How Much Cyber Risk Should You Take?

I have been spending a fair amount of time over the last few months, talking and listening to board members and advisers, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?

I welcome your thoughts, perspectives and comments.

12 Questions for Managing Cyber Risk

Recently, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40 to 50 board members very actively involved, because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list:

How do you identify and assess cyber-related risks?

Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of intellectual property, compliance risk and so on) and not just IT risk?

How do you evaluate the risk to know whether it is too high?

How do you decide what actions to take and how much resource to allocate?

How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?

How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?

Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?

How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?

Can you respond appropriately at speed?

What procedures are in place to notify you, and then the board, in the event of a breach?

Who has responsibility for cybersecurity, and do they have the access they need to senior management?

Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved and how useful it is – and to whom.

Stunning Patterns Found in the Dark Net

One of the most powerful technologies for spying on cyber criminals lurking in the Dark Net comes from a St. Louis-based startup, Norse Corp.

Founded in 2010 by its chief technology officer, Tommy Stiansen, Norse has assembled a global network, called IPViking, composed of sensors that appear on the Internet as vulnerable computing devices. These “honeypots” appear to be everything from routers and servers, to laptops and mobile devices, to Internet-connected web cams, office equipment and medical devices.

When an intruder tries to take control of a Norse honeypot, Norse grabs the attacker’s IP address and begins an intensive counterintelligence routine. The IP address is fed into web crawlers that scour Dark Net bulletin boards and chat rooms for snippets of discussions tied to that IP address.

Analysts correlate the findings, and then IPViking displays the results on a global map revealing the attacking organization’s name and Internet address, the target’s city and service being attacked and the most popular target countries and origin countries.

Stiansen grew up tinkering with computers on a Norwegian farm, which led him to a career designing air-traffic control and telecom-billing systems. After immigrating to the U.S. in 2004, Stiansen began thinking about a way to gain a real-time, bird’s-eye view of the inner recesses of the Dark Net. The result was IPViking, which now has millions of honeypots dispersed through 167 data centers in 47 countries.

Norse recently completed a major upgrade to IPViking, which has led to some stunning findings. Stiansen explains:

3C: Can you tell us about your most recent milestone?

Stiansen: We have managed to do a tenfold (increase) to where we can now apply millions of rules in our appliance.

3C: So more rules allow you to do what?

Stiansen: It allows us to have a lot more threat data and apply a lot more intelligence to a customer’s traffic. We can start applying more dynamic data. Our end goal is to apply full counterintelligence onto traffic. Meaning when we see a traffic flow coming through our appliance we will be able to see the street address, the domain, the email address used to register this domain. We can see who a packet is going to, and the relationship between the sender and receiver, all kinds of counterintelligence behind actual traffic, not just for blocking but for visualization.

3C: That level of detail was not available earlier?

Stiansen: Nope. This is something we’ve pioneered. This is our platform that we built so we can enable this (detailed view) to actually happen.

3C: So what have you discovered?

Stiansen: We’re learning that traffic and attacks coming out of China isn’t really China. It’s actually other nations using China’s infrastructure to do the attacks. It’s not just one country, it’s the top 10 cyber countries out there using other countries’ infrastructure.

3C: So is China getting a bad rap?

Stiansen: Correct.

3C: Who’s responsible? Russia? The U.S.? North Korea?

Stiansen: Everyone.

3C: What else are you seeing?

Stiansen: We’re also seeing how hackers from certain communities are joining together more and more. The hacking world is becoming smaller and smaller. Iranian hackers are working with Turkish hackers. Pakistani and Indian hackers, they’re working together. Indonesia hackers and Iranian hackers are working together.

3C: Odd combinations.

Stiansen: It’s weird to see these mixes because there’s no affiliation, there’s no friendship between the countries on a state level. But the hacker groups are combining together. The borders between hackers have been lifted.

3C: What’s driving them to partner, is it money or ideology?

Stiansen: All of the above. That’s the thing, the people who have similar ideologies find each other on social media and start communicating with each other. And the people with the financial means and shared goals meet each other, that’s the evolution. And when they do that, they become really powerful.

‘Interactive Finance’: Meshing with Google

The insurance industry is poised to enhance its power, burnish its prestige and increase its income in the 21st century by developing interactive finance to mesh with Internet enterprises. By interactive finance, I mean rewarding institutions and individuals with financial or strategic advantage for revealing information that details risk.

Insurance industry success requires recognizing information as this century’s distinct commodity, analogous to steam in the 19th and oil in the 20th. Information also needs to be seen as an indispensable element in fresh, emerging digital currencies.

Information technologies are adequately mature, and mobile and broadband communications networks sufficiently widespread, that digital currencies like Bitcoin are beginning to emerge. Cognitive computing, big data, parallelization, search, capture, curation, storage, sharing, transfer, analysis and visualization are commonplace; three-quarters of American households enjoy broadband access; and nine in 10 Americans carry mobile telephones. User-generated information now is everywhere.

Insurance industry leaders would be wise to cultivate interactive finance. It could be used to manage institutional investments with less risk and more liquidity. Interactive finance could also be used with retail consumers to create experiences, incentives and products to help manage what promises to be massive, new wealth.

A key part of interactive finance — navigating crowds and matching parties — is up and running. For instance, with Airbnb and accommodation or Uber and ride sharing, individuals reveal information voluntarily to enable counterparty matching. Both are emerging as phenomenally successful simply by using information in new ways to create efficient markets.

The glimmerings of these potential gold mines are now eliciting insightful commentaries about how insurers might aggregate and parse information gathered through “crowd-sourcing.” Sharing portions of the reward with institutions and individuals through protected communications channels — also known as interactive finance — will provide the broad avenues and fastest expressways to 21st century wealth among insurers.

In two insightful articles published here on ITL, Denise Garth discerns the key value of information. “Consider the explosion of new data that will be available and valuable in understanding the customers better so as to personalize their experience, provide insights, uncover new needs and identify new products and services that they may be unaware of,” she observes of the strategic alliance between Facebook and AXA. “For insurers, the coming years promise unparalleled opportunity to increase their value to their customers. Those that are best able to capitalize on the key technology influencers will reap the most in rewards,” Garth notes in an earlier article on Google.

Indeed, Facebook is poised to offer a money-transfer service in Europe. Pending regulatory approval in Ireland, Facebook would be permitted to employ user deposits in fiat currencies to become a payment services powerhouse with what seems tantalizingly close to a virtual currency. “Authorization from the central bank to become an ‘e-money’ institution would allow Facebook to issue units of stored monetary value that represent a claim against the company,” the Irish Times reported.

The company will use its acquisition of WhatsApp for access and traffic and will build on its 30% participation in revenue with Candy Crush Saga and Farmville games. Facebook will also take advantage of “‘passporting,’ which allows digital payments to be used across EU member states without having to gain regulatory approval from each one,” according to a news report.

Should Facebook succeed, AXA’s partnership with Facebook would put it well ahead of its competition in employing mobile markets to acquire and retain clients.

In an article on ITL on how Amazon could get into insurance, Sathyanarayanan Sethuraman enumerates “the convenience of on-demand buying. . . personalization of product and service delivery.” Crucially, he notes the importance of “building trust through transparency in pricing,” which provides impelling “reasons for insurers and Amazon to create a distribution model to match ever-evolving customer demands.”

Brian Cohen indicates in a thoughtful commentary on ITL that companies can collect customer feedback that is volunteered on social media and can also use new channels to provide new types of information. For instance, he says that, when inclement weather approaches, agents can caution readers to secure objects that may cause damage to their property, as a means toward generating webpage traffic and strengthening client relationships.

Joseph Sebbag cautions that technological mismatches can threaten insurance industry value. “Insurers’ numerous intricate reinsurance contracts and special pool arrangements, countless policies and arrays of transactions create a massive risk of having unintended exposure,” he notes in an intriguing essay evaluating information technology and reinsurance.

Focusing on a company with which I am very familiar, former Comptroller General David Walker says Marketcore has transformative IP in interactive finance that could provide pathways to phenomenal growth for the insurance industry and, in general, finance. The mechanism is incentives for “truth, transparency and transformation” that will make risk vehicles and markets perform more efficiently and reliably. (Walker is honorary chairman of Marketcore; I am an adviser.)

Marketcore generates liquidity by rewarding individuals and institutions for sharing information, such as the history of individual loans being bundled into residential mortgage-backed securities. The reward could be a financial advantage, say a discount on the next interval of a policy for individuals purchasing retail products. The reward could also be a strategic advantage, say foreknowledge of risk exposure for institutions dealing in structured risks like residential mortgage-backed securities or bonds, contracts, insurance policies, lines of credit, loans or securities.

Through interactive finance, Marketcore creates efficient markets for insurers and reinsurers. All do well as each does good. Risk determination permits insureds, brokers and carriers to update risks through “a transparency index. . . based. . . on the quality and quantity of the risk data records.” Component analysis of pooled securities facilitates drilling down in structured risk vehicles so insurers and reinsurers can address complex reinsurance contracts and special pool arrangements with foreknowledge of risk. Real time revaluation of contracts clarifies “the risk factors and valuation of [an] instrument” and, in so doing, “increases liquidity and tracks risks’ associated values even as derivative instruments are created.”

These interactive finance capabilities are at tipping points for insurers and reinsurers, as outlined so thoughtfully by Garth, Sethuraman and Cohen.

As those thought leaders say, large Internet enterprises like Google, Amazon and Facebook are striving for market reach and domination. Because of distributed wire line and wireless networks and the Internet, experts project that global trade will grow to $45 trillion from $6.5 trillion in less than 10 years. Global mobile transactions are projected to show more than 33% average annual growth, with 450 million users in a $720 billion market by 2017.

Only if Amazon, Facebook and Google offer new services can they exert market power in global electronic commerce analogous to late 19th century railroads, energy and steel industries. Each of them needs services like insurance no less than railroads required passengers and freight; than coal and oil required factories, homes, offices and motor vehicles; than steel required cities, railroads, trollies and cars. These Internet enterprises must have insurance, among other services associated with their brands, to remain dominant. All seek to create voluntary, de facto, walled gardens for their brands, and what better way to do so than to get users to rely on their brands to manage risks and pay bills?

None of these Internet search-and-connect giants can recoup its investments in mobile applications, drones and data centers unless it has voluminous, recurrent transactions and traffic engaging its mobile capabilities. For instance, Derek Thompson reports that the iPhone drives 60% of Apple revenue and that mobile advertising accounts for 60% of Facebook advertising revenue. John Greathouse spells out the implications for advertising in a thoughtful essay on conversion rates and mobile formats. A service like insurance brings in users and encourages stickiness. In this way, insurance is the correlative to apps, drones and data centers. All these Internet giants are less without it.

Similarly, consumers and institutions are keen to participate in the value that they create with their participation in information technology and communications networks. Citizens and consumers, while resenting unremitting spying, shrug off the constant sale of metrics about their data to advertisers as inescapable and would love to turn the tables on all these massive, intrusive public- and private-sector forces. People would willingly patronize a firm rewarding them for revealing risk information that they are comfortable sharing.

By rewarding institutions and individuals with financial or strategic advantage for voluntarily revealing risk-detailing information, interactive finance expressly rewards users for what they forgo voluntarily with daily Internet use.

At this stage, the Internet firms have first-mover advantage when it comes to gathering and using people’s information. When I recently watched streaming video of Masterpiece Theatre’s “Mr. Selfridge,” there was the anomalous propinquity of an advertisement for an Internet tire seller in the bottom right portion of my display – within a day or so of my searching Google for motor vehicle tires. Clearly, Google, Internet ad placers and, in my case, the tire vendor are selling and purchasing access to user experiences. The sole party excluded from the value chain is the person who creates value in the information.

Earlier loyalty programs prefigure some of the notions of interactive finance. In mid-20th century America, supermarkets, gasoline stations and retailers often rewarded customer loyalty with S&H Green Stamps. Airlines, grocery chains and hotels employ loyalty programs and provide reward cards to provide incentives for recurrent patronage. In keeping with the times, Bellycard supports customer retention with a scannable card and mobile application. Each time I buy Italian bread and scan the card at the local bakery, I earn points toward a pastry.

What of insurance brokers, who reward consumers with incentives on forthcoming purchases for revealing risk information that they are comfortable sharing? Or insurance carriers, which protect asset values and boost shareholder confidence through enhanced capacities for risk detection and real-time valuation of risk exposures?

From here on out, the emphasis needs to be on rewarding customers and institutions by enabling them to create wealth with the information they are willing to reveal and by commanding information as a commodity and as the cornerstone component of emerging digital currencies. Insurers that can tap Internet industry demands for users, provide rewards for information and equip themselves to manage their risks more effectively can position themselves to dominate their sector well into the second quarter of the 21st century.

“Insurance is above all a relationship,” remarks Elise Manzi, account manager with Biddle & Company Insurance Brokers, based in Newtown Square, Pennsylvania. “We’re devoted to continuing to provide our clients with the exceptional services they have come to expect of us through these new communications capabilities. Interactive finance sounds like a great relationship builder.”

Ernest Tedesco, head of Philadelphia-based Webesco, says, “For brokers, web services support client retention and communication. For large retail carriers like Progressive and Geico, web services enable them to reach consumers directly with service and product offerings. Anything kludgy on one of these sites will send customers scurrying to competitors.” He adds that if Google and other Internet giants get into the retail insurance space, current industry leaders need to be ready to respond aggressively with technology or will be disintermediated. “Back-office executives managing trillions in risk will find themselves at competitive disadvantage without real-time and near-real-time risk detection, which web services visualize.”

By meshing with Internet industry firms on interactive finance terms, the insurance industry will have all the strength of the Internet yet sustain more discretion to manage institutional and customer experiences on terms much more favorable than those that musicians and publishers experience with Apple.

As Erik Brynjolfsson and Andrew McAfee point out in The Second Machine Age, digitization both spawns vast new bounty and stimulates an increasingly drastic spread between the small fraction of winners and everyone else.

How better to build crowds and grow volumes than to provide incentives to customers by rewarding them for sharing information they are willing to reveal, and to serve institutional clients with foreknowledge of oncoming risks to sustain competitive advantage and protect liquidity?

It is as straightforward as that.

For my part, I am optimistic about Marketcore because its IP enables insurance industry adopters to organize, channel and reward rich, diverse crowds of capital accumulation through interactive finance. Large, incumbent Internet firms like Amazon, Facebook and Google may still prosper from first-mover advantages based, in part, on recognition that information is the distinct commodity of the 21st century. But each and all now must offer more to maximize return on investments in capital-intensive operations. And that’s where any insurers, deploying Marketcore IP as sword and shield, stand most to gain for themselves and the people and institutions whose trust they hold.

Should You Insure Your Intellectual Property?

While industrial companies always insure their physical plants, they rarely insure their intellectual property even though it is often the most valuable thing the company owns.

Core IP, which defines and individualizes the company, is most often the company’s inventions — patented machinery, devices and technology. But it could be something as seemingly simple as the copyrighted graphics and designs on a wildly popular designer handbag or a top-selling toy. Trademarks can be invaluable IP — for instance, Coca-Cola’s trademark is recognized worldwide.

Because IP is intangible, it can be easily stolen — though the proper term, “infringement,” sounds more polite, theft is often what it is. An engineer can walk out the door with knowledge about your patented technology and trade secrets. A counterfeiter can copy your designs and trademarks as fast as a computer or photocopier works. The Web, of course, is paradise for infringers.

On the other hand, your company can stand accused of infringing someone else’s intellectual property. Let’s say it’s a series of patents on complex machinery. You’re convinced the suit is groundless, but you still have to hire an expensive law firm and bring in expert witnesses. In the end, you win. Congratulations. You’re still out a few million dollars in legal fees.

Your general liability policy gives you very limited coverage for your liability for your alleged infringements against others. (It’s generally restricted to infringing copyrighted advertising materials.) And it gives you no coverage to sue infringers. If you want significant coverage, you have to get a special policy.

Given the amount of litigation — for example, 2,830 patent cases in 2006 — IP insurance is well worth considering.

Because there are two potential money pits — someone ripping off your IP and someone accusing you of ripping off theirs — there are two distinct types of IP insurance.

Defensive IP policies take effect when someone sues you for infringing their intellectual property. Even if your company is scrupulous, inadvertent infringement can happen. These policies are also sometimes called “IP infringement defense insurance” or “IP liability insurance.” They cover both your legal costs and the cost of the judgment if you lose. Judgments can run into the millions, and, besides paying out damages, you’ll be forced to stop making the infringing product.

A defensive policy kicks in when another party demands either money from your company or non-monetary relief, such as an injunction. Only a handful of insurers offer these policies. Depending on the carriers, you can buy coverage limits of anywhere from $5 million to $15 million. Minimum deductibles vary, and some insurers also insist on coinsurance, meaning you would pay larger out-of-pocket expenses.

Offensive IP policies are effective when someone else infringes your intellectual property. That is, the policy will provide money so your company can hire a law firm to sue the company that infringed your patent, trademark or copyright or stole your trade secrets. You will have to get permission from the insurer to hire a law firm and start litigation.

Why would you need an offensive policy? Unlike personal liability lawyers, who get paid by taking a percentage of the settlement if they win, IP law firms generally demand cash on the barrelhead for their services. If your company is a startup or a small organization without a lot of money in the bank, you might not be able to afford to hire a topnotch IP litigator to go after the bad guys. If you have a trademark or copyright case, the legal fees might be manageable, but going after a patent infringer takes millions. Your IP could be stolen by a bigger company, and there’d be little you could do about it. If the infringed patents are your competitive advantage, your company might even be forced out of business eventually. There’s only one known insurer that underwrites offensive IP insurance.

Do you need IP insurance and, if so, how much of what kind? There are no cut-and-dried answers. If your company manufactures generic goods like plywood, you may not need it, unless your manufacturing process is a trade secret. But if your company’s inventions, designs and trademarks are crucial to your company’s success, you may. Start by assessing how important your company’s IP is, and how vulnerable it is to being infringed by someone else or having someone claim that you’re the infringer. Once you have a clearer idea of the risks and potential consequences, you can start to investigate IP insurance systematically and determine if it’s worth it.

Ultimately, you may decide you don’t need IP insurance. But the time to investigate is now. Once you have been sued or your IP has been infringed, it will be too late.