with the A team. These guys are professionals. This is their day job. They're really, really good at it. For a while, we have used the term APT. Anybody know what APT stands for? Yes, sir? No, but thank you for playing. Anybody else? I love the look on the face when I tell people. Actually, it used to stand for APT, Advanced Persistent Threat. It is now the average persistent threat, by which I mean that the sort of advanced and elite mechanisms that we saw being practiced nation-state to nation-state and against some of the defense contractors five or six years ago, we are now seeing throughout the economy. This is typical sort of stuff. We are dealing with very sophisticated attackers, and they are attacking a system that is constantly getting weaker. I'd say virtually everybody in the room has at least one or two mobile devices, some of which you're playing with while I'm speaking. That's okay. Been there, done that. But we are now moving from a world where we have currently 15 billion mobile devices.
In five years, we're going to have 50 billion mobile devices. It is virtually impossible to secure these. And by the way, all these new technologies, these new apps, this new software, as you guys know, is generally built on top of an insecure system. The core protocols that the internet is based on are open, they are not secure, and the bad guys now are going back and looking at those old protocols and finding even new vulnerabilities in them that we didn't know about before. So the system is bad, the system is getting weaker, and we are about to move into the internet of things. So we have, the victims are in an extremely vulnerable position. And we think that it is probably a good point for us to take a step back and stop blaming the victims of these attacks. For example, Sony. Sony, by the way, is not a member of the Internet Security Alliance. I have no brief for Sony. I have no reasons to defend Sony. And they didn't do that creative a job with their information security. But they were attacked by a nation state. In fact, lots of people are being attacked now by nation states. Private companies really don't have the wherewithal to put up with attacks, persistent attacks, that are nation state or nation state affiliated. But that is the end of what we are seeing. We realize now that we can't mandate security. Security is not purely a standards issue. Standards are important. We need to work on having good standards. But we can't mandate simply complying with a standard and come up with security. In order for us to move from insurance to assurance, so that we have some confidence in these sorts of systems, we are going to need to include the economics of cybersecurity. A couple of things about the economics of cybersecurity. First of all, many of the assumptions that we make about the economics of cybersecurity are faulty.
For example, Bruce has left now, but he would have been familiar with a document that DHS put out several years ago called the Cyber Security Ecosystem, which was very similar to an earlier document DHS put out called the National Strategy to Secure Cyberspace. All of these documents said, well, corporations are going to adequately fund for cybersecurity. We don't need to do anything to affect them because that's good business. Actually, the opposite is the case. Most of the enhancements that build corporate growth, profitability, innovation, etc. from a technological point of view tend to undermine security. Bring your own device to work, long international supply chains, cloud computing, voice over Internet Protocol. All of these things dramatically add to the productivity of a business, but tend to increase your security problems. The security and the economics are kind of out of balance, and we need to understand that. So here's your basic security balance beam. Cyber attacks are cheap, easy to access. You can get them for a couple hundred bucks on the Internet. They're really profitable, a terrific business model. If you're going to go into the cyber crime business, you use the same stuff over and over again on a worldwide basis. Defense, on the other hand, is hard, almost inherently a generation after the attack. It's hard to show return on investment for things that you've prevented. And by the way, we don't have any law enforcement at all. We capture maybe one, two percent of cyber criminals. So this is our balance. This is the economic balance with respect to cybersecurity. It kind of doesn't make any difference what standards you have. If you have that imbalanced system promoting cyber attacks, we're going to continue to have these attacks. And some of the assumptions that we have about attacks are faulty. For example, one of the most common ones is, well, these companies, they got attacked. Their stock value, they're going to get penalized in the stock market.
And that'll teach them, and they'll redouble their efforts on cybersecurity. Anybody believe that? Anybody want to... All right, so here's a quick multiple choice question for you. Since the attacks on Target, their stock is down 20 percent, about the same, or up 20 percent. How many votes for down 20 percent? You guys have Target stock? I'd say about the same. Target stock is up about 20 percent since the attack. Sony stock, same basic thing. So the assumptions that we're making, that there are going to be these natural economic moderators, really is not the case. So what we want to do is we want to move to see how we can change some of those balances. And in this regard, we want to be flattering to our government policy makers because they have been, here in the United States, really visionaries in this space. Originally, I already mentioned the National Strategy to Secure Cyberspace, but originally, even the Obama administration, of course President Obama was the most pro-regulatory member of the United States Senate when he was in the Senate. And they came out in 2012 with the Lieberman-Collins bill, strongly advocated, strongly supported. And this would have empowered the Department of Homeland Security to set mandates across the private sector, broadly defined critical infrastructure, for cybersecurity. It failed miserably. And it didn't fail miserably just because the Republicans wouldn't back it. The liberal Democrats in the northeast, and I'm talking about Whitehouse and Coons and those people, they wouldn't support it because it was a bad idea. Because we can't set cybersecurity mandates and still maintain the sort of innovation and growth that we need. And if we set those things, it would be quickly out of date. As a result, by 2013, President Obama had completely reversed course. And instead of promoting a system of mandates for cybersecurity, his executive order in 2013 basically adopted a social contract model.
Wherein they said, what we're going to do is we are going to work with industry. And together, we're going to come up with a set of standards and practices that we jointly believe are worthy of promotion. And we are going to urge voluntary adoption of these standards and practices by the use of market incentives. This, by the way, is very consistent with the position that industry had taken, that the ISA as well as the Chamber of Commerce and TechAmerica and the Center for Democracy and Technology had already taken a number of years earlier. And it is consistent with the House Republican Task Force report on cybersecurity. So cybersecurity is perhaps the only really substantive issue on Congress's agenda where the Republican leadership and the Obama administration are in the same space on a substantive basis. So NIST developed their framework. And their framework has been widely praised. It was an excellent process. Now we have to do the hard part. And that is we have to get people to do the framework. We have to find some of those market incentives that are going to drive voluntary adoption of this, because if we can make security at least affordable, if not profitable, for a company, then they are going to do it on a voluntary basis. We've proposed a number of these sorts of incentives. The one we're going to focus on today is insurance. Brief history of insurance. Traditional insurance policies covering business loss came into place in the early days. By the 70s, we had moved to develop specialized policies for crime insurance, et cetera. By 1988, we saw the first anti-hacker insurance policies. And by 2000, we were seeing some of the early forms of cyber insurance. Now it's important that we understand what we mean when we use the term cyber insurance, because it's used really loosely and generally people mean very, very different things.
So you have first party cyber insurance policies that generally cover the loss or destruction of information assets, business interruption, extortion, losses from DoS attacks, public relations, reimbursement, et cetera. And then you have third party policies which cover claims that come from internet content, tech errors and omissions, as well as some defense costs. It is that first party policy where we're seeing the most growth. A little bit more on the history of cyber insurance. By 2003, we were seeing the first data breach notification laws in California. What is important about these laws is that, for the first time, since there were requirements in the instance of a breach, companies knew that they would have certain costs. So if you had a breach, you knew you were going to have to offer some coverage for the affected people. You were going to have to set up a call center. You were going to have to notify employees, et cetera, et cetera. So all these costs were identifiable, and that made it possible for people to buy and get insurance cover, because their risk, at least their financial risk, was pretty easily identifiable. By 2009, we had Stuxnet. In 2013, we had the Target data breach, and it was the Target data breach that really brought the corporate executives into the mix. After Target and all the publicity about Target, the corporate CEOs and the boards of directors became much, much more interested in cybersecurity. By now, up to 2015, we have about a $2 billion insurance market. 40% of the Fortune 500 companies have some form of cyber insurance, and we have up to 60 brokers now offering this product. So this is kind of a graph that shows you how the market has grown. The important thing to realize, however, is that this is mostly those breach notification policies, not the sorts of things that our government is really concerned with, which is how do we cover critical infrastructure in case there's some sort of catastrophic attack?
Those sorts of policies have been much slower to move, largely because it's very, very difficult to assess the risk, to assess the financial risk. Organizations, companies, are very, very concerned that if there's a major attack, there'll be all this downstream risk, there'll be all sorts of claims on the policies, and the effect would be to simply wipe them out. So if you look at what sort of coverage we currently have, really you can dump it into these four different areas. First, you can buy security and privacy liability insurance, you can buy event management insurance, you can buy network interruption insurance, and you can buy, to a limited degree, some cyber extortion coverage, and we are seeing a tremendous increase in extortion attacks, where people say, you know, we've got your data, and unless you pay us some money or do something else, we're going to do something to your data. Now I know that there's nobody in this room that the following example applies to, but as I was driving in this morning, I heard of a particularly interesting cyber extortion case. It's not Dolly Madison, the website for people who want to have affairs, something Madison, they were hacked last night apparently, and they're being extorted. So unless they turn off their system completely, they're going to let everybody's data out, for everybody who signed up with them to have affairs. I just thought that's a sexy insurance extortion thing to bring before you today, so I wouldn't want to leave you without that. Okay, so what are the benefits of cyber insurance? Well, there are all sorts of benefits for cyber insurance if we can find ways to promote it. One of them is ecosystem benefits, so there are benefits to the nation. If we can invest our nation with a cyber insurance model, insurance is one of the best motivators of good practices. People give up smoking because of the insurance costs. My daughter studies harder because she wants to lower her car insurance.
We have constantly used insurance for good, for the adoption on a voluntary basis of standards and practices. If we can get people to buy enough insurance, we may be able to use this as a motivator. Also, it's a good way to evolve the standards, harkening back to the comment that Bruce made about how we need a really dynamic motivator. The attack methods and the technologies change so quickly that we know that our traditional mechanisms, government regulation, et cetera, just move too slowly to keep up. You can't write the regulations fast enough and then have notice and comment and final notice and implementation, et cetera. By then, it has taken you several years and the attackers have moved on. But if the insurance companies have their own money and their own skin in the game, they can evolve their standards really, really quickly to deal with upcoming threats. And also, there is a sort of smoothing mechanism. This is a funding mechanism that we can implement so that people can get their money back fairly quickly. So there are some benefits here also to the policy holder, but I'm going to skip over them because I think I'm running a little bit low on time and I want to move over to Dan's elements here. There's one more issue that I will deal with as I move up to this, and that has to do with the first of these models that we have that Dan is going to go through. What we want to look at is, are there ways in order to promote this insurance market? And the first of these scenarios that we would put on the table is kind of the largest scenario, and that is government becoming the insurer of last resort. Now, the interesting thing about this is that the government is de facto the insurer of last resort. If we have a cyber hurricane, a cyber trainer, whatever, we think that the government is going to come in and take over everybody's policies. Unfortunately, they don't recognize that.
And as a result, the government really hasn't stepped up, and because the government hasn't backed up the insurance industry, they're unwilling to sell these policies at a reasonable rate. And what we really ought to do is something similar to what we did with crop insurance and flood insurance in a previous generation: we establish a revolving fund, and the government says, any exposure beyond a certain rate, we will pick that up. And as a result, the insurance companies then can monetize their risk in a secure fashion and they sell policies, and some of that money goes into this revolving fund, so that eventually the public money in the fund is replaced by private money. There's little prospect of that actually happening, but this is at least one scenario that we think would solve the problem. Dan, let me turn it over to you to move on to the other issues.

Thanks, Larry. So I'm just, in the interest of time, I'm going to jump to this current scenario that we see. And this goes back to what Larry was saying about how the insurance today is mostly covering the breaches. So this seems to be a moneymaker right now, but if you look at the chart that Larry had about where insurance is going by 2025, I don't think that this model is sufficient, because it is just focused on something that's actually predictable. There is good actuarial data because the costs are well known. If there's a disclosure of identities, personal information, et cetera, insurance companies know how to pay for that sort of remediation. So it's kind of canned, and they are doing reasonably well with this market, but I don't think they know what's in their future, and I think too many of them are kind of hanging onto it. So let's see what some of the other models are.
So this is something that I understand is going on in the UK, where you have a group like a red team that comes to your enterprise, does an assessment, they get to know all the players, and they are ready to respond should you be attacked. But it's an expensive model, and it doesn't really scale for companies large and small, but it may work for some. I'm sort of intrigued by it, but I think it's very much of a heavy lift. The survey approach can vary, up to a really detailed assessment where you send out hundreds of questions. The thing about that is the insurer must understand what the right questions are, they must have the right people analyze all those results, and if I am an enterprise and I get the survey, I probably have to distribute that to all of my experts, get it all back, and then you have to have a rating system. And the feedback from folks in the industry, for those that have tried this approach, is that they're looking for simpler approaches. You may get the same result by asking five questions or 20 questions rather than 100 or more than 100. So I don't think this is going to be popular, but think about what you do in your enterprise when you look at your suppliers: you're asking a lot of questions, and you're doing it all manually, and it doesn't scale. This is a really intriguing model, and there are some private companies that offer a service where they will do a security assessment without your knowledge or permission. How do they do that? They go after your public-facing internet infrastructure, and they look for security configurations, security events, and they have their own private algorithm, and they come up with a score like a credit score. And insurers are intrigued by this because, hey, we don't have to do the work, we just look at the score and we get to see the relative value compared to others.
The problem is that I'm sure there's a lot of fine tuning that has to be done, and my guess is a lot of companies will want to defend themselves, saying wait a minute, that's not really what the profile is like. Maybe I use a third party, but still, if your third party has configuration issues that count against you and your IP range, then that could be an issue. So you could use, and Larry mentioned this and Bruce mentioned it as well, this idea of having standards be involved. The trick with standards is they are a good benchmark, but you have to have a good way to assess how someone is going to stack up against someone else using this standard. So let's kind of dive into it. So on the left you have, everyone knows the 27001 and 27002 series, lots of practices, security practices, but 114 controls in 12 groups. Yes, you can get an audit, but are we really going to have insurance companies go through all of that and be able to compare apples to apples? The NIST Cybersecurity Framework, great document, lots of value in talking about risk, etc. But again, 5 functions, 22 categories, 98 subcategories, and no standard way of measuring compliance against it. DHS had something, but not everyone has adopted that, but great. SANS top 20, you would think, hey, if we could only agree on 20 things. Those 20 things are hard, and there are no standard ways of evaluating them. Tying back to what Larry said about the economics, if you look at some work done in Australia, they found 4 controls that are actually cost effective. You can make money by doing these in your enterprise, so why wouldn't everyone start doing that as a base?
And then what you can do is say, you know what, I'll do those 4 because I make money there, but what is the incentive for me to stretch beyond that and maybe do the next 4 or 5, or go against some of the standards? So that's, I think, the place where incentives can come into play, as Larry said, to get everyone to increase the practices that they're doing. But if you're going to make it measurable, you've got to figure out exactly what you're going to do. And again, just going back here, you know, can everyone in this room do those 4? Have you already done them? Do you have a whitelist of all your applications, so you know exactly which ones should be running in your infrastructure? That's a hard thing to do, but you can make money if you actually do that, and then what would you be willing to do beyond that in order to, you know, get to an insurance model? So insurance companies are really looking to qualify people and possibly give you back in your premiums; that's really the angle that they're trying to address. So really, I think what it comes down to is, depending on your use case and your perspective, think about these models: which one feels right to you? I'm actually interested in what Bruce had said earlier about lots of people, or lots of insurers, starting to look at the NIST Cybersecurity Framework. I'd want to know how they measure them, but I think carriers have to figure out where we are going: if there is that big business out in 2025, what will be necessary for us to get there? And from a government point of view, you want to offer incentives. I've been a fan of incentives for a long time, but they should be economically based, so you get people doing things that make economic sense to them. So I think with that we will open it up to questions. Alan?

So, Jim Hietala again, you've got the questions. Jim?

I do. So let's see, first one: can you discuss or talk about cyber reinsurance, identifying concentrated risk in cyber policies for pricing in secondary markets? Are we there yet, or is
this premature?

You want to take that? We're on the way there. It is probably premature. It gets back to the conversation that I concluded with, which is how do we properly assess what the risk is, and the problem with the reinsurers is they can't define the risk particularly, and I'm talking here about these catastrophic instances. Let me step back. If we're talking about these breach notification policies, the reinsurance market is there, the market is booming, policies are being sold, great. But if you're talking about what the government cares about, the government cares about a massive attack on the electric grid and the east coast goes dark for three months in the winter, and that kind of stuff, that kind of catastrophic issue, it is very difficult to assess that amount of risk, and until we get a better handle on that I don't think we're really going to see the reinsurance market get in there. And without the reinsurance market, obviously the prime market is truncated. That being said, we are seeing movement in this direction. This is a hot topic, everybody's talking about cyber, a lot of people are talking about insurance, so I think that there's more interest, but until we can really do the economics on the risk calculation, we're not going to have it there full-blown.

Is that possible on the catastrophic event?
Well, you know, I think that it is possible if the government would step into their role, as I alluded to briefly. We had a similar sort of situation with crop insurance back in the Dust Bowl days, and flood insurance. This is all history, dust in those places either. And so the government said, okay, we'll cap your risk, anything above X the government will pick up, and then they said we're going to do that by virtue of a trust fund, and the idea was then, okay, now this makes it practical for the private sector to sell policies, and then a percentage of each of the policy payments would go into the trust fund, and eventually the public money was pushed out and the trust fund is all private funding. And that would be the way that you do it. Now, there are massive problems with both the crop and the flood insurance programs when you get into the details; we would have to learn from those. I'm talking about it in terms of the model; that's the only way I can see it being done. And the ironic part of that is, as I said, the government already has this risk. I mean, you know, after 9-11, after Sandy, I mean, whenever there are these massive events, the politics are that the government does have to step in, but they are not recognizing this for political reasons, and as a result, from a risk management point of view, they're not transferring any of their risk. So it would be a really smart policy if the government were to engage cooperatively with the private sector on this. I think eventually something like that will happen, but that's well down the line.

In my very early days I did some work with Lloyd's Underwriters Insurance, and you have a definable risk, and each name, each insurer, takes a fraction of that risk and then they reinsure it on. But the problem for the insurance underwriters is that it's not, the risk is not definable.

Exactly, yes.

And uncertainty results in higher prices, higher prices result in fewer policies being purchased, fewer policies being purchased in lack of competition in the market, etc.
Whereas if you get the policies starting to be sold by defining that risk, as you say, then you can start a virtuous cycle where, when the risk is set, then more people will get into the market; more people get into the market, more people buy the insurance, the competition drives the prices down, and we get more insurance. I just wonder whether we would be best served by starting with an area of risk rather than boiling the ocean and saying, okay, let's deal with all catastrophic events and all these big things. But, you know, there's some low hanging fruit somewhere. Jim?

So a couple of questions around economics. First, can you comment on whether security is primarily a technical or economic problem, and then how do we change the economics? Is there an economic market failure to be considered?

I think our premise is that it should be an economic issue, and it's largely been seen as a security issue.

Yeah, I think, well, there's been a whole bunch of research on that issue, you know, and if you go to Pricewaterhouse, you go to CSIS, you go to McAfee, they've all done study surveys, and the number one problem is economic. There are technical issues, obviously, but the problem really is that, you know, we don't want to pay for security. And I mean all of us: how many people in the room asked about security on your cell phone when you bought it? I suspect it's a small number, and that includes our government. And one of my member companies told me a story about how they were dealing with supply chain issues, which some of the Open Group are very familiar with, and they went to the Pentagon and said, we can sell you secure laptops, it costs you two dollars more a laptop, and the Pentagon said, no thank you. You know, I mean, we are focused on utility and cost savings, and so long as that remains our primary focus as opposed to security, we are not going to have the investment. The federal government spends about 13 billion dollars a year on cybersecurity; about half of that goes to DOD, so those are kind of
offensive means. We're spending 6 or 7 billion dollars on what we could call cyber defense, and this is a problem that is a multiple hundred billion dollar a year problem, whatever estimate you want to have; they go up to a trillion dollars a year that we're losing in lost value due to cyber attacks. We're spending a couple billion.

The reason that the breach coverage is so popular today is because boards are saying to their CISOs, what are you doing so that we don't wind up in the newspaper? And CISOs obviously know it's a heavy lift, but they also like to be able to say, you know what, for X amount of money I can get us coverage so you don't have to worry about that as much. And it fits into that scenario number two, and it's a win-win for today's world. But so, to really get beyond just, you know, insuring against a breach, the insurers are going to need much more, much better visibility into the actual risk posture that the company has, and many companies are struggling just to understand what the risk posture is, much less making it transparent to the insurers. So it seems to me that that's the big opportunity for the insurance market: to use one of your other scenarios that you talked about and come up with something that gives better visibility into what the risk really is and what the company is doing to mitigate it.

And some of the companies are doing that. I mean, AIG has just come out with a series of products, you know, to move in that direction, where they're selling security with the policy itself. I think Zurich is doing some similar things, Lloyd's is doing some similar things. Pardon me. The problem is that, by the way, they are being, certainly if you talk to them anyway, they say that they're being undercut by cut-rate insurance providers, you know, who are not asking these questions: check the boxes and we'll show you a policy, because the policies are so hot. Dan just articulated that people want to get into the market, and so that benefit of having them better assess the
risk and help you become more secure is being undermined by some of the market economics I recently asked the vice president of operations who told me he had cyber security insurance and I asked him what was in it he had no idea but he had presented it to the board and he knew they had coverage or at least he thought he knew he had coverage I mean there's a lot of this there was a policy that someone signed on right so we're talking about insurance for companies not government agencies right not government agencies as such we're talking about companies so we're talking about companies in motor insurance insurance is legislated in health and safety and a lot of it's legislated is there any prospective legislation that you must have some level of cyber insurance no if you're asking are there any bills out there I know of none I have heard of none being written I think the there was a watershed event with respect to overall cyber slash regulatory policy with the failure of the Lieberman Collins bill I mean it was a disastrous failure I mean the democrats at that point held the senate they controlled the senate senator reid was big backer of the bill he couldn't even get his bill on the floor it was and I think that after that the administration much walked away from any sort of regulatory mandates for cyber security as perhaps bad policy and perhaps politically unsellable and so they have moved instead to this voluntary model the executive order of the NIST framework finding various incentives and they are frankly struggling with finding what those incentives are largely for these economic reasons and from my point of view we're a big proponent of these incentives there's a certain timidry you know within the government they just are not willing to act quickly enough in this space the reality is we have all sorts of incentives we use throughout our economy agriculture aviation environment we've got all sorts of really clever incentive policies they simply haven't been 
applied to cyber security yet but I don't think we're going to see any legislative mandates so if you extend the target analogy and the motor vehicle you expect to at least ensure for third party loss but in the target case target covered all the third party loss so the only beneficiary from insurance would have been target wouldn't it? a lot of the coverage is focused on the first party and not the third party yeah and for the motor vehicle insurance the legislation for third party insurance is governed by the fact that the person causing the accident probably doesn't have a sufficient funds to be able to reimburse but target does I was interested in watching the Sony situation unfold here you have the president getting up and saying to the nation it was a nation state attack of North Korea and yet it was handled as a private matter I'm sure behind the scenes the government is working with Sony but especially given the political climate that we're sort of anti bailout I wonder where the line is going to be in the future how big of a disaster would there have to be for the government to jump in we could ask Bruce Jim next question I'll pick up on the Sony one just to amplify that because it seems to me that was a watershed one in terms of what the impact can be of when a breach happens it's not just we lost a million records and it's going to cost us a million times whatever the credit monitoring is they shut down our business largely for weeks on end there were significant business impacts and I think that's one of the members brought this to my attention that's probably what's got boards and CEOs really staying up at night is how do we avoid that one where they really get in they wipe servers they cause massive consequences to the company it's a hard problem to get the security right for the insurance industry to wrap their head around how to get the price of policy for something like that even internally within those enterprises the remediation is an economic 
issue that's going to be played up against all the other business initiatives that are on the table right so the CISO comes and says we need to do all of this and here's the cost and when you trade it off against all the other business things it's like okay you can get half of that for now also I mean when you and there was a really interesting article I think it was in the Harvard business review a month or so ago that went through the actual costs of some of these high profile breaches and when you actually go through everything including the insurance and the tax write offs etc the amount that target lost from the big target breach that everybody you know is like the equivalent of their summer sales easily made up targets fine people went back sharp target the stock is up so some of these assumptions that we have we see something in the news we think you know this is terrible and the company is going to go out of business you know actually we're really not seeing that and we're also by the way not seeing the lawsuits that have been filed seeing those mostly get dismissed so this is a more subtle difficult problem than it appears to be and that's why I think we need you know some of the things you know that Dan was just alluding to as to where the government and industry need to be working together Kevin Mandea says that 90% of the attacks that he's working on now are nation state related these are private companies being attacked by a nation state I don't know what the role of the federal government is in those sorts of things I think we really need to figure that out I don't know what the policy is with regard to that but that's a problem so a good lead into this question do you see the government stepping in in the near future around critical infrastructure threats that citizens all depend on you know whichever are the critical infrastructure sectors you talk about water electricity transportation I think that the I think that there is broad consensus within 
the Beltway Republicans and Democrats about how to do that I think they are stepping in from my point of view they are on the right path but not moving nearly fast enough but I think that the notion of a partnership between industry and government that is voluntary and supported by a set of market incentives that's where the administration is that's where the Republicans in the Congress are that's pretty much where the Democrats in Congress are so I think that's the path that they're going to go down and I happen to think that that's the right way to make a sustainable model if we can work it out but we are we are not investing nearly enough on either the private or the government side we are not moving quickly enough to develop these incentives we're really not even doing the work that we think needs to be done with the NIST framework I think Dan used the term adopt the NIST framework and you know how dare you I mean you're not allowed to say adopt you're not allowed to say comply with it's use the NIST framework and nobody has any idea what use the NIST framework it's used as doorstop you're reddit use the NIST framework there's no there's no definition and that's the signature program so I think we have to get a lot more serious about this so I think we will but we're moving far too slowly yeah I was very excited when insurance came out as a defined incentive after the president's announcement but again you know here it is years later there's nothing clear nothing concrete in terms of how to do that I know DHS is working to get people to bring in their experience from industry to create sort of this database so that actuarial information might be available to insurers but that's a heavy lift if they're going to do something they have to make it clear and simple and move quickly so next question do you think CEOs and boards are irrationally managing risk in their companies you know IE it can't happen to me so we do a lot of work with the National Association of 
Corporate Directors and they are you know they are sold corporate right now this year in the research they do on these kind of things cyber security is the number one issue for corporate boards this year it surpassed the second of compensation which was the number one issue last year so you know what it's more important than that it's something they really do care about it's now the number one issue I think we have passed I think we can spike the football on cyber security awareness we don't have cyber security understanding and I think the boards are really struggling with that but they are certainly interested it comes up at every board meeting from what I hear virtually every board meeting how to do it and that's I think what we are all struggling with I agree I think it's a matter of what sort of confidence do they have with their CSOs and others that are charged with protecting them I think they know that it's coming but they may have some confidence maybe because they bought insurance to give some sort of coverage but that's really where it's at Insurance only covers the financial loss it doesn't cover the impact on the brand or the image of the organization but as you say with Target it hasn't had much effect is it? 
Target's probably more secure now than their competitors right well they say there's no such thing as bad publicity right so and the reality is if you look at virtually all the high profile breaches those companies have done pretty well I mean there you know corporations are experienced with how to handle bad publicity going back to the Tylenol cases and you know Bishi cases well BP I haven't looked into BP I mean I would have guessed that BP would be accepted but everybody check BP stock everybody look I mean I can still buy gas from BP but my point is you can manage corporate bad publicity etc and I think the point that Dan made is really important you know we come to these conferences you know and we talk to ourselves you know so you come to a security conference you talk to security people and it's all top of the top of the agenda to us but if you go to a board meeting you know I mean they're they've got to talk about the mergers they've got to talk about the acquisitions the new product launch what's the competitors doing cyber is just one of the things we have it in there with natural disasters and other things and we have to understand that our issue is just one of the issues and we have to find the appropriate place for it you know within the corporate ecosystem and get it resolved so I think the real work we have to do is figure out how to do this and again I applaud the administration and the congress they're on the right path different by the way so I don't think they're on the right path with respect to this but I can't emphasize enough we're just not fast enough let's go faster let's go faster I also mentioned in closing the security forum has a project around communicating to boards on cyber security and risk where we're looking at helping facilitate that conversation in maybe a quantified way so that boards know the right questions to be asking and the management teams are equipped to present information in the right way to really help foster an 
understanding of the cyber security risk situation I'd be very interested in anybody who's working on that project because we're doing a lot of work in that space too and I'd be happy to collaborate with you and on the subject to the perimeter mentioned earlier we've got a lot of documents from the Jericho forum work on deprimiturization and the advice organizations on that yeah that's I mean they were talking about that topic 12 years ago and it certainly played out that way that perimeter only security is you can't rely on that model anymore good well thank you very much that's much to think about