Too many incidents related to “ransomware” in North East of Italy. Companies needs to understand how to protect themselves and ensure continued access to the digital data. The damage of a cyber incidents exceed the threshold of US $ 25mil. Safe rating of Intangible Assets of a company need enhancement of the cyber risks insurance market. But a weak competence require clarification on this topic. The research intent was to identify the real risks and digital vulnerabilities in companies. We have done an evaluation of typical insurance products on IT risk and we have made a CIO/CISO Survey. The final scope was a guideline for approacing the problem of outsourcing Cyber Risk Protection.

1. Outsourcing Cyber Risks
Luca Moroni – Via Virtuosa
SFSCON 2017 - Bozen – 10/11/2017

2. ISACA VENICE research team coordinator
✔ Research n.1: Vulnerability and Penetration Test. User’s guidelines about third party
penetration test.
✔ Research n.5: Cyber Security Awareness of N/E Italian Critical
Infrastructures: Scenarios and Guidelines for self-assessment
Member of ISACA VENICE Chapter Translation team
✔Securing Mobile Devices – ITA
Research team coordinator Cybersecurity Risk Insurance
Graduation in Computer Science (1989. Milan), CISA, ISO 27001 and ITIL V3 certified
and other tech certifications
Focused on Cybersecurity since 2000, coach and lecturer in some
seminars about this topic
Founder of the innovative company Via Virtuosa, which focuses
on scouting and promotion of expertises in Cybersecurity and IT
governance in NE of Italy.
Luca Moroni
Who am I

3. Cyber Incident = Loss of Money

4. Cyber Risk
Allianz Risk Barometer 2016
Cyber Risk
45%

5. Cyber Risk Zone Level
The Global Risks Report 2016 11th Edition by the World Economic Forum

6. Our Research
Cyber Insurance for
Dummies
VS
I know about
new dangerous
problems!
I Have a full
portfolio of new
products!
MORE INTERESTED
IN CYBERSECURITY
MORE INTERESTED IN
COUNTER RESIDUAL RISK
Insurer CIO

7. • Understand CxO awareness of cyber insurance
• Scenario analysis of cyber exposure
• For what is a Cyber Insurance useful
• Understand Italian market of cyber insurance
• CxO business cases
• Common protocol with Cyber Insurer
• Suggest rules for Cyber Insurance requests
How Outsourcing Cyber Risks
… CxO must having a Risk Management Approach…

8. Cyber Risk Exposure in NE of Italy
Sample of 70 Companies ranked using “Determining Your Organization’s Information Risk Assessment and
Management” – ENISA Methodology – Via Virtuosa Research Data COPYRIGHT protected
Impact
Probabilityof
occurrence avoid the risk
30%

9. Did you ever asked, if existing policies are covering/excluding cyber
risks?
White Paper 2016 Via Virtuosa Srls COPYRIGHT protected
Cybersecurity Risk Insurance Survey on 63 companies

10. [] []
[] []
[] []
[] []
[] []
[] []
Who is asking you to provide Cybersecurity?
White Paper 2016 Via Virtuosa Srls COPYRIGHT protected
Cybersecurity Risk Insurance Survey on 63 companies

11. Have you registered cyber incidents involving your organization in
the last five years?
White Paper 2016 Via Virtuosa Srls COPYRIGHT protected
Cybersecurity Risk Insurance Survey on 63 companies

12. Adopting standards and measures
Check Controls 27002:2013
About 90% of vulnerabilities highlighted in a Gap Analysis 27001 are not residual risk

13. Security is not an investment that provides profit
but loss prevention
• First step is understand the situation
• Define a protocols for measure, mitigate and manage cyber risk
• About 10% of vulnerabilities highlighted in a Cyber Security Gap Analysis
are residual risk
• Some critical sectors (eg. Banks) are mature for Cyber Insurance
• Also SMB needs to have a financial parachute
• Manage Cybersecurity Life cycle reduces residual risk
Conclusions

14. Questions?

15. Thanks!
l.moroni@viavirtuosa.it
To Download: https://www.viavirtuosa.com/whitepaper/
English Abstract http://securityaffairs.co/wordpress/57664/security/cyber-risk-cyber-insurance.html