How Data Insurance Might Have Prevented The Ashley Madison Hack

TProphet
5 min read · Jul 21, 2015


It’s all over the news today: Ashley Madison, a dating site used by unfaithful married people to cheat on their spouses, was breached and the data on all of its subscribers was stolen by hackers. The hackers, unusually, aren’t demanding money. They’re demanding that the service shut down; otherwise, all of the data will be made public.

Now, let’s just say that it’s hard for most people to feel sorry for either the owners of Ashley Madison or its customers. “Karma is a bitch” was my first thought at reading news of the breach. But this incident highlights a fairly serious problem that not nearly enough people take seriously. If your business depends on proprietary information, failing to protect it could legitimately put you out of business. This might not happen overnight in a public and dramatic incident, but CEOs should view the risk as akin to the risk of embezzlement. Losing the data that gives you a competitive edge can be even more harmful than losing the contents of your bank account, and the loss is a lot harder to track.

If you’re a business with something to lose, you can usually insure against it. For example, you can buy liability insurance, business interruption insurance, and fire insurance. While there is some insurance coverage available to assist business owners in the event of data breaches, it’s pretty limited in scope and doesn’t come with strict requirements. So most businesses don’t carry it, if they’re even aware that such coverage exists. It’s truly astonishing how massive a gap this is.

One of the biggest drivers of fire safety in America is insurance requirements. There are legal requirements too, which often go hand-in-hand. One of my jobs at Microsoft involved managing 9 separate IT labs scattered around campus, and I got to know the Redmond Fire Marshal pretty well. I think I may have been the only Microsoft lab manager in history never to be fined (I ran a pretty tight ship). If you want to avoid fines and prevent cancellation of your fire insurance, you need to have fire extinguishers, smoke alarms, and a sprinkler system. You’ll need to perform regular fire drills to make sure that everyone knows how to evacuate safely. And this presents a very real cost. People will roll their eyes but at the end of the day, they’ll comply with the requirements. Think about it: roughly 4 times a year, almost every business in America shuts down the whole company for an hour to meet fire insurance requirements and nobody really questions this. Everyone understands that complying with fire safety requirements is just a cost of doing business and while the interruption is annoying, people shrug it off and move forward. And they’re sure glad that everything works when it is needed! You’ll never hear a real argument in the executive suite about the cost of keeping fire extinguisher certifications up-to-date, or inspecting the fire sprinklers. It’s a routine matter, because even if it’s not a legal requirement, it’s an insurance requirement. And nobody would seriously consider running a business without fire insurance. The same is true for insurance requirements around industry-standard financial controls and physical security. You need to lock up the money and watch it carefully so nobody steals it. Everybody clearly understands this.

However, if you’re an IT manager implementing information security best practices, there are often howls of protest. Nobody questions locking the door to the computer room, but just try to lock up the data inside the computers. In every IT management job I’ve held, there was a security policy, and then there were the exceptions — and there were a lot of exceptions. And I didn’t really have anything to say about it unless there were legal requirements that carried a risk of fines or jail. Sarbanes-Oxley compliance? That stuff always got done, because the CFO had a seat in every board meeting and a personal risk of going to jail if it wasn’t done. But the risk of data breaches? Chances are your CISO doesn’t have a regular seat at the table during board meetings, and even if present, the legal risks of bad security practices are minimal. “Updating our security program is really important,” she will say. “It’s in line with industry best practices. Bad things could happen if we don’t.” There will be smiles and nods while the funding is again declined. “Thanks! Great presentation. Sorry it’s not in the budget this time. Maybe we’ll reconsider next year.”

Is Ashley Madison enough of a wake-up call? I think it could be, but it’s probably going to be up to the insurance industry to drive this. There is a definite gap in the marketplace for meaningful insurance against data breaches, and given the massive (potentially even fatal) costs of breaches, this is surprising. However, the gap exists for a good reason: actuaries need to be able to accurately calculate their risk, and this is very difficult to do in information security programs. Every shop has a unique combination of information systems and information security programs, which may or may not be effectively followed in practice. However, it doesn’t necessarily need to be this way. Most (not all) breaches can be effectively prevented with a robust information security program in line with industry standards, and the majority of this stuff can be boiled down to checklists that can be audited. This is already the case with PCI compliance and Sarbanes-Oxley. Although information security and IT professionals often resist cookie-cutter approaches, these actually work (nothing has done more to stop viruses and malware than Microsoft changing the Windows Update default to automatic updates) and what’s more, they’re much more easily enforced with the move to cloud architectures. There has never been a better time, and there has also never been a more urgent time, to create and enforce effective information security standards.

Insurance is perhaps the most boring business on earth, but the industry wields a huge amount of influence when it comes to making our world safer. Manufactured goods that use electricity are now much safer because Underwriters’ Laboratories has a strict set of insurance requirements before they can be certified. Fewer fires happen than in the past, they’re put out more quickly, and more people are safely evacuated because the insurance industry has driven dramatic improvements in fire safety. And cars are much safer today than in the past, largely because the auto insurance industry has driven safety initiatives. However, there is no Underwriters’ Laboratories for software. There is no Fire Marshal of information security. Instead, there is a person called the CISO whose job is largely to be blamed and fired for failing to force people to do what she has no real power to require. As an industry, we can — and must — do better. We need a Trojan horse to introduce better practices that stick, and the availability of data insurance might just be the Trojan horse that allows information security practices to evolve.

About the author: I’m the founder of Cuddli and previously worked in a variety of senior global IT roles at Microsoft. I’m interested in technology that keeps people and their data safe without slowing business down. Feel free to reach out if I can help you.
