Risk Watch Spring 2015 The Conference Board of Canada 13
Cyber Risks: Imagining the Possible and Plausible
By Christine Maligec and Gregory Eskins

It is widely recognized that the effective use of technology, regardless of one’s industry sector, is required in order to keep pace and provide a competitive advantage in a globalized economy. In fact, in many cases, it can prove to be a game-changer for an organization’s strategic direction. To achieve their goals, organizations have to work smarter and be more collaborative—both internally and with their external stakeholders.

This article is part of a series that focuses on various aspects of cyber risk. In this first article, we explore the need for a well-established cyber risk framework that is integrated into the organization’s enterprise-wide risk management (ERM) process; look at some key questions organizations should be asking to help frame these ever-evolving risks; provide some statistics on the financial impacts of cyber risk; and provide a few “what-if” scenarios and their possible impacts and potential mitigation strategies.

The spirit and intent of ERM is to instill a culture of cross-functional collaboration with the outcome of achieving the organization’s objectives. This includes working strategically and holistically on cyber risks. For instance, organizations should consider what could happen when the corporate security group is not kept in the loop and there is a missed opportunity to avert a known threat. As well, organizations should recognize the outcomes if the information systems and information technology groups didn’t discuss hardware needs for new software purchases. And, specifically, the organization must consider what would happen to its balance sheet if finance and insurance were not involved in the discussion to protect shareholder value.

A CYBER RISK FRAMEWORK

A cyber risk framework is a well-communicated tool that is supported by cross-functional teams that develop strategic insight and responses to managing these dynamic risks. An established cyber risk framework ensures that your company engages and includes the right subject matter experts in the process at the right time, and that everyone is speaking the same language. (See Exhibit 1 for an example of a cyber risk framework.) Elementally, this framework embraces a response where crisis management, investigation, and contractual or financial risk transfer are critical. For instance, according to a McAfee report in 2014, Italy sustained an $875-million economic impact of cyber crimes (actual losses), but the recovery and opportunity costs reached $8.5 billion.1

QUESTIONS FOR FRAMING CYBER RISK

The following are a few fundamental questions about cyber risks that organizations need to consider. Being able to affirmatively answer any one of these questions will help frame what your organization currently has in place and what work is left to undertake:

• Does your company have a written cyber security risk management strategy and governance framework? How is it measured?
• What does cyber risk mean to your organization? What is the true nature of the risk (e.g., privacy, reliance on technology/business continuity)?
• Is there a culture of awareness among your employees?
• Which corporate cyber policies does your organization have in place, and are they enforced? Examples include “bring your own device” (BYOD); employee e-mail agreements; Internet use; and security violation procedures.

1 McAfee, Intel Security, Net Losses, 18.
• What are your regulator’s expectations for cyber risk standards or controls (e.g., SOX,2 Health Information Act (HIA), Personal Information Protection Act (PIPA))?
• Which cyber security controls are currently in place, and how often are they tested?
• If a material breach or other cyber event were to occur, is there a written/defined crisis management protocol? Has it been tested?
• Has your company identified possible and plausible events where your cyber infrastructure could be at risk?

2 The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures.

THE VALUE OF STRUCTURED “WHAT-IF” (SWIFT) DISCUSSIONS AND SCENARIO ANALYSIS

The ISO 31010:2009 risk assessment techniques guide3 describes the SWIFT assessment as “a system for prompting a team to identify risk. Normally used with a facilitated workshop. Normally linked to a risk analysis and evaluation technique.”4 That might be a lot of jargon, but it is a conversation starter on the possible and plausible risks. It is more aligned with the risk identification phase of the ISO 31000 ERM Process Model. Additional tools—such as business impact or cash flow analysis and stress tests—would be required to further evaluate the cyber risk and add probability and quantum, both pre- and post-mitigation, to understand the organization’s risk appetite.

Scenario analysis, however, has a greater time horizon and proves more useful where historical data on probability might not be available. Scenario analysis aids in developing a “series of scenarios … each one focusing on a plausible change in parameters.”5 The advantage is not so much in the risk assessment itself, but in being able to review your risk assessments when monitoring changes to your organization’s environment. For these reasons, we will explore three possible scenarios, as shown below. Still, organizations should imagine the possible and plausible when it comes to their own cyber risks relative to their business.

3 International Organization for Standardization (ISO), 31010:2009 Principles and Guidelines.
4 International Organization for Standardization, ISO 31000: Risk Management, 23.
5 Ibid, 41.

Exhibit 1
Cyber Risk Framework
Source: Marsh Risk Consulting. (Reproduction is not permitted without the express written consent of Marsh.)

1. Cyber Security Assessment
   • STEP 1: Penetration testing and threat intelligence
   • STEP 2: Assessment of security framework/prevention and emergency response
2. Cyber Risk Quantification
   • STEP 1: Risk tolerance estimation
   • STEP 2: Risk scenario identification and quantification
   • STEP 3: Cyber risk modelling
   • STEP 4: Claim preparation (in case of loss)
3. Risk Transfer Analysis
   • STEP 1: Contractual risk transfer with third-party practices optimization
   • STEP 2: Insurance gap analysis and optimization
   • STEP 3: Estimation of cyber insurance cost
4. Actions Prioritization and Planning
   • STEP 1: Prioritization of recommendations
   • STEP 2: Total cost of risk optimization
SCENARIO 1: INTERRUPTION BY RANSOMWARE

The mid-level manager of an architecture and engineering firm received an e-mail with an attachment. The e-mail appeared to be from a client’s dot com address, but the manager did not recognize the sender. Thinking nothing of it, he opened the e-mail attachment, which then took over his computer and eventually the company’s network. The manager and his colleagues sat helplessly in front of their computers as an image appeared and informed them that the company was the victim of ransomware. They also were told that they had 48 hours to pay $250,000 or their systems and all data would be destroyed. After paying the ransom, the IT department analyzed the system to find that not only had a number of files been damaged, but blueprints for a client’s proprietary process had been copied and had ended up on the Internet.

Possible and Plausible Impacts/Losses
• Damage to server and critical files
• Payment of ransom funds
• Intellectual property loss

MITIGATION STRATEGIES

Damage to Server/Critical Files

A well-designed financial risk transfer program for cyber-related occurrences can assist in a number of ways. “Damage” usually conjures up an image of something being physically broken. However, in the context of cyber risk, damage is typically done to intangible data—a peril most have never experienced. Most people have little to no frame of reference and lack the experience to manage an active response or investigation. Despite the competence of a firm’s internal IT department, the cost of hiring an independent forensics team to investigate and preserve evidence (indeed, a crime has been committed) is extremely worthwhile from a couple of perspectives. First, engaging a forensic team will provide an objective picture of what has transpired, and, given the team’s specialization, they may be more effective with respect to confirming the threat, containing the loss, and recovering. Second, other parties—e.g., regulators—generally prefer to see an independent analysis (also beneficial in the event the organization is later sued by its clients).

Ransom Funds

The actual ransom payment may or may not be deemed a material amount. That said, the financial loss can certainly be insured. Beyond the actual payment, management—and, by extension, the organization—may be incapable of conducting business while its digital assets are encrypted. What is the impact on the revenue stream? Perhaps revenue is only deferred? Nonetheless, companies incur additional expenses to continue operations during this time. More likely, there will be a combination of revenue loss and extra expense during the period of restoration. Both the actual loss of revenue and the extra expense incurred to continue operations are insurable.

Intellectual Property Loss

In general, the most critical asset of any organization is its intellectual property (IP). To the extent that IP is entrusted to a third party, and there is a breach of privacy of such third party’s IP (i.e., corporate confidential information), a cyber policy can respond by defending in the event of a lawsuit, and potentially pay certain damages. Having said the above, if it were an organization’s own IP that was breached (think cyber espionage), the loss of value is essentially uninsurable at this point in time.
SCENARIO 2: WEAK LINK IN THE TECHNOLOGY CHAIN

A mid-sized financial services company moved the majority of its back office operations to a cloud-based solution. The prevailing strategic reasons were cost savings on modernizing servers and software; virtual access—any time, any place; the most up-to-date software; flexibility with IT use and bandwidth; and carbon footprint reduction. The intended outcome of this implementation was a competitive advantage that could be passed on as savings to the customer, and an increase in shareholder value. The cloud provider experienced a disruption, which took access to the financial company’s software and to client files off-line for almost a week. This was not a good week for one client that lost several deals and could not meet disclosure requirements with regulators. As a result, several clients did not renew their contract or cancelled service.

Possible and Plausible Impacts/Losses
• First-party loss of business and share value
• Third-party financial loss
• Shareholder litigation

MITIGATION STRATEGIES

First-Party Loss

Many organizations think the biggest expense resulting from a cyber threat is to compensate individuals whose privacy was breached. As such, many think a financial risk transfer program would not add any value to their mitigation planning. For a growing number of organizations, however, business continuity takes precedence on a scale of likelihood and impact. Although large-scale breaches get media attention—and can certainly have a large financial impact on the organization—the business interruption exposure and costs are often overlooked.

Third-Party Financial Loss

While traditional financial risk transfer programs may provide business interruption coverage (e.g., loss of profits/income and/or extra expense), they generally will not respond to a cyber event (i.e., an event that does not cause physical damage). Enter cyber risk insurance. It can be tailored to protect against the financial loss, such as revenue (more specifically, gross profits) during an interruption of business operations; the additional expenses incurred during the interruption; and even normal operating costs.

The hidden wrinkle in this scenario is that the disruption did not originate within the financial services company and, thus, its exposure is contingent on another firm (its cloud technology vendor). Given the proliferation of cloud-based vendors—for a variety of business functions—the potential for a material interruption is magnified.

Shareholder Litigation

Contingent business interruption coverage is also something that can be addressed via a robust cyber policy. What cannot be insured via a cyber policy is the loss of shareholder value.
SCENARIO 3: AN “APP” FOR THAT

A major retail chain created and launched an “app”—which scanned smart devices for GPS and browser search information—to create customized advertisements. After a very successful marketing campaign, hundreds of thousands of shoppers downloaded the app, with many linking their profile to other social media and payment accounts. A vulnerability in the code made the app a target for a foreign, organized crime syndicate known for stealing and selling credit card information on the black market to finance terrorism.

Possible and Plausible Impacts/Losses
• Crisis management and communication assistance

MITIGATION STRATEGIES

Crisis Management and Communication Assistance

Unlike many other insurance products, which are purely a form of risk financing or transfer, cyber policies can provide additional resources in the form of pre- and post-claims services. Pre-claim services may include consultation with a security vendor; vulnerability assessments; crisis management simulation; other risk management tools and templates; and/or tabletop exercises aimed at prevention and mitigation. Post-claim services typically include access to a panel of vendors in the areas of forensics, legal and public relations, notification, and remediation (identity theft services).

Many organizations have similar internal functions, but perhaps not the level of specialization of external firms. Furthermore, pulling internal individuals away from their core responsibilities will surely negatively impact the business and productivity.

Essentially, the costs incurred to conduct a forensic investigation, respond to a regulatory investigation, hire counsel and a public relations firm, and notify and communicate with the affected (and potentially affected) individuals are insurable.

Scenario Conclusion

In summary, cyber risk requires a clear strategy in order to manage and monitor it effectively. This will lead to an acceptable level of organizational resiliency should any of these scenarios play out.

ADDITIONAL INFORMATION

Exhibit 2 provides definitions for various loss categories.
Christine Maligec, CRM-E, CRIS
Risk Management Advisor
Covenant Health

Christine joined Covenant Health—Canada’s largest Catholic health care organization with over 14,000 physicians, employees, and volunteers serving Alberta—as its Risk Management Advisor in 2013. Her role is focused on designing and implementing an ERM framework, along with supporting education. Prior to this role, Christine served in risk management positions within the entertainment, post-secondary, energy, and construction industries. She also sits on the Northern Alberta Risk & Insurance Management Society Board.

Gregory L. Eskins, MBA candidate, CRM, CAIB
Senior Vice President, Cyber Practice Leader
Marsh Canada

As national practice leader, Greg is charged with advising clients on emerging cyber risk issues, developing client-specific product solutions, managing and growing market relationships, and assisting Marsh offices/colleagues across all industry segments. Since joining Marsh in 2006, Greg has been part of the Financial Institutions & Professional Services Industry Practice and also leads Marsh’s Cyber Risk Practice. Greg speaks regularly on cyber issues, and is on the advisory committee of the International Cyber Risk Management Conference.
Exhibit 2
Loss Category Definitions

A. Intellectual property (IP): Loss of value of an IP asset, expressed in terms of loss of revenue as a reduced market share, as well as lost investment (R&D).
B. Business interruption: Loss of profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures.
C. Data and software loss: The cost to reconstitute data or software that have been deleted or corrupted.
D. Cyber extortion: The cost of expert handling of an extortion incident, combined with the ransom payment.
E. Cyber crime/cyber fraud: The direct financial loss suffered by an organization arising from the use of computers to commit fraud or theft of money, securities, or other property.
F. Breach of privacy event: The cost to investigate and respond to a privacy breach event, including IT forensics and notifying affected individuals, as well as third-party liability claims arising from the same incident, and fines from regulators and industry associations.
G. Network failure liabilities: Third-party liabilities from certain security events occurring within the organization’s IT network or passing through it (without the organization’s cooperation) in order to attack a third party.
H. Impact on reputation: Loss of revenues arising from an increase in customer churn or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event.
I. Physical asset damage: First-party loss due to the destruction of physical property resulting from cyber attacks.
J. Death and bodily injury: Third-party liability for death and bodily injuries resulting from cyber attacks.
K. Incident investigation and response costs: Direct costs incurred to investigate and “close” the incident and minimize post-incident losses. This applies to all other categories/events.

Source: Marsh Cyber Risk Practice (Marsh Canada Limited). (Reproduction is not permitted without the express written consent of Marsh.)
BIBLIOGRAPHY

International Organization for Standardization (ISO). Risk Management—Risk Assessment Techniques. Mississauga: Canadian Standards Association, December 2010.
––. Principles and Guidelines. 2009. www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en.
McAfee, Intel Security. The Economic Impact of Cyber Crime and Cyber Espionage. July 2013. www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime.pdf.
––. Net Losses: Estimating the Global Cost of Cybercrime—Economic Impact of Cybercrime II. June 2014. www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime2.pdf.
U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE). National Exam Program Risk Alert: OCIE Cybersecurity Initiative. April 15, 2014. www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.

Compliance & data security – the way we work
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
 
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
GMFI Conference (3)
GMFI Conference (3)GMFI Conference (3)
GMFI Conference (3)
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 

Cyber Risks - Maligec and Eskins

Risk Watch Spring 2015 The Conference Board of Canada 13

It is widely recognized that the effective use of technology, regardless of one’s industry sector, is required in order to keep pace and provide a competitive advantage in a globalized economy. In fact, in many cases, it can prove to be a game-changer for an organization’s strategic direction. To achieve their goals, organizations have to work smarter and be more collaborative—both internally and with their external stakeholders.

This article is part of a series that focuses on various aspects of cyber risk. In this first article, we explore the need for a well-established cyber risk framework that is integrated into the organization’s enterprise-wide risk management process; look at some key questions organizations should be asking to help frame these ever-evolving risks; provide some statistics on the financial impacts of cyber risk; and provide a few “what-if” scenarios and their possible impacts and potential mitigation strategies.

The spirit and intent of ERM is to instill a culture of cross-functional collaboration with the outcome of achieving the organization’s objectives. This includes working strategically and holistically on cyber risks. For instance, organizations should consider what could happen when the corporate security group is not kept in the loop and there is a missed opportunity to avert a known threat. As well, organizations should recognize the outcomes if the information systems and information technology groups didn’t discuss hardware needs for new software purchases. And, specifically, the organization must consider what would happen to its balance sheet if finance and insurance were not involved in the discussion to protect shareholder value.

A CYBER RISK FRAMEWORK

A cyber risk framework is a well-communicated tool that is supported by cross-functional teams that develop strategic insight and responses to managing these dynamic risks.
An established cyber risk framework ensures that your company engages and includes the right subject matter experts in the process at the right time, and is speaking the same language. (See Exhibit 1 for an example of a Cyber Risk Framework.) Elementally, this framework embraces a response where crisis management, investigation, and contractual or financial risk transfer are critical. For instance, according to a McAfee report in 2014, Italy sustained an $875-million economic impact of cyber crimes (actual losses) but the recovery and opportunity costs reached $8.5 billion.1

QUESTIONS FOR FRAMING CYBER RISK

The following are a few fundamental questions about cyber risks that organizations need to consider. Being able to affirmatively answer any one of those questions will help frame what your organization currently has in place and what work is left to undertake:

• Does your company have a written cyber security risk management strategy and governance framework? How is it measured?
• What does cyber risk mean to your organization? What is the true nature of the risk (e.g., privacy, reliance on technology/business continuity)?
• Is there a culture of awareness among your employees?
• Which corporate cyber policies does your organization have in place and are they enforced? Examples include “bring your own device” (BYOD); employee e-mail agreements; Internet use; and security violation procedures.
• What are your regulator’s expectations for cyber risk standards or controls (e.g., SOX,2 Health Information Act (HIA), Personal Information Protection Act (PIPA))?
• Which cyber security controls are currently in place and how often are they tested?
• If a material breach or other cyber event were to occur, is there a written/defined crisis management protocol? Has it been tested?
• Has your company identified possible and plausible events where your cyber infrastructure could be at risk?

1 McAfee, Intel Security, Net Losses, 18.
2 The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.

By Christine Maligec and Gregory Eskins
Cyber Risks: Imagining the Possible and Plausible

THE VALUE OF STRUCTURED “WHAT-IF” (SWIFT) DISCUSSIONS AND SCENARIO ANALYSIS

The ISO 31010:2009 risk assessment techniques guide3 describes the SWIFT assessment as “a system for prompting a team to identify risk. Normally used with a facilitated workshop. Normally linked to a risk analysis and evaluation technique.”4 That might be a lot of jargon, but it is a conversation starter on the possible and plausible risks. It is more aligned with the risk identification phase of the ISO 31000 ERM Process Model. Additional tools—such as business impact, or cash flow analysis and stress tests—would be required to further evaluate the cyber risk and add probability and quantum, both pre- and post-mitigation, to understand the organization’s risk appetite. Scenario analysis, however, has a greater time horizon and proves more useful where historical data on probability might not be available.

3 International Organization for Standardization (ISO), 31010:2009 Principles and Guidelines.
4 International Organization for Standardization, ISO 31000: Risk Management, 23.
Scenario analysis aids in developing a “series of scenarios … each one focusing on a plausible change in parameters.”5 The advantage is not so much on risk assessment, but being able to review your risk assessments when monitoring changes to your organization’s environment. For these reasons, we will explore three possible scenarios, as shown below. Still, organizations should imagine the possible and plausible when it comes to their own cyber risks relative to their business.

5 Ibid, 41.

Exhibit 1: Cyber Risk Framework

1. Cyber Security Assessment
• STEP 1: Penetration testing and threat intelligence
• STEP 2: Assessment of security framework/prevention and emergency response

2. Cyber Risk Quantification
• STEP 1: Risk tolerance estimation
• STEP 2: Risk scenario identification and quantification
• STEP 3: Cyber risk modelling
• STEP 4: Claim preparation (in case of loss)

3. Risk Transfer Analysis
• STEP 1: Contractual risk transfer with third-party practices optimization
• STEP 2: Insurance gap analysis and optimization
• STEP 3: Estimation of cyber insurance cost

4. Actions Prioritization and Planning
• STEP 1: Prioritization of recommendations
• STEP 2: Total cost of risk optimization

Source: Marsh Risk Consulting. (Reproduction is not permitted without the express written consent of Marsh.)

SCENARIO 1: INTERRUPTION BY RANSOMWARE

The mid-level manager of an architecture and engineering firm received an e-mail with an attachment. The e-mail appeared to be from a client’s dot com address, but the manager did not recognize the sender. Thinking nothing of it, he opened the e-mail attachment, which then took over his computer and eventually the company’s network. The manager and his colleagues sat helplessly in front of their computers as an image appeared and informed them that the company was the victim of ransomware. They also were told that they had 48 hours to pay $250,000 or their systems and all data would be destroyed. After paying the ransom, the IT department analyzed the system to find that not only had a number of files been damaged, but blueprints for a client’s proprietary process were copied and had ended up on the Internet.

Possible and Plausible Impacts/Losses
• Damage to server and critical files
• Payment of ransom funds
• Intellectual property loss

MITIGATION STRATEGIES

Damage to Server/Critical Files

A well-designed financial risk transfer program for cyber-related occurrences can assist in a number of ways. “Damage” usually conjures up an image of something being physically broken. However, in the context of cyber risk, damage is typically made to the intangible data—a peril most have never experienced. Most people have little to no frame of reference and lack the experience to manage an active response or investigation. Despite the competence of a firm’s internal IT department, the cost of hiring an independent forensics team to investigate and preserve evidence (indeed, a crime has been committed) is extremely worthwhile from a couple of perspectives.
First, engaging a forensic team will provide an objective picture of what has transpired. And, given the team’s specialization, they may be more effective with respect to the confirmation of threat and loss containment, as well as recovery efforts. Second, other parties—e.g., regulators—generally prefer to see an independent analysis (also beneficial in the event the organization is later sued by its clients).

Ransom Funds

The actual ransom payment may or may not be deemed a material amount. That said, the financial loss can certainly be insured. Beyond the actual payment, management—and, by extension, the organization—may be incapable of conducting business while its digital assets are encrypted. What is the impact on the revenue stream? Perhaps revenue is only deferred? But, nonetheless, companies incur additional expenses to continue operations during this time. More likely, there will be a combination of revenue loss and extra expense involved during the period of restoration. Both the actual loss of revenue and the extra expense incurred to continue operations are insurable.

Intellectual Property Loss

In general, the most critical asset of any organization is its intellectual property (IP). To the extent that IP is entrusted to a third party, and there is a breach of privacy of such third party’s IP (i.e., corporate confidential information), a cyber policy can respond by defending in the event of a lawsuit, and potentially pay certain damages. Having said the above, if it were an organization’s own IP that was breached (think cyber espionage), the loss of value is essentially uninsurable at this point in time.

SCENARIO 2: WEAK LINK IN THE TECHNOLOGY CHAIN

A mid-sized financial services company moved the majority of its back office operations to a cloud-based solution. The prevailing strategic reasons were cost savings on modernizing servers and software; virtual access—any time, any place; the most up-to-date software; flexibility with IT use and bandwidth; and carbon footprint reduction. The intended outcome of this implementation was to translate into a competitive advantage that could be passed on as savings to the customer, and an increase in shareholder value. The cloud provider experienced a disruption, which took the access to the financial company’s software and to client files off-line for almost a week. This was not a good week for one client that lost several deals and could not meet disclosure requirements with regulators. As a result, several clients did not renew their contracts or cancelled service.

Possible and Plausible Impacts/Losses
• First-party loss of business and share value
• Third-party financial loss
• Shareholder litigation
MITIGATION STRATEGIES

First-Party Loss

Many organizations think the biggest expense resulting from a cyber threat is to compensate individuals whose privacy was breached. As such, many think a financial risk transfer program would not add any value to their mitigation planning. For a growing number of organizations, however, business continuity takes precedence on a scale of likelihood and impact. Although large-scale breaches get media attention—and can certainly have a large financial impact on the organization—the business interruption exposure and costs are often overlooked.

Third-Party Financial Loss

While traditional financial risk transfer programs may provide business interruption coverage (e.g., loss of profits/income and/or extra expense), they generally will not respond to a cyber event (i.e., an event that does not cause physical damage). Enter cyber risk insurance. It can be tailored to protect against the financial loss, such as revenue (more specifically, gross profits) during an interruption of business operations; the additional expenses incurred during the interruption; and even normal operating costs. The hidden wrinkle in this scenario is that the disruption did not originate within the financial services company and, thus, its exposure is contingent on another firm (its cloud technology vendor). Given the proliferation of cloud-based vendors—for a variety of business functions—the potential for a material interruption is magnified.

Shareholder Litigation

Contingent business interruption coverage is also something that can be addressed via a robust cyber policy. What cannot be insured via a cyber policy is the loss of shareholder value.

SCENARIO 3: AN “APP” FOR THAT

A major retail chain created and launched an “app”—which scanned smart devices for GPS and browser search information—to create customized advertisements. After a very successful marketing campaign, hundreds of thousands of shoppers downloaded the app, with many linking their profile to other social media and payment accounts. A vulnerability in the code made the app a target for a foreign, organized crime syndicate known for stealing and selling credit card information on the black market to finance terrorism.

Possible and Plausible Impacts/Losses
• Crisis management and communication assistance

MITIGATION STRATEGIES

Crisis Management and Communication Assistance

Unlike many other insurance products, which are purely a form of risk financing or transfer, cyber policies can provide additional resources in the form of pre- and post-claims services. Pre-claim services may include consultation with a security vendor; vulnerability assessments; crisis management simulation; other risk management tools and templates; and/or tabletop exercises aimed at prevention and mitigation. Post-claim services typically include access to a panel of vendors in the areas of forensics, legal and public relations, notification, and remediation (identity theft services). Many organizations have similar internal functions, but perhaps not the level of specialization of external firms. Furthermore, pulling internal individuals away from their core responsibilities will surely negatively impact the business and productivity. Essentially, the costs incurred to conduct a forensic investigation, respond to a regulatory investigation, hire counsel and a public relations firm, and notify and communicate with the affected (and potentially affected) individuals are insurable.

Scenario Conclusion

In summary, cyber risk requires a clear strategy in order to manage and monitor it effectively. This will lead to an acceptable level of organizational resiliency should any of these scenarios play out.

ADDITIONAL INFORMATION

Exhibit 2 provides definitions for various loss categories.
Exhibit 2: Loss Category Definitions

A. Intellectual property (IP): Loss of value of an IP asset, expressed in terms of loss of revenue as a reduced market share, as well as lost investment (R&D).
B. Business interruption: Loss of profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures.
C. Data and software loss: The cost to reconstitute data or software that have been deleted or corrupted.
D. Cyber extortion: The cost of expert handling of an extortion incident, combined with the ransom payment.
E. Cyber crime/cyber fraud: The direct financial loss suffered by an organization arising from the use of computers to commit fraud or theft of money, securities, or other property.
F. Breach of privacy event: The cost to investigate and respond to a privacy breach event, including IT forensics and notifying affected individuals, as well as third-party liability claims arising from the same incident, and fines from regulators and industry associations.
G. Network failure liabilities: Third-party liabilities from certain security events occurring within the organization’s IT network or passing through it (without the organization’s cooperation) in order to attack a third party.
H. Impact on reputation: Loss of revenues arising from an increase in customer churn or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event.
I. Physical asset damage: First-party loss due to the destruction of physical property resulting from cyber attacks.
J. Death and bodily injury: Third-party liability for death and bodily injuries resulting from cyber attacks.
K. Incident investigation and response costs: Direct costs incurred to investigate and “close” the incident and minimize post-incident losses. This applies to all other categories/events.

Source: Marsh Cyber Risk Practice (Marsh Canada Limited). (Reproduction is not permitted without the express written consent of Marsh.)

Christine joined Covenant Health—Canada’s largest Catholic health care organization with over 14,000 physicians, employees, and volunteers serving Alberta—as its Risk Management Advisor in 2013. Her role is focused on designing and implementing an ERM framework, along with supporting education. Prior to this role, Christine served in risk management positions within the entertainment, post-secondary, energy, and construction industries. She also sits on the Northern Alberta Risk & Insurance Management Society Board.

As national practice leader, Greg is charged with advising clients on emerging cyber risk issues, developing client-specific product solutions, managing and growing market relationships, and assisting Marsh offices/colleagues across all industry segments. Since joining Marsh in 2006, Greg has been part of the Financial Institutions & Professional Services Industry Practice and also leads Marsh’s Cyber Risk Practice. Greg speaks regularly on cyber issues, and is on the advisory committee of the International Cyber Risk Management Conference.

Christine Maligec, CRM-E, CRIS
Risk Management Advisor, Covenant Health

Gregory L. Eskins, MBA candidate, CRM, CAIB
Senior Vice President, Cyber Practice Leader, Marsh Canada
BIBLIOGRAPHY

International Organization for Standardization (ISO). Risk Management—Risk Assessment Techniques. Mississauga: Canadian Standards Association, December 2010.

––. Principles and Guidelines. 2009. www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en.

McAfee, Intel Security. The Economic Impact of Cyber Crime and Cyber Espionage. July 2013. www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime.pdf.

––. Net Losses: Estimating the Global Cost of Cybercrime—Economic Impact of Cybercrime II. June 2014. www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime2.pdf.

U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE). National Exam Program Risk Alert: OCIE Cybersecurity Initiative. April 15, 2014. www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.