BRUSSELS, 20-21 October
www.ferma.eu
FORUM 2015
Venice, Italy 4-7 October
Presentation Format
Four Key Questions
1. How important is cyber risk and how should we view the cyber threat?
2. To what extent do European organisations have a clear and documented understanding of their cyber risk profile and how can this be improved?
3. Where are the gaps in knowledge and data that might impair an organisation’s ability to make informed risk transfer choices?
4. Are the insurance products available meeting client demand or is the insurance market developing a product that clients do not believe they need?
Importance of cyber risk?
Context – National Level UK
• “Attacks in cyberspace can have a potentially devastating real-world effect. Government, military, industrial, and economic targets, including critical services, could feasibly be disrupted by a capable adversary.” National Security Strategy, October 2010.
Importance of cyber risk?
Context – National Level USA
• “Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed.” Senate Armed Services Committee, February 2015.
Importance of cyber risk
Context – European Cyber Risk Survey 2015
Where does cyber risk feature in the corporate risk register?
• Top five risk: 17%
• Top ten risk: 28%
• Outside the top 10: 30%
• Not on the corporate risk register: 25%
The fact that over half (55%) of all organisations surveyed do not have cyber risk within the top 10 items on the risk register would suggest a divergence from the government view.
To what extent do European organisations have a clear and documented understanding of their cyber risk profile and how can this be improved?
Understanding of Cyber Risk
Context – European Cyber Risk Survey 2015
To what extent do you believe your organisation has a clear understanding of its exposure to cyber risk?
• No understanding: 4%
• Limited understanding: 26%
• Basic understanding: 49%
• Complete understanding: 21%
79% of organisations reported that they have, at best, a basic understanding of their cyber risk profiles.
Understanding of Cyber Risk
Context – European Cyber Risk Survey 2015
Have you identified one or more cyber scenarios that could most affect your organisation?
• Yes: 57%
• No: 43%
The fact that only slightly more than half (57%) of respondents have identified one or more cyber scenarios that could most affect their organisations would suggest that the lack of a complete understanding, and the absence or low positioning of cyber on the risk register, is for many companies filtering through to a lack of definition around specific scenarios that might impact their business.
Understanding Cyber Risk
Context – European Cyber Risk Survey 2015
[Chart: primary responsibility for cyber risk, by function (IT function including security; Board; Risk management) and by country: Total Europe, Belgium, Turkey, Switzerland, Denmark, France, Portugal, Sweden, Netherlands, Germany, Cyprus, Russia, Austria & CEE, Spain, Italy, Poland, UK, Ireland. Per-country values are not recoverable from the extracted text.]
IT departments continue to take primary responsibility for cyber risk in the majority (65%) of organisations.
Understanding Cyber Risk
Marsh/HM Government, UK Cyber Security Report – Risk Profile for a Large Business – Insurer View
Understanding Cyber Risk
Scenario Gathering Process
Set parameters:
• Which group companies and business divisions are in scope?
• Malicious events versus non-malicious events.
• Map the IT value chain.
Gather exposure data:
• Single-day workshop.
• Structured interviews.
• Questionnaire.
• Select from a menu.
Refine to create risk scenarios for material exposures:
• Amalgamate common/similar items.
• Write up as a scenario that can be considered for quantification.
• Remove immaterial items; reallocate any that don’t fit the parameters.
Understanding Cyber Risk
Scenario Example
Actor: Criminal
Motivation: Acquisition of payment card details
Means of access: Remote via internet
Point of attack: Point of sale devices
Damage:
• Investigation/response costs
• PCI fines and assessments
• Regulatory (ICO) fines and costs
• Civil compensation claims
  o Banks
  o Customers
  o Shareholders
• Reputational income loss
Where are the gaps in knowledge and data that might impair an organisation’s ability to make informed risk transfer choices?
Preparedness for Risk Transfer
1. An understanding of the event that is to trigger an insurance.
2. An appreciation of the likely quantum.
3. An appreciation of the likely frequency of the triggering event.
Preparedness for Risk Transfer
Context – European Cyber Risk Survey 2015
[Chart: loss estimates made, by country (Austria & CEE, Belgium, Cyprus, Denmark, France, Germany, Ireland, Italy, Netherlands, Portugal, Russia, Spain, Sweden, Switzerland, Turkey, Poland, UK), in the bands EUR1 million or below; EUR1 million to EUR2 million; EUR2 million to EUR5 million; EUR5 million and above; no loss estimates made. Per-country values are not recoverable from the extracted text.]
The majority of organisations (68%) have not yet made any attempt to calculate loss estimates, making it difficult to direct mitigation efforts to the areas of most potential harm.
Preparedness for Risk Transfer
Expert Judgement
Impact scale (Financial / Reputation / Service and Operations):
Scale 1 (Negligible)
  Financial: <$1m (max of 1% EBITDA)
  Reputation: Public concern restricted to local complaints
  Service / Operations: Insignificant fall in service quality, limited interruption to partnerships, insignificant effect on service standards
Scale 2 (Significant)
  Financial: $1m-$4.9m (max of 4% EBITDA)
  Reputation: Minor adverse local/public/media attention and complaints
  Service / Operations: Minor fall in service quality, interruption to partnerships, some minor service standards are not met
Scale 3 (Major)
  Financial: $5m-$8.9m (max of 8% EBITDA)
  Reputation: Serious negative national or regional criticism
  Service / Operations: Major fall in service quality, major partnerships deteriorating, ongoing serious disruption in service standards
Scale 4 (Catastrophic)
  Financial: >$9m (exceeds 8% EBITDA)
  Reputation: Prolonged international, regional & national condemnation
  Service / Operations: Catastrophic fall in service quality, failure of several major partnerships, complete failure in service standards
Are the insurance products available meeting client demand or is the insurance market developing a product that clients do not believe they need?
Suitability of Insurance Products
Context – European Cyber Risk Survey 2015
The insurance market continues to address the issues that represent organisations’ greatest concerns.
Suitability of Insurance Products
Context – European Cyber Risk Survey 2015
The insurance market appears to be innovating in the right direction to address the primary concern of risk managers.
Suitability of Insurance Products
Context – European Cyber Risk Survey 2015
Over half (57%) of respondents admit to having “insufficient knowledge” to assess the insurances available.
Suitability of Insurance Products
The Insurance Communications Gap
Is this a conscious decision not to purchase following a thorough evaluation of the available insurance products, or are companies not yet in a position to approach the market due to a lack of risk profiling in their own organisations?
Cyber Insurance Update:
Policy Basics
First Party Coverage
• Business Interruption
• Loss of First Party Data
• Cyber Extortion
• Customer Notification Expenses
• Reputational Damages
Third Party Coverage
• Network Security Liability
• Privacy Liability
• Multimedia Liability
• Loss of Third Party Data
Cyber Insurance Update:
Coverage Trends
• Contingent Business Interruption
• Administrative Costs Coverage
• Regulatory Fines and Penalties Coverage
• Emergency Costs
• Crime Coverage
• Bodily Injury / Property Damage Extensions
• Cyber Exclusions under “Traditional” Property & Casualty Policies
Cyber Insurance Update:
Post-Breach Remediation
Timeline from notification, in four bands: 1 hour, 2-5 hours, 5-24 hours, 24-48 hours. Milestones in sequence:
• Notification to Incident Manager (24/7/365)
• Incident Manager appointed
• Incident Manager: first call with Insured
• Incident Manager appoints specialists
• Triage call with all stakeholders
• Next steps and actions agreed; immediate mitigations if appropriate
• Specialist/s investigations / discussions underway
• Stakeholder update conference call/s
• Clear Discovery Plan emerges
• Specialists’ initial reports
• Stakeholder update conference call/s
• Clear Solution Plan emerges
Cyber Insurance Update:
Pre-Breach Services
• Risk Assessments
• Contractual and Regulatory / Legal Review
• Analysis of Security & Privacy Practices
• Systems Monitoring
• Incident Response Planning
• Business Continuity Enhancement
Cyber Insurance Update:
Purchasing Trends
[Chart: purchasing trends 2011-2015 for U.S., Europe and Asia; vertical axis 0%-70%. Data values are not recoverable from the extracted text.]
Source: Zurich / Advisen Information Security & Cyber Liability Risk Management Reports for U.S. and Europe; 2011-2015
Cyber risks, a view from the industry
Philippe COTELLE
Head of Insurance Risk Management
A new industrial revolution
Where the aeronautic industry was a century ago…
… this is how we see it in the coming decade:
Cyber risks exposure
Internet: a tool allowing the sharing of information between people in order to create an open world.
Difficulty in protecting companies and their data from the outside.
What are the obstacles to a good assessment of our cyber risks?
• Wrong perception
• Confidentiality
• Reputation
SPICE initiative
(Scenario Planning to Identify Cyber Exposure)
A programme for business impact analysis of disaster scenarios, related to a cyber event, that affect our operational capabilities.
Gathering representatives of all the functions, as well as IT and IM Security, to overcome 3 hurdles:
• Explain to the operational people that we need them
• Address the security issue with extreme care
• Be prepared to openly discuss some potential scenarios of exposure. No company should assume that it is impossible to be hacked.
Scenario identification
• Focus on disaster scenarios
• Clear hypotheses
Assessing financial costs
Assessing the financial cost of each scenario:
• Split each scenario into 4 phases
• Simplify the list of impacted functions
• Compute the over/under charge per scenario, per phase
[Chart: financial costs of Scenario x by phase (Phase A, Phase B, Phase C, Phase D; illustrative values 10, 46, 88, 22), against the timeline Security Breach, Security Breach Detection, Crisis, Remediation Investments, Vigilance.]
Assessing financial costs
Lessons learned
• The NUMBERS relate to our financial exposure.
• There is no final number.
• The objective is to reach a consensus that is acceptable to everyone and valid for our analysis.
Evaluate probability of occurrence
Quantify the technical probability that a scenario succeeds:
• For each step of a given scenario, identify the technical ways to proceed
• Rate each step with a probability of occurrence (using the internal probability scale)
Assessment performed by the local Information Management Security team.
[Figure: APT kill chain description used in the technical threat scenario.]
Evaluate probability of occurrence
Lessons learned
Same method but different numbers!? Two different approaches were observed:
• If an attacker were seriously considering hacking a major company, it must be a very strong organisation which in itself would have gathered all the unique skills and resources required. Therefore the probabilities were rated higher.
• Given the defence systems in place, in order to be successful the attacker would have to gather so many different skills and resources that this was very unlikely to be plausible. The probabilities were therefore rated very low.
Conclusions:
• A homogeneous approach is needed
• Associate with each scenario the type of hacker and their motives
Next Steps
Provide a rationale for the mitigation strategy
[Figure: cost of implementing IT security plotted against % of mitigation. Up to a point, IT investment makes sense to mitigate the exposure; beyond it, the insurance premium cost is the efficient option.]
• IT investment and mitigation measures reduce the probability and severity of occurrence
• Insurance then becomes complementary (and not competitive) to IT measures and can be an efficient financial tool
Justify the interest of the transfer to insurance, both for coverage and for the premium budget.
Risk identification, Risk Assessment, Risk Response
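The quantification chain the SPICE slides describe (cost per phase, a success probability for each kill-chain step, a 1-4 severity rating on the Expert Judgement scale, and the IT-investment-versus-insurance comparison) worked through in Python. This is an added illustration, not code from the FERMA presentation, from Marsh or from Airbus’s SPICE programme. The scenario, phase costs, step probabilities, EBITDA figure, the segmentation control, the premium and the policy limit are all constructed, and treating kill-chain steps as independent (so the scenario probability is the product of the step ratings) is a simplifying assumption of the example, not a claim about the programme’s method.

```python
"""Worked quantification of one cyber scenario, following the deck's steps:
phase costs -> kill-chain probability -> severity rating -> risk response.
Added illustration with constructed figures; not code from the presentation."""
from math import prod

# Cost of the constructed scenario per SPICE phase, in EUR millions.
PHASE_COSTS = {
    "A security breach": 0.4,          # investigation and response costs
    "B crisis": 2.1,                   # PCI assessments, regulatory fines, claims
    "C remediation investments": 1.5,  # fixing what let the attacker in
    "D vigilance": 0.3,                # extra monitoring after the event
}

# Probability that the attacker gets through each step of the technical threat
# scenario, rated on the company's own scale. Two actor profiles are rated
# separately because the same method gives different numbers for different
# attackers (the "same method but different numbers" lesson). Constructed values.
KILL_CHAIN = {
    "opportunistic criminal": {
        "reconnaissance": 0.9,
        "initial access": 0.5,
        "reach POS segment": 0.4,
        "collect card data": 0.6,
        "exfiltrate": 0.7,
    },
    "organised crime group": {
        "reconnaissance": 0.95,
        "initial access": 0.8,
        "reach POS segment": 0.7,
        "collect card data": 0.9,
        "exfiltrate": 0.9,
    },
}


def scenario_probability(kill_chain):
    """The scenario happens only if every step succeeds; steps are treated as
    independent, which is a simplifying assumption of this illustration."""
    return prod(kill_chain.values())


def total_cost(phase_costs):
    """Single-event cost: the sum over the four phases."""
    return sum(phase_costs.values())


def expected_loss(kill_chain, phase_costs):
    """Expected loss for the rating period (annual if the steps are rated per year)."""
    return scenario_probability(kill_chain) * total_cost(phase_costs)


def severity(cost_m, ebitda_m):
    """1-4 rating from the Expert Judgement scale: the absolute $ band and the
    band implied by the EBITDA share; the worse of the two drives the rating."""
    absolute = 1 if cost_m < 1 else 2 if cost_m < 5 else 3 if cost_m < 9 else 4
    share = cost_m / ebitda_m
    relative = 1 if share <= 0.01 else 2 if share <= 0.04 else 3 if share <= 0.08 else 4
    return max(absolute, relative)


def with_mitigation(kill_chain, step, new_probability):
    """Copy of the chain with one step re-rated after a control is deployed."""
    mitigated = dict(kill_chain)
    mitigated[step] = new_probability
    return mitigated


def risk_response(kill_chain, phase_costs, ebitda_m, control, premium_m, limit_m):
    """Compare an IT control with an insurance policy for one scenario.
    control = (step, probability after the control, annualised control cost).
    All money in EUR millions per year."""
    step, new_p, control_cost = control
    before = expected_loss(kill_chain, phase_costs)
    after = expected_loss(with_mitigation(kill_chain, step, new_p), phase_costs)
    single_event = total_cost(phase_costs)
    return {
        "severity": severity(single_event, ebitda_m),
        "expected_loss_before": round(before, 4),
        "expected_loss_after": round(after, 4),
        # The control pays off when the expected-loss reduction exceeds its cost.
        "control_pays_off": (before - after) > control_cost,
        # Insurance then addresses the residual: what one event would cost above
        # the limit, and how the premium compares with the residual expected loss.
        "uninsured_per_event": round(max(0.0, single_event - limit_m), 4),
        "premium_to_residual_loss": round(premium_m / after, 2),
    }


if __name__ == "__main__":
    segmentation = ("reach POS segment", 0.1, 0.15)  # constructed control
    for actor, chain in KILL_CHAIN.items():
        print(actor, risk_response(chain, PHASE_COSTS, 200.0, segmentation, 0.12, 5.0))
```

Running both actor profiles through the same chain makes the "different numbers" lesson concrete: the opportunist scenario comes out at a probability of about 0.08, the organised-crime profile at about 0.43, with identical phase costs. The severity function also shows why the scale carries both an absolute band and an EBITDA cap: the same EUR 4.3m event rates 2 (Significant) for a company with EUR 200m EBITDA and 4 (Catastrophic) for one with EUR 40m.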
Challenges
The process needs to be performed regularly and be as exhaustive as possible, which requires:
• a strategy for managing the roll-out of this process across the entire organisation, products and countries
• an efficient process that is manageable with the operational teams
Challenges
The insurance market also needs to face several challenges:
• Conditions of dialogue with the insurers
• Problem of reputation in case of a claim
• Claim settlement
Conclusion
• Our mission: to support technological development and to create the conditions for securing and mitigating the unavoidable risks that such opportunities generate.
• Cybersecurity is one of the key priorities for Airbus Group.
• A dedicated entity: Airbus DS Cybersecurity.
• Its products and services are also offered to external companies to fight cyber threats.
Active cyber risk management is a key message towards external stakeholders.
Standards for cyber risk assessment will be necessary.
Don’t forget!
Your evaluation and comments are the only way for FERMA to obtain the information it needs to improve the quality of the sessions.
• Please fill in the documents given to you by our hostesses
or
• Use the mobile application and earn points for the Leaderboard game!