In today's frictionless economy, the principal requisite for growth and order is the free flow of sensitive information, banking transactions and private data on a global scale. With the shift brought on by the unrelenting growth of ecommerce and mobile platforms comes the nagging reality that cyber risk is here to stay. It is the sort of drag on the market that needs to be priced into the system rather than treated like something that can be eliminated or perfectly controlled.
Market and consumer expectations need to be adjusted accordingly, and in the age of hyper-transparency, people would be wise to remember that anything can be exposed to sunlight. Much like banks' zero-liability policies largely defanged identity theft and the risk that consumers would be saddled with thousands in losses due to phishing scams and fraud, so too cyber risk needs to be neutralized by a broad consensus on how to shift risk and respond appropriately. Perhaps it is time for a cyber FDIC to shore up confidence and risk-bearing in the system.
While the fallout from Sony's breach is still unfolding, especially as litigation is being drawn up by past and current employees, it is likely that Sony's besmirched reputation and consumer confidence will be the true victims of this attack. Although Sony's cyber attackers have threatened even more havoc following the release of The Interview, experts estimate the economic cost of this attack to be between 1% and 2% of Sony's $22.5 billion market capitalization - hardly a death blow to this massive enterprise. Yet, Sony's attack raises the specter of state-sponsored cyber terrorism, against which no private firm can marshal a strong countervailing system.
Coping with this risk requires new standards of practice to emerge around an early warning system, destigmatizing the advent of breaches and capping liabilities when they occur. All of this can be achieved through cross-sector collaboration between the government and the private sector, much like the conditions that gave rise to the FDIC following the Great Depression. In short, cyber risk should not be treated like a discrete risk for individual firms to deal with on their own. Cyber risk needs to be treated like a threat to national security requiring a strong collective response and measures to shore up the system.
The FDIC is regarded as one of the most effective and enduring Federal agencies, and its services, much like a centralized cyber risk pool, are not free. Banks pay risk premia based on their balance sheet, solvency and other factors. These funds are then used to shore up the broad system against bank failures and protect consumer accounts up to $250,000. Following the Great Depression and the wave of bank runs and failures, the FDIC provided a vital safety net and restored confidence in the system. In addition to the powers of restoring trust and capping exposures, a cyber FDIC must also carry strong deterrent powers in coordination with other U.S. government agencies. In short, "speak softly and carry a big stick" is an apt description, and cyber ne'er-do-wells should face proportionate applications of U.S. power for their misdeeds.
When the Terrorism Risk Insurance Act (TRIA) was drawn up following 9/11, cyber risk was in its infancy and, as a result, was not contemplated in the Act, which was designed to shore up mature property and casualty insurance markets and transfer catastrophic losses to the Federal Government. The fact that Sony's business model was successfully held for ransom by Guardians of the Peace, as their attackers call themselves, shows that this risk category has come of age and our national response needs to keep pace.
Ironically, most firms go it alone when they learn of a breach - if they learn about this silent menace at all. This omerta is a byproduct of fear of a public and employee backlash over the exposure of private data and trade secrets - a silence that makes the overall system weaker, under the guise of risk and crisis management. It is a simple, if painful, truth that holding on to bad news does not dissipate its impact; it makes it worse. Therefore, the final aspect of a cyber FDIC would be to run a central risk reporting clearinghouse that would collect system-wide information on breaches, near misses and comparative data across time. This last function would not only help mitigate cyber risk, it would also help improve private sector risk pricing and appetite, as the industry still labors under limited historical data for this relatively new risk domain.