
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016

PART II – Cyber Security: the mitigation strategies – how to identify, assess and mitigate cyber risks
The Risk Manager must be responsible, as for other risks, for the quantification aspect of cyber security. It is a necessary step towards understanding and managing the exposure of the company. He/she should act as a facilitator between the Board and the operational departments (IT, Finance, Legal and other functions).
This is a key subject for unlocking the development of cyber insurance and for supporting the economic growth that the digital world is bringing to Europe.

Published in: Business

  1. Julia Graham, Technical Director, AIRMIC, julia.graham@airmic.com
     Richard Knowlton, CEO, Internet Security Alliance for Europe (ISAFE), rknowlton@Isa4europe.org
     Marc Vael, President, ISACA Belgium, president@isaca.be
     Mark Camillo, Head of Cyber & Professional Indemnity, AIG, mark.camillo@aig.com
  2. Cybersecurity Mitigation Strategies
  3. What is the added value of a risk manager for cyber security? A unique position:
     • Estimate the cost and liabilities of cyber-attacks and near misses
     • Draw conclusions for information security investments and insurance solutions for residual risks
     • Be the bridge between the Board, the C-suite, IT (and IS) and other stakeholders in terms of cyber risk strategy and decisions
  4. Cyber risk is not only an IT risk but an enterprise risk
     • Integration into the enterprise risk management (ERM) system of the organization
     • Board playing a critical oversight role
     • Risk manager providing expert advice to support the decision-making process
  5. Kite marks and standards: standards produced to date are typically disappointing
     • Standards require sharing of intellectual property about how systems work and experience, yet many are reluctant to share their useful knowledge
     • Challenges include embracing the role of risk management (it is not only a technical issue) and defining the scope of cyber; this is a challenging area
     • The definition of a standard takes time and does not match the pace of cyber risks
     • They can encourage a compliance-led approach
     • Not fit for SMEs, yet lacking in substance
     • Some good knowledge and guidance documents are available but quickly date
     • This is a global risk and has to be looked at globally
  6. Confidentiality remains a challenge
     • It involves a number of different players: the broker, all the insurers on the programme, their reinsurers, loss adjustors, etc.
     • It is a challenge to ensure that critical information remains confidential despite the number of involved parties
     • How ready are organisations to let those third parties access the most critical and secret parts of their systems? How should sensitive information be disclosed to external parties for digital risk management purposes (pre-underwriting assessment, claims management, …)?
     Public authorities:
     • Role to provide guarantees about how the information is treated within the insurance community
     • Help preserve business confidentiality, to encourage business leaders to embed digital risk management across the whole organization (thanks to the RM support)
  7. Beware of Board Room Blindness
  8. Our full position paper: available now on the FERMA website, www.ferma.eu
  9. Cyber Risk Management Oversight: Four Principles for Boards of Directors. 24 March 2016. Richard Knowlton, Executive Director (Europe), Internet Security Alliance
  10. Cyber Risk Management Oversight: Four Principles for Boards of Directors {1}
     1. Directors must ensure that the business has an enterprise-wide cyber-risk management framework. Key features:
     • Cross-functional cyber risk management team
     • Senior executive to lead the team, with authority to drive action across multiple departments
     • Company-wide cyber risk management plan
     • Regular team meetings and reports for the Board
     • Total and adequately resourced cyber risk budget
  11. Cyber Risk Management Oversight: Four Principles for Boards of Directors {2}
     2. Boards should have adequate access to cyber-security expertise, and they must give cyber/risk management issues regular and adequate time on their meeting agenda
     • Schedule “deep dive” briefings from third-party experts
     • Leverage independent advisers with a multi-client and industry-wide perspective on cyber risk trends
     • Enrol Directors on cyber education programmes
     • Mandate regular management reports on the state of cyber security risk management
  12. Cyber Risk Management Oversight: Four Principles for Boards of Directors {3}
     3. Boards need to discuss which cyber-risks to avoid, which to accept, which to mitigate and which to transfer. There should be specific plans for each category. A couple of key questions:
     • What data, and how much of it, are we willing to lose through theft or compromise?
     • How should we assess the impact of cyber events?
  13. Cyber Risk Management Oversight: Four Principles for Boards of Directors {4}
     4. Directors need to understand the legal/liability implications of cyber-risk as they apply to their company. The key factors include:
     • Constant evolution of corporate liability related to cyber-incidents
     • Differences between jurisdictions
     • Implications of EU legislation
     • Obligations to report cyber incidents
     Board minutes should reflect discussion of cyber security and decisions about the cyber security programme
  14. Cyber Risk Management Oversight: Four Principles for Boards of Directors (summary)
     • Ensure that the business has an enterprise-wide management framework for cyber-risk
     • Ensure adequate Board access to cyber-security expertise, and regular and adequate time for cyber/risk management issues on the Board agenda
     • Discuss which cyber-risks to avoid, which to accept, which to mitigate and which to transfer
     • Understand the legal/liability implications of cyber-risk as they apply to the company
  15. Richard Knowlton, Executive Director (Europe). Email: rknowlton@isaeuropean.org. Tel: +44 7500 103164 (UK), +39 3493 820008 (Italy). www.isaeuropean.org
  16. Cybersecurity: The Mitigation Strategies. Marc Vael, March 2016
  17. Cybersecurity Core Mitigation Strategies
  18. Cybersecurity Process Mitigation Strategies
  19. References:
     http://www.cybersecuritycoalition.be/cyber-security-incident-management-guide/
     https://www.b-ccentre.be/wp-content/uploads/2014/04/B-CCENTRE-BSCG-EN.pdf
     http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/implementing-the-nist-cybersecurity-framework.aspx
  20. Cybersecurity Skills & Competences Mitigation Strategies: Credentialing and Training; Education/Conferences; Membership; Resources/Publications; Career Management
  21. State of Cybersecurity: Implications for 2015. www.isaca.org/state-of-cybersecurity-2015
  22. www.isaca.org/cyber. Contact: Mr. Marc Vael, marc@vael.net, http://www.linkedin.com/in/marcvael, @marcvael
  23. About ISACA: assuring trust in and value from information systems in a dynamically changing digital world
     • Global association serving 140,000 cybersecurity, assurance, IT governance and IT risk professionals
     • Members in 180 countries; 200+ chapters worldwide
     • Launched Cybersecurity Nexus (CSX) in 2014 to address the growing cybersecurity skills crisis and develop a skilled cyber workforce: skills-based training and performance-based certifications
     • Developed and maintains the COBIT framework
     • Offers CISA, CISM, CGEIT and CRISC certifications
     www.isaca.org
  24. CyberEdge
  25. UK Captain of Industry Research
     • Thinking about board meetings in the last twelve months, how often have you discussed the company’s Cyber Security Policy?
     • How confident are you that the IT department is able to protect the company from a cyber-attack?
     • How confident are you that directors fully understand the legal implications of a serious cyber security breach?
  26. What this means for the Board
     • Costs from a data breach can quickly escalate and include: public embarrassment, shareholder and public outcry; loss of customers/revenue; damaged reputation/brand; notification and identity monitoring; computer forensics, PR consulting, legal assistance and call center services; liability from class action lawsuits, regulatory actions and fines/penalties
     • Potential D&O suits: allegations of negligence by the Board (lack of oversight); allegations that directors should have known that information assets were vulnerable; allegations that directors failed to purchase sufficient insurance despite clear and prevalent exposure
     • When organizations lose money, shareholder suits are not far behind; there is no exception for data security losses.
  27. Risk Transfer Overview
     • Security and privacy liability insurance covers third-party claims arising from a failure of the insured’s network security or a failure to protect data, and regulatory actions in connection with a security failure, privacy breach or the failure to disclose a security failure or privacy breach.
     • Event management insurance responds to a security failure or privacy breach by paying the costs of notifications, public relations and other services to assist in managing and mitigating a cyber incident. Forensic investigations, legal consultations and identity monitoring costs for victims of a breach are all included.
     • Network business interruption insurance responds to a material interruption of an insured’s business operations caused by a network security failure by reimbursing the resulting lost income and operating expenses.
     • Cyber extortion insurance responds to the threat of intentional security attacks against a company by an outsider attempting to extort money, securities or other valuables. This includes monies paid to end the threat and the cost of an investigation to determine the cause of the threat.
  28. Pricing and Underwriting Considerations (factor: considerations)
     • Industry/Revenue: What industry does the insured belong to? What is the insured’s annual revenue?
     • Claims History: How many claims are made annually on average? What is the largest claim payment experienced by the insured?
     • Type of Data: What type of data and information is processed, stored, and maintained? How hard is the data to replace or recreate?
     • IT Controls: Are all technology platforms updated regularly with their respective security patches? Does the organization enforce encryption controls for all sensitive data at rest and in transit?
     • Regulatory Compliance: Is the applicant compliant with applicable regulations (PCI, HIPAA, etc.)?
     • Governance: Does the applicant have formal information security and privacy policies in place?
     • Outsource Vendors: What is the applicant’s due diligence process prior to engaging a new vendor? Do contracts with vendors contain an indemnification provision?
     • Internal Threat: Does the applicant require all computer users to undergo a security awareness training programme?
  29. Any Questions? Please use the GoTo Webinar Dashboard to send a question to the Moderator
