EU/US boards’ approach to cyber risk governance - webinar presentation


The 4th webinar is hosted by the European Confederation of Directors' Associations (ecoDa), AIG and the Federation of European Risk Managers' Associations (FERMA), in close cooperation with the Internet Security Alliance (ISA).
It includes a Risk Manager's perspective on the necessity to provide organisations with decision-support tools for mitigation and recommendations for risk transfer.

Published in: Business
  1. Speakers: Philippe Cotelle, Head of Insurance Risk Management, Airbus Defence and Space; Mark Camillo, Head of Cyber EMEA, AIG; The Honorable John P. Carlin, Assistant Attorney General for National Security, U.S. Department of Justice; Mark Hughes, President, BT Security, BT Global Services.
  2. The Honorable John P. Carlin, Assistant Attorney General for National Security, United States Department of Justice.
  3. A European perspective on the security landscape. Mark Hughes, CEO of BT Security, 14th October 2016.
  4. The European threat and how to counter it.
     • Traditional security is not enough: lack of preparation for new technological challenges such as cloud, Big Data and shadow IT. We need to focus on the protection of data.
     • Complexity is growing: the threat, the countermeasures and the technologies are all growing in complexity. We need to forge strategic alliances with peers and security partners.
     • Scarcity of skills: cyber skills shortage across the EU. We need to develop strong recruitment and training programmes.
     • A lack of focus on EU needs: uncertainty over future legal and commercial frameworks. We need to invest in EU-relevant solutions.
  5. The EU Digital Single Market: enabling digital transformation.
     • Sets the highest standards globally.
     • Requires European companies, and non-EU companies operating in the EU region, to mobilise leading security professionals and resources to comply with these new requirements.
     • European security vendors and service providers will have to quickly adapt to demanding customer requirements.
  6. What will make a difference?
     • Embedding security in the early stages of new product or service development.
     • Influencing key business stakeholders.
     • Having a holistic view of company risk.
     • Developing vendor/supplier partnerships to build reference architectures.
     • Getting full collaboration of internal and external stakeholders.
     • Moving from reactive to predictive.
  7. Risk Managers' contribution to business valuation with digital risk management. Benefits for the Boards and external stakeholders: investors, shareholders, public, regulators. Philippe Cotelle, Head of Insurance and Risk Management of Airbus Defence & Space, VP of AMRAE IT Commission.
  8. Cybersecurity and business valuation. One of the key concerns for Boards:
     • Business valuation
     • Trust and reputation
     Digital risks are affecting both business valuation and trust by the public:
     • Fast-paced and evolving, with impact across functions
     • Once disclosed, high sensitivity of investors and public opinion
     • Regulatory pressure in Europe to disclose incidents more transparently: NIS Directive, Data Protection Regulation
     Digital risks are therefore also a key concern for the Boards.
  9. Risk managers' proposition on digital risk management (1/2). Once aware of possible impacts on business valuation:
     • Boards should be able to find and support internally the capabilities to respond to this challenge
     • Boards should send a key message towards external stakeholders
     To move towards a strategic advisor role:
     • Risk managers need to link their work to Boards' preoccupations
     • Risk managers need to propose solutions relevant for Boards and talk the same language across functions
  10. Risk managers' proposition on digital risk management (2/2). The Risk Management profession:
     • Is currently evolving to propose a cross-function digital risk management
     • Gathering representatives of all functions
     • To start an open dialogue on scenarios and exposure
     Provide a rationale for a mitigation strategy with a methodology to:
     • Identify the scenarios linked to a cyber event (risk identification)
     • Assess their financial costs and likelihood (risk assessment)
     • Justify the prevention plan with IT investments and the protection plan with captive and insurance, which are complementary and not competitive (risk response)
  11. Challenges ahead for the profession. Development of high-quality indicators and metrics to support the investment decisions on cyber security:
     • Accepted indicators and metrics across functions (accounting, IT, legal) and partners (insurance, loss adjuster, public authorities)
     • Accepted scenario analysis and possible damages, converted into financial terms
     • Accepted terminology and definitions across functions
     Proposed research projects on a new digital risk management methodology:
     • At EU level (Horizon 2020 public funding, cyber public-private partnerships) and OECD level (within specialised working parties)
     • Gathering academics, businesses like AIRBUS and professional organisations like FERMA
     • Possible start in 2017
  12. One thing to remember: we are convinced that high-quality digital risk management will contribute to business valuation. Thank you!
  13. Risk Transfer: Managing Cyber as a Peril. Mark Camillo, Head of Cyber, EMEA.
  14. Develop & quantify cyber loss scenarios (Exposure Quantification).
     • Identify several high-impact, notional, feasible cyber loss scenarios specific to your organization/operations.
     • Estimate impact for selected scenarios using a structured impact taxonomy: a four-quadrant model in which all impacts from any cyber event can be categorized.
     Impact framework: the quadrants are formed by 1st Party vs. 3rd Party on one axis and Financial Damages vs. Tangible Damages on the other.
  15. Four generic starter scenarios.
     • Data Theft: customer and employee bank account info (ACH), credit cards and other identity information are stolen (SSNs, addresses); proprietary exploration and financial data are also suspected to be stolen.
     • Data Destruction: a Shamoon-style attack deletes hard drive contents on every desktop and laptop computer in the enterprise overnight; business operations are severely impacted for 2 (or more) weeks while machines are either replaced or restored.
     • Network Disruption: an attacker compromises network communications used to control field assets; production operations are impacted due to inability to control remote assets.
     • ICS Attack: Stuxnet-like malware infects industrial control systems; the attacker takes control of key valves and pressurization equipment, leading to disruption in operation and a major spill of petroleum products.
  16. Top quadrants: Financial Damages. Some of these impacts are data-breach centric; many could apply to any event.
     1st Party Financial Damages:
     • Response costs: forensics, notifications, credit monitoring
     • Legal: advice and defense
     • Public relations: minimizing brand damage
     • Revenue losses from network or computer outages, including cloud
     • Cost of restoring lost data
     • Cyber extortion expenses
     • Value of intellectual property
     3rd Party Financial Damages. 3rd parties may seek to recover:
     • Consequential revenue losses
     • Restoration expenses
     • Legal expenses
     • Shareholder losses
     • Other financial damages
     3rd Party entities may also issue, or be awarded, civil fines and penalties.
  17. Bottom quadrants: Tangible Damages. These impacts are of increasing concern to all companies, especially critical infrastructure.
     1st Party Tangible Damages:
     • Mechanical breakdown of your equipment
     • Destruction or damage to your facilities or other property
     • Environmental cleanup of your property
     • Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
     • Bodily injury to your employees
     3rd Party Tangible Damages:
     • Mechanical breakdown of others' equipment
     • Destruction or damage to others' facilities or other property
     • Environmental cleanup of others' property
     • Bodily injury to others
  18. Review & stress test the insurance portfolio (Exposure Quantification, Insurance Analysis and Stress Test).
     • Review all insurance policies to understand cyber coverage or exclusion.
     • Stress test the insurance portfolio with the loss scenarios across the 1st Party / 3rd Party and Financial / Tangible quadrants.
     Policy language review rates each policy on two scales, with uncertainty in between: cyber inclusion (affirmative/favorable, or none) and cyber exclusion (none, partial, or strong/clear, i.e., CL-380).
  19. Traditional policies may cover cyber impacts. Analysis is required to fully understand how such policies are likely to respond; policy language falls into four categories:
     • Affirming language, or cyber is a listed peril
     • All risk and no cyber exclusions (silence)
     • Debatable cyber or electronic data exclusions
     • Definitive cyber exclusion (NMA-2914 or CL-380)
     Traditional policy lines mapped on the slide across the 1st Party / 3rd Party and Financial / Tangible quadrants: Crime, Fidelity, Kidnap & Ransom, Technology E&O, Miscellaneous E&O, Product Recall, Directors & Officers, Property, Workers Comp, Terrorism, Umbrella, Auto, General Liability, Excess Liability, Pollution and Product Liability, alongside AIG CyberEdge and AIG CyberEdge PC/Plus.
  20. Any questions? Please use the GoTo Webinar dashboard to send a question to the moderator.