IT Service Providers and Cybersecurity Risk

Armed Forces Comptroller | Fall 2019

There is growing evidence that information technology outsourcing (ITO) is a major contributor to cybersecurity risk exposure. Reports of cybersecurity incidents linked to IT providers arrive regularly. Most often ITO clients are the ones suffering the major consequences.

Examples from government and corporate sectors abound. In 2013, QinetiQ, a defense contractor that supplies software used by US Special Forces, was reported to have been subject to an ongoing cybersecurity breach that compromised much classified research. In 2011, RSA, a cybersecurity subcontractor of Lockheed Martin and the Department of Defense, was breached, and the stolen material subsequently contributed to a cyberattack on Lockheed Martin. Even worse is the incident with Edward Snowden, an employee of Booz Allen Hamilton, a US National Security Agency contractor, who has been charged with deliberately leaking massive amounts of classified information. More recently, in July 2019 there was Capital One's data breach, allegedly carried out by a former Amazon Web Services employee who accessed the data of over 100 million customers hosted on Amazon's cloud, and in May 2019 Salesforce had a multi-hour cloud outage after a database change mistakenly granted users access to all data. Similar examples involving government contractors abound. There are also broader studies suggesting that almost one third of cyber incidents in financial services and healthcare originate with ITO and other third-party service providers.1

While ITO continues to be popular because it improves enterprise agility and cost effectiveness, the associated cybersecurity risks have been growing and taking on an urgent priority. Two trends contribute to the growing concern. One is the rising reliance on cloud-computing service providers (CSPs). In cloud computing, clients' risk exposure grows as they move sensitive data to federated cloud environments that may be hosted with multiple providers and sub-providers belonging to different legal entities in various jurisdictions. Such a layered structure invariably poses greater risk. The other trend is reliance on managed security service providers, also called cybersecurity as a service. According to a 2019 Ernst & Young study, more companies are outsourcing than insourcing their cybersecurity needs. This is common among corporations as well as US government agencies seeking cost savings and access to staff with highly specialized skills. For example, in 2015, US Cyber Command outsourced $475 million worth of work covering nearly 20 cyber task areas.

Cybersecurity risk considerations remain paramount in all forms of ITO. ITO clients may implicitly or explicitly expect ITO and managed security service providers to assume some responsibility for cyber risk. In reality, organizations cannot outsource their cybersecurity liability. Reputation-wise, they are liable for the security of their data and systems, no matter what. More importantly, laws simply do not allow firms to outsource regulatory responsibility. This means that ITO clients must still actively monitor, document, and manage their cybersecurity risk exposure. Indeed, corporations often disclose in annual statements to shareholders cybersecurity concerns about ITO providers, sometimes conceding that these concerns compromise the reliability of their financial reports and lead to re-insourcing of IT services.

What options do ITO client organizations have? Answering this question requires understanding the key cybersecurity challenges in ITO. These challenges point to trust in ITO providers as a key success ingredient; however, multiple ways have been suggested for establishing such trust. Our review of different perspectives on trust shows that trust anchored in independent cybersecurity certification and market-based reputation mechanisms is emerging as a dominant model.

Cybersecurity Challenges in ITO

Although IT insourcing is also subject to cybersecurity risks, many of the risks are exacerbated in the ITO context because of the following challenges.

• Quantifying Cyber Risk Exposure. ITO clients lack data on ITO providers' vulnerability to cyber incidents, as well as on the frequency and damage magnitude of each type of incident. Because cyber risk also stems from ITO providers' partners along the supply chain, the nature of the risk is more diverse and evolves at a rapid pace. These factors limit any attempt to reliably quantify ITO clients' cybersecurity risk exposure.

• Liability Asymmetry. ITO providers seek to disclaim their liability to avoid paying damages that are disproportionate to the revenue received, and customers are concerned that ITO providers may not have the same incentives to protect client data and systems.

• Opaque Supply Chains. ITO involves increasingly complex, dynamic, and non-transparent supply chains. Cloud computing, for example, is an ecosystem with many more points of access and higher potential for cybersecurity failure. A transparency assessment of 25 top cloud computing providers, based on their published information, concludes that most offer very limited visibility into their operations and supply chains. Lack of visibility among IT service providers and supply chain partners constrains ITO customers' ability to control cybersecurity risk.

• Growing Regulatory Demands. Cybersecurity regulations imposing disclosure and compliance requirements on firms have been growing at a rapid pace in the United States, the United Kingdom (UK), the European Union, and elsewhere.2 Ensuring regulatory compliance becomes daunting for ITO providers. Data and services may be moving across supply chain partners operating in different regulatory environments. In particular, the rapid evolution of the regulatory environment makes it frustrating and nearly impossible for ITO and cloud computing providers to satisfy all laws applicable to global customers in different jurisdictions.

• Strategic Imperative. Many enterprises no longer view cybersecurity as an operational concern but rather as a strategic imperative. This holds equally for government bodies. They store far more data than private sector organizations, and they are major cybercrime targets whose compromise could imperil national security and citizens' trust. This reality makes cybersecurity and data privacy among the most challenging issues in ITO contract negotiations.

1 Benaroch M. and Chernobai A., "Linking Operational IT Failures to IT Control Weaknesses," Proceedings of AMCIS 2015, Puerto Rico, 2015. Vasishta N.V., Gupta M., Misra S.K., Mulgund P., and Sharman R., "Optimizing Cybersecurity Program - Evidence from Data Breaches in Healthcare," 13th Annual Symposium on Information Assurance (ASIA'18), June 2018, Albany, NY.

2 Gozman D. and Willcocks L., "The emerging Cloud Dilemma: Balancing innovation with cross-border privacy and outsourcing regulations," Journal of Business Research, forthcoming 2019.

Client-Provider Trust in Managing Cybersecurity Risk

Because most cybersecurity risks inherent in ITO are not likely to be mitigated contractually, many ITO clients are knowingly or unknowingly accepting cybersecurity risk. A frequently made argument is that managing cybersecurity risks in ITO involves client-provider trust. However, there are multiple perspectives on how to achieve such trust. Figure 1 labels these as the decision-theoretic, transparency-based, and market-based perspectives.

Figure 1: Three Perspectives on Client-Provider Trust in ITO

1. Decision-Theoretic Perspective

This view is about ITO clients developing trust in their own decision to outsource, including what to outsource and to whom. This trust is anchored in a decision-theoretic calculation of risk exposure based on data about (1) the firm's and the ITO provider's cybersecurity vulnerabilities, sources of threats, and assets subject to those threats, (2) the distributions of frequency and damage magnitude of cybersecurity events, and (3) contract terms and their pricing in the case of purchasing cybersecurity liability insurance.

However, again, limited availability of these data restricts the ability to quantify risk and manage it using decision-theoretic strategies, including the strategy of risk transfer using cyber liability insurance. Pricing such insurance policies is challenging even for insurers: information on risk is incomplete and the risk is fast-changing.3 Moreover, cyber insurance policies typically impose restrictive liability exclusions and conditions, leaving clients with coverage limits and considerable residual risk exposure. Even for the largest financial institutions, coverage limits are usually under $300 million. These challenges are exacerbated in the ITO context, in part because of the blurry delineation of where ITO providers' cybersecurity responsibility starts and ends.

2. Transparency-Based Perspective

If we cannot reliably calculate cybersecurity risk exposure, one alternative is to develop visibility into ITO providers' operations as a basis for trust. Transparency of the supply chain should allow ITO clients to verify that their trust in ITO providers is not misplaced. Some hold that supply chains involving multinational companies need to be inspected down to the second, third, and fourth tiers.

However, visibility into ITO providers' operations and supply chain partners remains a challenge.4 IT executives continue to cite supply chain visibility as a very high priority. Transparency-based trust could work only if every player in the supply chain has visibility into the IT security controls of its directly connected parties and is willing to audit those parties to validate the reliability of those controls. In reality, ITO providers can share little with clients because most are not fully aware of their supply chains beyond the first tier. Moreover, many ITO clients are simply not capable of executing security audits of their IT providers. Even if these requirements are met, there is the added cost of doing business with ITO providers. More importantly, ITO clients' liability for cybersecurity risk may grow as they learn more about their ITO providers' operations and supply chains.

3 Kopp E., Kaffenberger L., and Wilson C., "Cyber Risk, Market Failures, and Financial Stability," IMF Working Paper WP/17/185, International Monetary Fund, 2017.

4 Akinrolabu O. and New S., "Can Improved Transparency Reduce Supply Chain Risks in Cloud Computing?" Operations and Supply Chain Management, Vol. 10, No. 3, 2017, pp. 130-140.
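The decision-theoretic calculation described under the first perspective above can be made concrete. What follows is an added example, not code from the article or its author: it models incident frequency as a Poisson process and per-incident damage as a lognormal distribution, simulates the annual aggregate loss, and then applies a cyber liability policy with a retention (deductible) and a coverage limit of the kind the article says leaves clients with residual exposure. Every parameter (incidents per year, the damage distribution, the retention and the limit) is a hypothetical assumption chosen for illustration; in practice they would have to be estimated from exactly the incident data the article says ITO clients lack.

```python
import math
import random
import statistics

# --- Hypothetical inputs (assumptions for illustration, not figures from the article) ---
INCIDENTS_PER_YEAR = 2.0                 # Poisson mean of incidents per year
LOG_MEAN_DAMAGE = math.log(1_000_000)    # lognormal log-mean: median damage $1M per incident
LOG_SD_DAMAGE = 1.0                      # lognormal log-sd: heavy right tail
RETENTION = 500_000                      # client pays the first $500k of each year's loss
LIMIT = 10_000_000                       # insurer pays at most $10M per year above the retention


def expected_annual_loss(lam, mu, sigma):
    """Analytic expected annual loss for a compound Poisson-lognormal model:
    E[N] * E[X], where E[X] of a lognormal(mu, sigma) is exp(mu + sigma^2 / 2)."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Knuth's multiplicative Poisson sampler (the stdlib has no poisson draw)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def apply_coverage(loss, retention, limit):
    """Split one year's loss into (insured, retained) under a policy with a
    retention and a coverage limit. Loss above retention + limit stays with
    the client: that is the residual exposure the article warns about."""
    insured = min(max(loss - retention, 0.0), limit)
    return insured, loss - insured


def simulate(years, lam, mu, sigma, retention, limit, seed=1):
    """Monte Carlo of annual aggregate loss and of what the client keeps after
    insurance. Returns summary statistics as a dict."""
    rng = random.Random(seed)
    totals, retained = [], []
    for _ in range(years):
        n = poisson(rng, lam)
        loss = sum(rng.lognormvariate(mu, sigma) for _ in range(n))
        _, kept = apply_coverage(loss, retention, limit)
        totals.append(loss)
        retained.append(kept)
    ordered = sorted(totals)
    return {
        "mean_loss": statistics.fmean(totals),
        "p95_loss": ordered[int(0.95 * years)],
        "mean_retained": statistics.fmean(retained),
        # share of years in which the policy is exhausted and the excess falls on the client
        "p_limit_exhausted": sum(t > retention + limit for t in totals) / years,
    }


if __name__ == "__main__":
    analytic = expected_annual_loss(INCIDENTS_PER_YEAR, LOG_MEAN_DAMAGE, LOG_SD_DAMAGE)
    s = simulate(20_000, INCIDENTS_PER_YEAR, LOG_MEAN_DAMAGE, LOG_SD_DAMAGE, RETENTION, LIMIT)
    print(f"analytic expected annual loss : ${analytic:,.0f}")
    print(f"simulated mean annual loss    : ${s['mean_loss']:,.0f}")
    print(f"simulated 95th-percentile loss: ${s['p95_loss']:,.0f}")
    print(f"mean loss retained by client  : ${s['mean_retained']:,.0f}")
    print(f"P(limit exhausted in a year)  : {s['p_limit_exhausted']:.4f}")
```

The point of running it is the gap between "mean loss retained" and "mean annual loss": the policy transfers only the middle of the distribution, and the 95th percentile and the limit-exhaustion probability show how much of the tail the client keeps. Changing LOG_SD_DAMAGE by a few tenths moves those tail figures far more than the mean, which is why an ITO client with no data on its provider's incident severity cannot price this decision with any confidence.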

3. Market-Based Perspective

This view of trust requires market mechanisms for establishing the reputation of ITO providers. Reputation, or the fear of its loss, constrains opportunistic behavior and exemplifies how markets self-regulate. Sometimes service providers hire a trusted third party to evaluate and certify their quality. Examples are Dun & Bradstreet, which provides dependable credit information on businesses of all sizes, and Underwriters Laboratories, which provides a seal of approval on products. Evaluation standards are often established by regulators, especially when market-based reputation mechanisms and evaluation standards are slow to develop.

For market-based trust to work, the key is balanced and well-designed regulations. Whereas lack of transparency increases demand for regulations, serious information asymmetries between regulator and firms render regulations ineffective. For example, over 60 percent of public firms do not disclose their cyber incidents despite a mandate from the Securities and Exchange Commission to disclose incidents when they materially damage the business. Another factor that renders ex-ante regulation ineffective is failure to design effective evaluation standards.

Of the three perspectives on trust, the market-based perspective is emerging as the dominant alternative in ITO service delivery.

Financial Reporting Regulations and Certification

The accounting field has extensively studied regulatory evaluation standards and market-based reputational mechanisms. A prime example is the 2002 Sarbanes-Oxley (SOX) Act, which was enacted to boost investor trust in public firms' financial reporting after several high-profile corporate scandals (e.g., Enron). SOX mandates firms to audit and disclose deficiencies in internal controls over financial reporting, where audits are certified by trusted public accounting firms (e.g., Deloitte, KPMG, Ernst & Young). Given SOX regulatory requirements, sponsoring organizations such as the American Institute of Certified Public Accountants (AICPA) developed evaluation standards comprising lists of controls to audit for SOX compliance. Secondary market data observed after revelations of (reported) information about internal controls reflect how shareholders and security analysts react to the new information. They provide insights into a host of issues, including: the penalties shareholders inflict to hold firms accountable for internal control deficiencies (e.g., a drop in equity prices, a rise in the cost of capital, and higher audit fees), what types of internal controls matter most, and what role corporate board governance plays regarding internal control effectiveness.

Similar insights can, and are starting to, emerge in the cybersecurity context, particularly regarding ITO providers' security controls. Two recent studies examine IT security control deficiencies associated with data breaches in healthcare and cyber incidents in financial services firms. Two other studies document a favorable stock market reaction to ITO providers announcing investments in certification of their IT security controls.5

There is enough evidence that market-based trust works. Generally, it holds firms accountable to their shareholders - shareholders trust regulatory certifications, and firms work hard to avoid problems with their certified internal controls that would result in punitive market reactions. This should work for cybersecurity risk in ITO. Most ITO client firms are not capable or willing to evaluate the IT security controls of their ITO providers and supply chain partners, and no ITO provider wants to be audited repeatedly and by every client separately. What could fill the gap is market-based trust and independent certifications of ITO providers’ IT security controls.

Cybersecurity Regulations and Standards

As we implied earlier, regulations are operationalized and expanded into evaluation standards by various sponsoring entities. Sample standards for cybersecurity include SOC 1/2, ISO/IEC 27001, NIST SP 800-53, and country-specific standards such as the UK's G-Cloud and Singapore's MTCS. All such standards seek visibility into service providers' IT security and data privacy controls for ensuring the confidentiality, integrity, and availability of those providers' systems and services.

5 Benaroch M. and Chernobai A., "Linking Operational IT Failures to IT Control Weaknesses," Proceedings of AMCIS 2015, Puerto Rico, 2015. Vasishta N.V., Gupta M., Misra S.K., Mulgund P., and Sharman R., "Optimizing Cybersecurity Program - Evidence from Data Breaches in Healthcare," 13th Annual Symposium on Information Assurance (ASIA'18), June 2018, Albany, NY.

ITO providers seeking participation in specific industry environments, such as cloud computing, are increasingly expected to adhere to specific cybersecurity standards. If their IT platforms achieve certifications, the platforms are judged to have the capabilities to meet specific security requirements. Certification attests to a commitment to robust cybersecurity management.

SOC 1/2 (Service Organization Control, renamed System and Organization Controls by the AICPA in 2017) appears to be more widely adopted by ITO service providers, primarily because it grew out of the SOX audit regime.6 SOC reporting is sponsored by the AICPA, with public accounting firms acting as the examining bodies. Strictly, a SOC engagement yields an attestation report rather than a certificate, so a client should read the report (its scope, the controls tested, and any exceptions noted) rather than rely on the label. The SOC 1 report informs user entities' auditors and shareholders about the provider's controls relevant to clients' financial reporting. The SOC 2 report informs knowledgeable users (e.g., clients, partners, regulators) about controls for meeting the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). A Type I report covers the design of controls at a point in time; a Type II report also covers their operating effectiveness over a period, typically six to twelve months, and lists the exceptions the auditor found, which is the part an ITO client should examine most closely.

The Way Ahead

The promise of market-based trust has increasing empirical support. One study demonstrates that firms announcing completion of ISO/IEC 27001 certification witness an appreciation of their stock price.7 Just as such certifications lead to positive market reactions that create firm value, cybersecurity incidents indicating failures of certified controls lead to punitive market reactions that destroy firm value. It is this dual market-based mechanism that should hold ITO providers accountable for cybersecurity risk. Similar results are reported for Cyber Essentials Plus, a certification program that the UK government and National Cyber Security Centre require of firms bidding for government contracts involving the processing of sensitive and personal information.8

This indicates the power of large players to impose standards that markets recognize and respect. A third study documents a stronger negative market reaction when cyber incidents are linked to pervasive and difficult-to-remediate IT security control deficiencies.9 Markets, it appears, are also sensitive to how critical different IT security controls are.

There are also obstacles to market-based trust. Chief among them is that cybersecurity certification remains optional. Another is the myriad of cybersecurity regulations and standards around the world, which run the gamut from very strong to non-existent. SOC 1/2 is a popular standard, but it is overly focused on financial reporting. More comprehensive standards exist, but none has yet achieved dominance and broad market acceptance. Perhaps over time large government and industry bodies may use their economic power to impose standards that markets will adopt.

In conclusion, market-based trust can ensure ITO service provider accountability for cybersecurity risk if clients demand ITO providers to obtain suitable cybersecurity certification, and if surfaced deficiencies in certified IT security controls have punitive market implications for ITO providers.

Mr. Michel Benaroch. Michel Benaroch is Professor of Information Systems at the Lubin School of Accountancy in the Whitman School of Management, Syracuse University. He is also Associate Dean for Research and Ph.D. Programs at the Whitman School. Professor Benaroch has published extensively on a range of topics, including economics of IT, management of IT investment risk, cybersecurity impacts on organizations, and artificial intelligence applications in finance. He teaches courses on business analytics and managerial decision-making. He earned a Ph.D. in business administration from New York University, and an MBA and B.Sc. in mathematics and computer science from the Hebrew University in Jerusalem.

6 Weiss M. and Solomon M.G., Auditing IT Infrastructures for Compliance, Jones & Bartlett Learning, 2016.

7 See note 6.

8 Malliouris D.D. and Simpson A.C., "The stock market impact of information security investments: The case of security standards," Workshop on the Economics of Information Security, June 2019, Boston, MA.

9 Benaroch M., "Properties of IT Control Deficiencies at the Root of Cyber Incidents: Theoretical and Empirical Examination," Proceedings of the 12th ILAIS Conference, June 2018.


Copyright of Armed Forces Comptroller is the property of American Society of Military Comptrollers and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.