The Securities and Exchange Commission is contemplating comments to a proposed rule on cybersecurity of financial services companies. Federal Drive with Tom Temin spoke with someone who specializes in quantifying risks, and wonders whether the proposed rules will actually help. Saket Modi is Co-Founder and CEO of Safe Security, a global leader in cybersecurity and digital business risk quantification.
Tom Temin And what would the SEC have its financial services companies do? Because we see this all over government specialized sets of rules and requirements by various agencies for their particular constituencies.
Saket Modi The SEC is basically trying to make sure that everything related to cybersecurity and privacy is being streamlined. And during a time where businesses are going technology driven, technology is becoming the business. Securing technology becomes securing their business. And unfortunately, these regulations and almost the way you look at running your businesses for the last hundred years are not the same that would be for the next ten years. And that’s the reason why very clearly a ton of companies have screwed up when it comes to their disclosures, when it comes to a hack, when it comes to them maintaining their cybersecurity records of how they’ve been maintaining their cybersecurity resilience, both historically and during an incident. And also being able to future predict whether they will continue to protect the data of their customers in the rightful way in the most responsible way or not. And that’s really where the SEC is stepping in to say that now that businesses are becoming digital, securing that digital means securing the business and in order to streamline the expectations from companies is where the SEC is coming in. And we actually think it’s an extremely positive thing in the right direction.
Tom Temin What do they specifically ask for? That is, do they want faster reporting of incidents? That’s, for example, what Veterans Affairs is asking of its contractors, or are they also prescribing specific cyber measures?
Saket Modi Firstly, the SEC is not prescribing any cyber measures because the SEC stake is that it’s your business and you understand how to protect your data in the best possible way. However, I would say the two big themes which actually come out, which is post incident, one is the reporting and reporting about the incident and the second is what have you historically done in order to protect your organization? And let me double click on that for a minute. The SEC is proposing that within a given time span and there’s still the debate which is going on whether it should be 48 hours, that should be 72 hours, whether it should be a week, what should be the right amount of time frame within which a company needs to notify the SEC in the case of any material incident that it gets to know about? And you want to keep this in mind, a lot of cyber hacks are not detected in real time, but that means in a very simple way is a lot of times you get to know about a hack which has been happening within your environment from one year back, from two years back, from five years back.
Tom Temin That’s what they call the dwell time, totally.
Saket Modi 100%. So that’s the amount of time that you need to go in and report as soon as possible for anything which had happened historically or is happening right now, as soon as you find out. And that’s exactly what the SEC is proposing right now, which is a giant leapfrog when it comes to today’s regulations, which don’t require you to do that within any defined timeframe, especially for all publicly traded companies. And the second piece that the SEC is asking is that if you do get hacked, you need to prove to the SEC that you were doing enough when it comes to protecting the data of your customers historically. And that’s really where you obviously need to go in and say that quantitatively and not qualitatively of how secure your organization’s been and what have you been doing to invest your resources to not only measure but also manage your cyber risk in the most efficient way possible.
Tom Temin We’re speaking with Saket Modi. He is co-founder and CEO of Safe Security. And you hit upon a key phrase there, not just qualitatively but quantitatively. How is it possible to or how does one quantify their degree of protection, their degree of cybersecurity?
Saket Modi So Thomas, Peter Drucker very famously said that you cannot manage what you cannot measure. Everything when it comes to better management needs to start from measurement. How do you quantify cyber risk? The simple answer to that is take a credit risk. In the financial world today, when you have a credit score, depending on how many times you’ve paid your credit card bills, how many times you’ve not missed your mortgage payments, everything to do with your finances being all collected together to quantify into an Experian score or a FICO score saying this is how risky you are as an individual, if somebody wants to give you a mortgage, give you a credit card. That’s exactly how cybersecurity can also be quantified. Depending on how you are doing right now, starting from deploying the right antiviruses, deploying from the right firewalls, what kind of policies do you have? Do you have a disaster recovery incident response plan or not, etc., etc. Depending on various parameters, it is possible to quantify and say here is the likelihood of a cyber incident to occur in your environment probabilistically. And based on that, you can also say if it does occur, this is where you are, this is where the industry is and this is what it will cost you x million dollars if there is an incident that occurs in your environment. They have data science methodologies that can be stolen or inspired from the world of insurance or credit risk that you can apply to cyber risk, which is not done in the past. And that really makes the lives of the regulators, the feds, at the same time, companies which are trying to make sure they are compliant, much easier.
Tom Temin Of course, then everything depends on what weight you give to the different factors so that what the algorithm turns out actually makes sense in reality.
Saket Modi 100%. Not only the factors. I think the bigger issue there is transparency of those factors. Because people don’t mind, because there’s always subjectivity, whether it should be 500, five or 5000 factors, and they will always remain. You cannot come to one list, which everybody agrees on. But I think the more important thing that we’ve seen is the transparency of those 30, 40, 50 factors. So when you click on your Experian score, it actually tells you, here are the ten factors that affect your score. And now that you know that you can work on that and you can prioritize what matters more than the other. Exactly the same with the transparency of the methodology is what we have seen is more important than getting everybody to agree to go ahead and say, what is that? What is the list of that key factors.
Tom Temin And getting back to the cybersecurity operational questions, we talked about dwell time and again VA is asking and a lot of other agencies are asking for this early disclosure. But as you pointed out, sometimes the intrusion can happen and sit there for a year watching your computer, your microprocessor clock and deciding when it’s going to deploy, is there a way to move? So it’s one thing, oh, we found this and you pick up the phone and call the SEC or call the CIA or whatever it might be, NSA, whatever it might be. But what about finding out at the point of intrusion so that it’s not a year and then 24 hours?
Saket Modi Yeah. The problem of finding at the intrusion is that you would probably have to pick up the phone at least 2500 times if you’re a Fortune 500 company every day and call the SEC for anything that’s happening. Because, as you know there are these security operations centers whose job is to notify B1, B2, B3 incidents that happen all the time. It’s almost like a very large real estate company, which has a lot of properties. It’ll always keep having incidents all the time. What matters are the material incidents that do occur, and that is what the SEC wants to know about. And to know that, and this is where the back and forth is happening, that is 72 hours is a weak enough time frame to know that whether something is material or not. And even if I do know what’s material, as you know it’s not so easy to just pick up the phone and talk to SEC. They would expect you to report in a particular format with all the evidence that you know about. So the question is that in the first four days, first three days, is it more important to build that report in that particular format or invest all your energy, all your resources in making sure that you’re responding to that incident first and then making sure nobody’s running away from disclosures. But the real question is the time for disclosure, which is out there. And that’s really what the debate has been all about.
Tom Temin Right. So if you find something that was an intrusion but you’re able to kill it before it executes, then no harm done. You don’t need to report that because there was no material effect, correct?
Saket Modi Absolutely.
Tom Temin All right. So then the question becomes finding when something did happen, responding one to the incident and fixing it and or at least getting the outlines of it, because if the data is gone, maybe you can’t fix it anymore. And then that disclosure, the closer those two can come together, the better off you’ll be in a regulatory sense and in a cybersecurity sense.
Saket Modi 100%. And remember, there are two types of disclosure that there are. One is about the incident, and the second is the historical trend line of saying how well have you been doing in order to historically protect the data of your customers? So that’s really the two dimensions, which is more tactical and then historically more strategic of seeing how secure you are. And that’s what obviously going in and bringing in a quantified solution helps not just saying, Hey, I’ve been doing everything in my capacity to protect the data. The better thing to say is a year back I was at 14% likelihood of a ransomware and the industry average was 13%. And I brought it down from 14% to 11% based on the $30 million of investments I made on cybersecurity. And that is the reason why that becomes like the common language which today is missing in the world of cybersecurity, because you can go to a large company and get their S&P score, Moody’s score or a FICO score. But on the other side, you cannot do that for your cyber risk if you’re putting your money in Bank of America or JPMorgan Chase, you don’t know which bank is more secured. And hacks happen all the time. We’ve seen banks collapse over 24 hours. So that’s really what the world is going towards. You need a standardized, consistent way of looking at the cyber risk, the way you look at credit risk.
Tom Temin Got it. So you can protect yourself against everything but the lawsuits.