2020 | OriginalPaper | Chapter

13. An Incentives-Based Mechanism for Corporate Cyber Governance Enforcement and Regulation

Authors : Shaen Corbet, Constantin Gurdgiev

Published in: Ecological, Societal, and Technological Risks and the Financial Sector

Publisher: Springer International Publishing

Abstract

A growing literature in finance examines the impact of cybercrime on equity markets and publicly traded corporations, with an emerging strand of this literature investigating the contagion channel from cybersecurity breaches against the publicly traded companies, to broader market volatility. The dominant responses by the corporations to these threats can be described as ‘test internally for internal vulnerabilities’, and the ‘insure and forget’ approach, both of which imply a lack of significant preventative actions by companies under the risk of an external cybersecurity attack. The evidence of growing adverse impact and risk of hacking events on firms’ market valuations is highlighted by (i) the rising cumulative abnormal returns impact of such events, (ii) the rising systemic contagion effects of hacks, and (iii) the lack of robust regulatory mechanisms for systematic prevention, mitigation, and enforcement of data security breaches. This supports our proposal that when acting under regulatory authority’s supervision from within a ring-fenced incentives system, ‘white knight’ hackers may provide the appropriate mechanism for discovery and deterrence of weak corporate cybersecurity practices and systems. This mechanism can help alleviate the systemic weaknesses in the existent mechanisms for cybersecurity oversight and enforcement in financial markets.

Footnotes
1
Evidence for the potential efficacy of such a mechanism may be found in the attempted start-up of a hedge fund, ‘TRO LLC’. This hedge fund idea was developed by Mr. Andrew Auernheimer (a hacker also known as ‘WEEV’). The main issue with this hedge fund idea is that at its core is the promotion of hacking or identity theft for financial gain. As a result, Mr. Auernheimer has proposed that the fund will not directly hack companies but will ‘probe the public surface of a company’ and ‘actually watch hackers’ (CNBC interview, 28 April 2014).
 
2
This view is broadly consistent with the existent literature and practices on the use of whistle-blowers (internal and external to the company) in detecting other potential breaches and violations, as discussed in Dahlgren (2015) and referenced by the RICO system, discussed below.
 
3
Data on the frequency of cybercrime against publicly traded companies, covering the period from 2005 through early 2015, shows that one specific form of cybercrime becoming ever more prevalent is a breach of the company’s perimeter defences (its firewall) to steal client data, which can then be used for a host of illegal activities.
 
4
While U.S. Security Agencies are reported to have engaged white knights and current hacktivists, these engagements are structured on selecting known hacktivists and using them as agents working for the agency. This is distinct from the mechanism we propose in a fundamental way. Our proposal involves voluntary self-selection of hacktivists to participate in a reward-for-breach testing ‘tournament’, as opposed to cooption of a selected hacktivist for cooperation with an agency. As a result, our mechanism is designed to address the core issue of economic agency problems that arise from direct or indirect employment of hacktivists by the contracting entity.
 
5
Notably, in a range of sectors, although not yet widely in finance, the use of ‘white hat’ or ‘white knight’ hackers is growing in both frequency and scope. Some industry-level examples are discussed in Kelly (2013). The lack of similar approaches in financial regulation was recently discussed in McKendry and Macheel (2015). Our proposal builds on this momentum and extends the system of cooperative engagement between regulators, companies, and white knight hacktivists to a mechanism that would create functional incentives for hacktivists’ participation in the regulatory prevention of cybersecurity risks. Such a mechanism is currently lacking in the industry.
 
6
Those hackers or hacktivists possessing the best technological talent are more likely to be swayed by the financial returns of private practice. In simple terms, there is an argument in favour of a learning-by-doing second-order effect of such a system of enforcement, based on repeated interactions with leading experts in cybersecurity who represent the front end of the knowledge curve, as opposed to former ‘dark hat’ hackers who may or may not be leaders in their field at the moment of their engagement by firms and regulators as ‘red teams’ or white knights.
 
7
Corbet and Gurdgiev (2019) document the evidence on the negative abnormal returns experienced by companies following cybersecurity breaches. This evidence is summarized below and in Fig. 13.1. Some examples of reputational damage sustained by companies following attacks are discussed and summarized in Alva Group (2016), Tiedemann-Nkabinde and Davydoff (2019), and Spam Titan (2019), amongst others.
 
8
These tests will have to involve not only the best human hacktivist talent, but also preventative AI. Reactive responses to cybersecurity breaches in the age of AI will be too little, too late to mitigate the extensive damage that can be inflicted by automated information systems operating at machine speed, as opposed to human-led attacks by modern-day hacktivists.
 
9
Another example of the lagging nature of legal and enforcement frameworks relating to cybercrime is presented by the relatively frequent hacking events involving cryptocurrency exchanges. According to Chen and Yuji Nakamura (2016), the lack of legal frameworks operating in relation to cybersecurity is illustrated by the August 2016 attack on the Hong Kong-based bitcoin exchange Bitfinex.
 
10
The CAR (cumulative abnormal returns) methodology used here for assessing the financial-market penalty for a cybersecurity breach is consistent with that used in The Council of Economic Advisers (2018).
 
11
Data on other cyber-risk events, including accidental disclosure of data and theft of data and devices, are available in Corbet and Gurdgiev (2019).
 
12
The extent of market development for transactions in illicit data is exemplified by the fact that today, data obtained from cybercrime activities represent a de facto self-sustaining industry supported by back-office and supply-chain services, as described, for example, in Levchenko et al. (2011) for the case of spam activities.
 
13
A substantive discussion of the legal and enforcement challenges relating to the development and implementation of cybercrime-combatting legal frameworks and operational enforcement systems is presented in Kramer et al. (2009) and Wilson (2014).
 
14
This mixed approach is consistent with the selection mechanisms currently used by tax authorities in identifying target companies and individuals for the conduct of audits.
 
16
See http://www.kmblegal.com/practice-areas/whistleblower-law/dodd-frank-act-whistleblower-incentives for some details on the Dodd-Frank Act and its associated whistleblower rewards system.
 
17
Dahlgren’s (2015) argument can be seen as supportive of the idea that regulatory and supervisory fines should apply more broadly to cases of cybersecurity breaches. She states: ‘I fear that until we can assign financial consequences to cyber risks, and ensure staff are taking that into account when making decisions, we will not get the commitment needed from every level of the organization to adequately address the problem. As long as decisions are made and actions are taken without this type of assessment, we are going to see more and more of these weaknesses exposed.’
 
Literature
Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eaton, M. J. G., Levi, M., Moore, T., & Savage, S. (2013). Measuring the cost of cybercrime. The Economics of Information Security and Privacy, 1(4), 265–300.
Boes, S., & Leukfeldt, E. R. (2016). Fighting cybercrime: A joint effort. In R. M. Clark & S. Hakim (Eds.), Cyber-physical security: Protecting critical infrastructure at the state and local level. Springer.
Brown, C. (2015). White or black hat? An economic analysis of computer hacking (working paper). Retrieved from the Economics Department of Georgetown University.
Corbet, S., & Gurdgiev, C. (2017b). Financial disrupters: Is the rise of financial disruptors knocking traditional banks off their track? Journal of Terrorism and Cyber Insurance, 1(2), 58–62.
Corbet, S., & Gurdgiev, C. (2019). What the hack: Systematic risk contagion from cyber event. International Review of Financial Analysis, 65, 101386.
Holt, T. J., & Lampke, E. (2010). Exploring stolen data markets online: Products and market forces. Criminal Justice Studies: A Critical Journal of Crime, Law and Society, 23(1), 33–50.
Ionescu, L., Mirea, V., & Blăjan, A. (2011). Fraud, corruption and cybercrime in a global digital network. Economics, Management and Financial Markets, 6(2), 373–380.
Keplinger, K. (2018). Is quantum computing becoming relevant to cyber-security? Network Security, 2018(9), 16–19.
Kraemer-Mbula, E., Tang, P., & Rush, H. (2013). The cybercrime ecosystem: Online innovation in the shadows? Technological Forecasting and Social Change, 80(3), 541–555.
Kremer, J. (2014). Policing cybercrime or militarizing cybersecurity? Security mind-sets and the regulation of threats from cyberspace. Information and Communications Technology Law, 23(3), 220–237.
MacKenzie, D. (2018). Material signals: A historical sociology of high-frequency trading. American Journal of Sociology, 123(6), 1635–1683.
Packin, N. G., & Aretz, Y. L. (2016). Big data and social netbanks: Are you ready to replace your bank? Houston Law Review, 53(5), May 11, 2016.
Rollins, J., & Wilson, C. (2007). Terrorist capabilities for cyberattack: Overview and policy issues (Congressional Research Service (CRS) Report for Congress, Order Code RL33123), The Library of Congress, updated January 22, 2007, pp. 43–63.
Summers, S. (2015). EU criminal law and the regulation of information and communication technology. Bergen Journal of Criminal Law and Criminal Justice, 3(1), 48–60.
Metadata
Title: An Incentives-Based Mechanism for Corporate Cyber Governance Enforcement and Regulation
Authors: Shaen Corbet, Constantin Gurdgiev
Copyright Year: 2020
Publisher: Springer International Publishing
DOI: https://doi.org/10.1007/978-3-030-38858-4_13