Time for another cyber risk roundup!
A recent article in Insurance and Technology made me think about the nature of identity as it relates to information risk management. If we take a look at the list of companies from which data is being collected, I can’t help but wonder if there is enough similarity between these companies to make some basic risk assumptions about them.
If we think about the various loss forms that exist in a FAIR loss magnitude assessment, the one this helps with is Fines and Judgements. In other words, I’m drawing a line from the Cuomo’s request to a concept I’m calling “Most Likely Fined Like” (MLFL). There is an interesting element of this to me, namely that these companies are not all insurance companies. Many companies in this list would balk at being considered like each other. Some do life insurance, car insurance, others do health insurance, some do all this plus financial services, investments, etc. All of which contributes to various types of losses (things like primary value proposition are different obviously). These different companies have different public profiles as well which contributes to how often they will be attacked.
This sort of analysis is the core of a sophisticated risk analysis. Looking at secondary loss factors can be a tricky thing if as these values tend to get more abstract, but Most Likely Fined Like can be a good mental model to grab some data points from other companies and expand the pool of data from which you are extrapolating your ranges. You may get push back – “We don’t sell commercial auto policies,” or “We are a financial services company that happens to sell annuities.” I’m not defining corporate identity, strategy, or vision here. I’m trying to make a model of the reality in which we are operating. And I sense that amongst this list of companies, were they to experience a regulatory fine due to information security failures, you’d have a great data point for any of the others. This is a risk assessment technique that you can put in your pocket for the next time you are in a tough place identifying loss values.