Finding the incentive for cybersecurity

Another day, another large corporate hack. Companies continue to lose our data, through a combination of poor funding and misjudged security measures. None of them want it to happen, but do they have enough incentives to prevent it?

Companies must comply with industry regulations, but as we repeatedly see, the bare minimum often isn’t enough. There’s a difference between investing in cybersecurity because you have to, and investing in it because you want to.

The Internet Society, a nonprofit organization that helps guide policy for an open, innovative Internet, worries that companies aren’t going the extra mile because the incentives aren’t strong enough. It recently released its 2016 Global Internet Report, which suggests that cybersecurity investments are governed by an underlying market failure. There are two problems, it says:

Asymmetric information and externalities

Organizations suffer from asymmetric information, according to the Society. Stakeholders (typically, customers and employees) don’t fully understand the risks they face online. It is difficult for companies to explain to these people how well they have secured themselves.

Talk to a non-technical user about how and why you installed an intrusion prevention system and you are likely to be rewarded with a blank stare. That creates a problem for cybersecurity experts, according to Michael Kende, author of the report and a fellow at the Internet Society.

“Even if you did invest and did everything to protect yourself, you couldn’t convince your customers or contractors or others that you’d done that, so it’s hard to monetize the investment, which is another reason not to invest,” he says.

Another problem here is the cost borne by customers, which typically isn’t paid for by the breached company, and the cost of eroded trust, which is difficult to account for on the balance sheet – especially in an age where consumers have short memories.

“They don’t bear much of the cost so they have less incentive to invest in protection, and their assessment of risk may be off, in terms of the probability,” he says of compromised firms.

In economic terms, costs like these that aren’t accounted for in a financial analysis are known as ‘externalities’. When deciding how much to invest in cybersecurity, these externalities make it difficult to justify higher investments.

This doesn’t mean that all companies callously disregard cybersecurity risks, but it can lead to some selective blindness, suggests Kende.

“Many breaches are preventable,” he says, pointing to the recent Tesco breach, in which company executives were warned of the risks and failed to take action.

The fact is that companies do bounce back. TalkTalk, the UK telco that hopelessly fumbled its data breach back in 2015, was fined £400,000 by the Information Commissioner for the hack, which is estimated to have eventually cost it £60m. Profits fell 50% and the firm lost over 180,000 subscribers.

That may seem bleak, but its problems are proving temporary. It had added 148,000 new customers in the final months of its financial year, and that number will probably keep on rising. Its customer churn rate was at its lowest ever by its financial year-end last summer.

Interim results for the first half, till Sept 30 2016, showed EBITDA profits up 44% year on year to £130m for TalkTalk – twice the cost of the breach – on flat revenues. Predictions for the full year? Shareholder dividends in line with 2016, profits up, debt down. A cynic might argue that an embarrassing hack every once in a while is a great opportunity for contrarian investors.

What about Target, which suffered a major breach in 2013? Losing 40 million credit and debit card records and around 70 million customer records cost the firm $291 million. It only paid $201 million of that figure, though, because it was covered by cyber risk insurance. Overall, the firm lost 0.27% of its $73.78 billion in 2015 sales.

What can we do to build constructive incentives for cybersecurity investment? The report has a few suggestions.

One is the creation of markets for trusted, independent assessment of data security measures. It would be important to communicate these assessments in a form that’s easily digestible by users. Current ‘hacker-proof’ labels carry little sway among users, especially when firms like Ashley Madison began inventing their own.

He wants something like a consumer reports or underwriters labs that certifies the security of a company. Perhaps an easily-understandable star or colour rating that customers can get without having to understand what an application firewall is.

He uses the automobile industry as an example. That started off with precious little safety certification at all, but things have changed. “Now you have a market where you have a lot of passive restraints, and also active things like looking at the lane lines, and automatic braking,” he says. “It evolved into a selling point where companies are touting their safety. That evolution hasn’t taken place in IT.”

That could be the thing that encourages companies to pile more money into securing their systems. Other measures may be more punitive.

“There has to be a better study of the cost of users, and there has to be more accountability, whether it’s government imposing liability or the courts taking a more expansive view of user cost,” says Kende.

Punitive measures are on the horizon anyway, in Europe at least. The General Data Protection Regulation (GDPR) comes into effect in May 2018. It will make it possible for national privacy offices to fine companies up to 4% of their revenues if they are found to be negligent following a data breach.

That could make things hurt a lot more, and could compel companies to invest more in cybersecurity. If the carrot won’t work, then the stick just might.