CC
Uploaded byChristine Maligec, CRM-E, CRIS
105 views

Cyber Risks - Maligec and Eskins

This document discusses the importance of establishing a cyber risk framework that is integrated into an organization's enterprise-wide risk management process. It provides questions that organizations should consider to help identify and assess cyber risks. It also describes three hypothetical cyber risk scenarios involving ransomware infection, and discusses potential impacts, losses, and mitigation strategies for each scenario.

Embed presentation

Download to read offline
Risk Watch Spring 2015 The Conference Board of Canada 13 I t is widely recognized that the effective use of technology, regard- less of one’s industry sector, is required in order to keep pace and provide a competitive advantage in a globalized economy. In fact, in many cases, it can prove to be a game-changer for an organization’s strategic direction. To achieve its goals, organizations have to work smarter and be more collab- orative—both internally and with their external stakeholders. This article is part of a series that focuses on various aspects of cyber risk. In this first article, we explore the need for a well-established cyber risk framework that is integrated into the organization’s enterprise-wide risk management process; look at some key questions organizations should be asking to help frame these ever-evolving risks; provide some statistics on the financial impacts of cyber risk; and provide a few “what-if” scenarios and their pos- sible impacts and potential mitigation strategies. The spirit and intent of ERM is to instill a culture of cross-functional collabora- tion with the outcome of achieving the organization’s objectives. This includes working strategically and holistically on cyber risks. For instance, organizations should consider what could happen when the corporate security group is not kept in the loop and there is a missed opportunity to avert a known threat. As well, organizations should recognize the outcomes if the information systems and information technology groups didn’t discuss hardware needs for new software purchases. And, specifically, the organiz- ation must consider what would happen to its balance sheet if finance and insur- ance were not involved in the discussion to protect shareholder value. A CYBER RISK FRAMEWORK A cyber risk framework is a well- communicated tool that is supported by cross-functional teams that develop strategic insight and responses to managing these dynamic risks. An established cyber risk framework ensures that your company engages and includes the right subject matter experts in the process at the right time, and is speaking the same language. (See Exhibit 1 for an example of a Cyber Risk Framework.) Elementally, this framework embraces a response where crisis management, investigation, and contractual or financial risk transfer are critical. For instance, according to a McAfee report in 2014, Italy sustained an $875-million economic impact of cyber crimes (actual losses) but the recovery and opportunity costs reached $8.5 billion.1 QUESTIONS FOR FRAMING CYBER RISK The following are a few fundamental questions about cyber risks that organ- izations need to consider. Being able to affirmatively answer any one of those questions will help frame what your organization currently has in place and what work is left to undertake: • Does your company have a written cyber security risk management strategy and governance framework? How is it measured? • What does cyber risk mean to your organization? What is the true nature of the risk (e.g., privacy, reliance on technology/business continuity)? • Is there a culture of awareness among your employees? • Which corporate cyber policies does your organization have in place and are they enforced? Examples include “bring your own device” (BYOD); employee e-mail agree- ments; Internet use, and security violation procedures. 1 McAfee, Intel Security, Net Losses, 18. By Christine Maligec and Gregory Eskins Cyber Risks: Imagining the Possible and Plausible
Risk Watch Spring 2015 The Conference Board of Canada14 • What are your regulator’s expect­ ations for cyber risk standards or controls (e.g., SOX,2 Health Information Act (HIA), Personal Information Protection Act (PIPA)? • Which cyber security controls are currently in place and how often are they tested? • If a material breach or other cyber event were to occur, is there a written/defined crisis management protocol? Has it been tested? • Has your company identified pos- sible and plausible events where your cyber infrastructure could be at risk? 2 The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. THE VALUE OF STRUCTURED “WHAT-IF” (SWIFT) DISCUSSIONS AND SCENARIO ANALYSIS The ISO 31010:2009 risk assessment techniques guide3 describes the SWIFT assessment as “a system for prompting a team to identify risk. Normally used with a facilitated workshop. Normally linked to a risk analysis and evaluation technique.”4 That might be a lot of jar- gon, but it is a conversation starter on the possible and plausible risks. It is more aligned with the risk identification phase of the ISO 31000 ERM Process Model. Additional tools—such as busi- ness impact, or cash flow analysis 3 International Organization for Standardization (ISO), 31010:2009 Principles and Guidelines. 4 International Organization for Standardization, ISO 31000: Risk Management, 23. and stress tests—would be required to further evaluate the cyber risk and add probability and quantum, both pre- and post-mitigation, to understand the organ- ization’s risk appetite. Scenario analysis, however, has a greater time horizon and proves more useful where historical data on prob- ability might not be available. Scenario analysis aids in developing a “series of scenarios … each one focusing on a plausible change in parameters.”5 The advantage is not so much on risk assessment, but being able to review your risk assessments when monitoring changes to your organization’s environ- ment. For these reasons, we will explore 5 Ibid, 41. Exhibit 1 Cyber Risk Framework Source: Marsh Risk Consulting. (Reproduction is not permitted without the express written consent of Marsh.) Cyber Security Assessment 1 • STEP 1: Penetration testing and threat intelligence • STEP 2: Assessment of security framework/ prevention and emergency response Cyber Risk Quantification 2 • STEP 1: Risk tolerance estimation • STEP 2: Risk scenario identification and quantification • STEP 3: Cyber risk modelling • STEP 4: Claim preparation (in case of loss) Risk Transfer Analysis 3 • STEP 1: Contractual risk transfer with third-party practices optimization • STEP 2: Insurance gap analysis and optimization • STEP 3: Estimation of cyber insurance cost Actions Prioritization and Planning 4 • STEP 1: Prioritization of recommendations • STEP 2: Total cost of risk optimization
Risk Watch Spring 2015 The Conference Board of Canada 15 three possible scenarios, as shown below. Still, organizations should imagine the possible and plausible when it comes to their own cyber risks relative to their business. SCENARIO 1: INTERRUPTION BY RANSOMWARE The mid-level manager of an architec- ture and engineering firm received an e-mail with an attachment. The e-mail appeared to be from a client’s dot com address, but the manager did not rec- ognize the sender. Thinking nothing of it, he opened the e-mail attachment, which then took over his computer and eventually the company’s network. The manager and his colleagues sat helplessly in front of their computers as an image appeared and informed them that the company was the victim of ran- somware. They also were told that they had 48 hours to pay $250,000 or their systems and all data would be destroyed. After paying the ransom, the IT depart- ment analyzed the system to find that not only had a number of files been damaged, but blueprints for a client’s proprietary process were copied and had ended up on the Internet. Possible and Plausible Impacts/Losses • Damage to server and critical files • Payment of ransom funds • Intellectual property loss MITIGATION STRATEGIES Damage to Server/Critical Files A well-designed, financial risk transfer program for cyber-related occurrences can assist in a number of ways. “Damage” usually conjures up an image of something being physically broken. However, in the context of cyber risk, damage is typically made to the intan- gible data—a peril most have never experienced. Most people have little to no frame of reference and lack the experience to manage an active response or investigation. Despite the competence of a firm’s internal IT department, the cost of hiring an independent foren- sics team to investigate and preserve evidence (indeed, a crime has been com- mitted) is extremely worthwhile from a couple of perspectives. Engaging a forensic team will provide an objective picture of what has transpired. And, given the team’s specialization, they may be more effective with respect to the confirmation of threat and loss con- tainment, as well as recovery efforts. Second, other parties—e.g., regulators— generally prefer to see an independent analysis (also beneficial in the event the organization is later sued by its clients). Ransom Funds The actual ransom payment may or may not be deemed a material amount. That said, the financial loss can certainly be insured. Beyond the actual payment, management—and, by extension, the organization—may be incapable of con- ducting business while its digital assets are encrypted. What is the impact on the revenue stream? Perhaps revenue is only deferred? But, nonetheless, companies incur additional expenses to continue operations during this time. More likely, there will be a combination of revenue loss and extra expense involved dur- ing the period of restoration. Both the actual loss of revenue and the extra expense incurred to continue operations are insurable. Intellectual Property Loss In general, the most critical asset of any organization is its intellectual property (IP). To the extent that IP is entrusted to a third party, and there is a breach of privacy of such third-party’s IP (i.e., corporate confidential information), a cyber policy can respond by defending in the event of a lawsuit, and potentially pay certain damages. Having said the above, if it were an organization’s own IP that was breached (think cyber espionage), the loss of value is essentially uninsurable at this point in time. SCENARIO 2: WEAK LINK IN THE TECHNOLOGY CHAIN A mid-sized, financial services company moved the majority of its back office operations to a cloud-based solution. The prevailing strategic reasons were cost savings on modernizing servers and software; virtual access—any time, any place; the most up-to-date software; flexibility with IT use and bandwidth; and carbon footprint reduction. The intended outcome of this implementa- tion was to translate into a competitive advantage that could be passed on as savings to the customer, and an increase in shareholder value. The cloud provider experienced a disruption, which took the access to the financial company’s software and to client files off-line for almost a week. This was not a good week for one client that lost several deals and could not meet disclosure requirements with regulators. As a result, several clients did not renew their con- tract or cancelled service. Possible and Plausible Impacts/Losses • First-party loss of business and share value • Third-party financial loss • Shareholder litigation
Risk Watch Spring 2015 The Conference Board of Canada16 MITIGATION STRATEGIES First-Party Loss Many organizations think the biggest expense resulting from a cyber threat is to compensate individuals whose privacy was breached. As such, many think a financial risk transfer program would not add any value to their mitiga- tion planning. For a growing number of organizations, however, business continuity takes precedence on a scale of likelihood and impact. Although large-scale breaches get media atten- tion—and can certainly have a large financial impact on the organization— the business interruption exposure and costs are often overlooked. Third-Party Financial Loss While traditional financial risk transfer programs may provide business inter- ruption coverage (e.g., loss of profits/ income and/or extra expense), they generally will not respond to a cyber event, (i.e., an event that does not cause physical damage). Enter cyber risk insurance. It can be tailored to protect against the financial loss, such as rev- enue (more specifically, gross profits) during an interruption of business oper- ations; the additional expenses incurred during the interruption; and even normal operating costs. The hidden wrinkle in this scenario is that the disruption did not originate within the financial services company and, thus, its exposure is contingent on another firm (its cloud technol- ogy vendor). Given the proliferation of cloud-based vendors—for a variety of business functions—the potential for a material interruption is magnified. Shareholder Litigation Contingent business interruption cover- age is also something that can be addressed via a robust cyber policy. What cannot be insured via a cyber policy is the loss of shareholder value. SCENARIO 3: AN “APP” FOR THAT A major retail chain created and launched an “app”—which scanned smart devices for GPS and browser search information—to create cus- tomized advertisements. After a very successful marketing campaign, hundreds of thousands of shoppers downloaded the app, with many link- ing their profile to other social media and payment accounts. Vulnerability in the code made the app a target for a foreign, organized crime syndicate known for stealing and selling credit card information on the black market to finance terrorism. Possible and Plausible Impacts/Losses • Crisis management and communication assistance MITIGATION STRATEGIES Crisis Management and Communication Assistance Unlike many other insurance products, which are purely a form of risk finan- cing or transfer, cyber policies can pro- vide additional resources in the form of pre- and post-claims services. Pre-claim services may include consultation with a security vendor; vulnerability assess- ments; crisis management simulation, other risk management tools and tem- plates; and/or tabletop exercises aimed at prevention and mitigation. Post-claim services typically include access to a panel of vendors in the areas of foren- sics, legal and public relations, notifi- cation, and remediation (identity theft services). Many organizations have similar internal functions, but perhaps not the level of specialization of external firms. Furthermore, pulling internal individuals away from their core responsibilities will surely negatively impact the business and productivity. Essentially, the costs incurred to conduct a forensic investigation, respond to a regulatory investigation, hire counsel and a public relations firm, and notify and communicate with the affected (and potentially affected) individuals are insurable. Scenario Conclusion In summary, cyber risk requires a clear strategy in order to manage and monitor it effectively. This will lead to an accept- able level of organizational resiliency should any of these scenarios play out. ADDITIONAL INFORMATION Exhibit 2 provides definitions for various loss categories.
Risk Watch Spring 2015 The Conference Board of Canada 17 Christine joined Covenant Health— Canada’s largest Catholic health care organization with over 14,000 phys- icians, employees, and volunteers serving Alberta—as its Risk Management Advisor in 2013. Her role is focused on designing and implementing an ERM framework, along with supporting educa- tion. Prior to this role, Christine served in risk management positions within the entertainment, post-secondary, energy, and construction industries. She also sits on the Northern Alberta Risk & Insurance Management Society Board. As national practice leader, Greg is charged with advising clients on emerging cyber risk issues, developing client-specific product solutions, manag- ing and growing market relationships, and assisting Marsh offices/colleagues across all industry segments. Since joining Marsh in 2006, Greg has been part of the Financial Institutions & Professional Services Industry Practice and also leads Marsh’s Cyber Risk Practice. Greg speaks regularly on cyber issues, and is on the advisory committee of the International Cyber Risk Management Conference. Christine Maligec, CRM-E, CRIS Risk Management Advisor Covenant Health Gregory L. Eskins, MBA candidate, CRM, CAIB Senior Vice President, Cyber Practice Leader Marsh Canada Exhibit 2 Loss Category Definitions Loss Category Description A Intellectual property (IP) Loss of value of an IP asset, expressed in terms of loss of revenue as a reduced market share, as well as lost investment (R&D). B Business interruption Loss of profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures. C Data and software loss The cost to reconstitute data or software that have been deleted or corrupted. D Cyber extortion The cost of expert handling of an extortion incident, combined with the ransom payment. E Cyber crime/cyber fraud The direct financial loss suffered by an organization arising from the use of computers to commit fraud or theft of money, securities, or other property. F Breach of privacy event The cost to investigate and respond to a privacy breach event, including IT forensics and notifying affected individuals, as well as third-party liability claims arising from the same incident, and fines from regulators and industry associations. G Network failure liabilities Third-party liabilities from certain security events occurring within the organization’s IT network or passing through it (without the organization’s cooperation) in order to attack a third party. H Impact on reputation Loss of revenues arising from an increase in cus- tomer churn or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event. I Physical asset damage First-party loss due to the destruction of physical property resulting from cyber attacks. J Death and bodily injury Third-party liability for death and bodily injuries resulting from cyber attacks. K Incident investigation and response costs Direct costs incurred to investigate and “close” the incident and minimize post-incident losses. This applies to all other categories/events. Source: Marsh Cyber Risk Practice (Marsh Canada Limited). (Reproduction is not permitted without the express written consent of Marsh.)
Risk Watch Spring 2015 The Conference Board of Canada18 BIBLIOGRAPHY International Organization for Standardization (ISO). Risk Management—Risk Assessment Techniques. Mississauga: Canadian Standards Association, December 2010. ––. Principles and Guidelines. 2009. www.iso.org/obp/ui/#iso:std:iso:31000: ed-1:v1:en. McAfee, Intel Security. The Economic Impact of Cyber Crime and Cyber Espionage. July 2013. www.mcafee.com/ca/resources/reports/ rp-economic-impact-cybercrime.pdf. ––. Net Losses: Estimating the Global Cost of Cybercrime—Economic Impact of Cybercrime II. June 2014. www.mcafee.com/ca/resources/reports/ rp-economic-impact-cybercrime2.pdf. U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE). National Exam Program Risk Alert: OCIE Cybersecurity Initiative. April 15, 2014. www.sec.gov/ocie/announcement/ Cybersecurity+Risk+Alert++%2526+ Appendix+-+4.15.14.pdf.

More Related Content

PDF
The case for a Cybersecurity Expert on the Board of an SEC firm
byDavid Sweigert
 
PDF
White paper cyber risk appetite defining and understanding risk in the moder...
bybalejandre
 
PDF
200606_NWC_Strategic Security
byChad Korosec
 
PDF
The cyber-chasm: How the disconnect between the C-suite and security endanger...
byThe Economist Media Businesses
 
PDF
2017 global-cyber-risk-transfer-report-final
byΔρ. Γιώργος K. Κασάπης
 
PDF
Briefing paper: Third-Party Risks: The cyber dimension
byThe Economist Media Businesses
 
PDF
speaking-to-board-securiity-whitepaper
byBilha Diaz
 
PDF
Outsourcing
bykarlhennessy
 
The case for a Cybersecurity Expert on the Board of an SEC firm
byDavid Sweigert
 
White paper cyber risk appetite defining and understanding risk in the moder...
bybalejandre
 
200606_NWC_Strategic Security
byChad Korosec
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
byThe Economist Media Businesses
 
2017 global-cyber-risk-transfer-report-final
byΔρ. Γιώργος K. Κασάπης
 
Briefing paper: Third-Party Risks: The cyber dimension
byThe Economist Media Businesses
 
speaking-to-board-securiity-whitepaper
byBilha Diaz
 
Outsourcing
bykarlhennessy
 

What's hot

PDF
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
bySlideTeam
 
PDF
Cybersecurity in the Boardroom
byMarko Suswanto
 
PDF
Cost of Cybercrime 2017
byPaperjam_redaction
 
PDF
2017 cost of cyber crime study accenture
byjob Titri company
 
PDF
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
bySarah Nirschl
 
PDF
Executive Summary on the Cyber Risk Webinar
byFERMA
 
PDF
CISO_Paper_Oct27_2015
byScott Smith
 
PDF
Leveraging Board Governance for Cybersecurity
byShareDocView.com
 
PDF
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
PPTX
Cybersecurity & the Board of Directors
byAbdul-Hakeem Ajijola
 
PDF
A CIRO's-eye view of Digital Risk Management
byDaren Dunkel
 
PDF
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
byBen Browning
 
PDF
10 Questions for the C-Suite in Assessing Cyber Risk
byMark Gibson
 
PDF
Cover and CyberSecurity Essay
byMichael Solomon
 
PDF
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
byEMC
 
PDF
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
byElizabeth Dimit
 
PDF
What Every CISO Should Learn From the Target Attack
byBooz Allen Hamilton
 
PDF
Ponemon 2015 EMEA Cyber Impact Report
byGraeme Cross
 
PDF
CISO_Paper_Oct27_2015
byJohn Budriss
 
PDF
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
bySlideTeam
 
Cybersecurity in the Boardroom
byMarko Suswanto
 
Cost of Cybercrime 2017
byPaperjam_redaction
 
2017 cost of cyber crime study accenture
byjob Titri company
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
bySarah Nirschl
 
Executive Summary on the Cyber Risk Webinar
byFERMA
 
CISO_Paper_Oct27_2015
byScott Smith
 
Leveraging Board Governance for Cybersecurity
byShareDocView.com
 
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
Cybersecurity & the Board of Directors
byAbdul-Hakeem Ajijola
 
A CIRO's-eye view of Digital Risk Management
byDaren Dunkel
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
byBen Browning
 
10 Questions for the C-Suite in Assessing Cyber Risk
byMark Gibson
 
Cover and CyberSecurity Essay
byMichael Solomon
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
byEMC
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
byElizabeth Dimit
 
What Every CISO Should Learn From the Target Attack
byBooz Allen Hamilton
 
Ponemon 2015 EMEA Cyber Impact Report
byGraeme Cross
 
CISO_Paper_Oct27_2015
byJohn Budriss
 
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 

Similar to Cyber Risks - Maligec and Eskins

PDF
Cybersecurity Risk Management for Financial Institutions
bySarah Cirelli
 
PPTX
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
byTraintechTde
 
PDF
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
bySlideTeam
 
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PPTX
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
byFERMA
 
PDF
Risk Management
byijtsrd
 
PPTX
Information Security and Risk Management.pptx
byprembasnet12
 
PDF
FORUM 2013 Cyber Risks - not just a domain for IT
byFERMA
 
PDF
Department of Homeland Security Guidance
byMeg Weber
 
PDF
NextLevel Cyber Security Executive Briefing
byJoe Nathans
 
PDF
7350_RiskWatch-Summer2015-Maligec
byChristine Maligec, CRM-E, CRIS
 
PDF
Cyber Risk Quantification | Safe Security
byRahul Tyagi
 
DOCX
Cyber Management vfd
byLadd Muzzy
 
PDF
Managing Risk - The Board and Cyber Security
bySophia Stefanatto
 
PDF
DHS Guidelines
byMeg Weber
 
PPTX
How to Make Your Enterprise Cyber Resilient
byAccenture Operations
 
PDF
CRI-Exec-Cyber-Briefings (1)
byOCTF Industry Engagement
 
PDF
Digital economy and its effect on cyber risk
byaakash malhotra
 
PPTX
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
byJay Kesan
 
PDF
Atos wp-cyberrisks
byHenk van der Tweel
 
Cybersecurity Risk Management for Financial Institutions
bySarah Cirelli
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
byTraintechTde
 
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
bySlideTeam
 
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
byFERMA
 
Risk Management
byijtsrd
 
Information Security and Risk Management.pptx
byprembasnet12
 
FORUM 2013 Cyber Risks - not just a domain for IT
byFERMA
 
Department of Homeland Security Guidance
byMeg Weber
 
NextLevel Cyber Security Executive Briefing
byJoe Nathans
 
7350_RiskWatch-Summer2015-Maligec
byChristine Maligec, CRM-E, CRIS
 
Cyber Risk Quantification | Safe Security
byRahul Tyagi
 
Cyber Management vfd
byLadd Muzzy
 
Managing Risk - The Board and Cyber Security
bySophia Stefanatto
 
DHS Guidelines
byMeg Weber
 
How to Make Your Enterprise Cyber Resilient
byAccenture Operations
 
CRI-Exec-Cyber-Briefings (1)
byOCTF Industry Engagement
 
Digital economy and its effect on cyber risk
byaakash malhotra
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
byJay Kesan
 
Atos wp-cyberrisks
byHenk van der Tweel
 

Cyber Risks - Maligec and Eskins

  • 1.
    Risk Watch Spring2015 The Conference Board of Canada 13 I t is widely recognized that the effective use of technology, regard- less of one’s industry sector, is required in order to keep pace and provide a competitive advantage in a globalized economy. In fact, in many cases, it can prove to be a game-changer for an organization’s strategic direction. To achieve its goals, organizations have to work smarter and be more collab- orative—both internally and with their external stakeholders. This article is part of a series that focuses on various aspects of cyber risk. In this first article, we explore the need for a well-established cyber risk framework that is integrated into the organization’s enterprise-wide risk management process; look at some key questions organizations should be asking to help frame these ever-evolving risks; provide some statistics on the financial impacts of cyber risk; and provide a few “what-if” scenarios and their pos- sible impacts and potential mitigation strategies. The spirit and intent of ERM is to instill a culture of cross-functional collabora- tion with the outcome of achieving the organization’s objectives. This includes working strategically and holistically on cyber risks. For instance, organizations should consider what could happen when the corporate security group is not kept in the loop and there is a missed opportunity to avert a known threat. As well, organizations should recognize the outcomes if the information systems and information technology groups didn’t discuss hardware needs for new software purchases. And, specifically, the organiz- ation must consider what would happen to its balance sheet if finance and insur- ance were not involved in the discussion to protect shareholder value. A CYBER RISK FRAMEWORK A cyber risk framework is a well- communicated tool that is supported by cross-functional teams that develop strategic insight and responses to managing these dynamic risks. An established cyber risk framework ensures that your company engages and includes the right subject matter experts in the process at the right time, and is speaking the same language. (See Exhibit 1 for an example of a Cyber Risk Framework.) Elementally, this framework embraces a response where crisis management, investigation, and contractual or financial risk transfer are critical. For instance, according to a McAfee report in 2014, Italy sustained an $875-million economic impact of cyber crimes (actual losses) but the recovery and opportunity costs reached $8.5 billion.1 QUESTIONS FOR FRAMING CYBER RISK The following are a few fundamental questions about cyber risks that organ- izations need to consider. Being able to affirmatively answer any one of those questions will help frame what your organization currently has in place and what work is left to undertake: • Does your company have a written cyber security risk management strategy and governance framework? How is it measured? • What does cyber risk mean to your organization? What is the true nature of the risk (e.g., privacy, reliance on technology/business continuity)? • Is there a culture of awareness among your employees? • Which corporate cyber policies does your organization have in place and are they enforced? Examples include “bring your own device” (BYOD); employee e-mail agree- ments; Internet use, and security violation procedures. 1 McAfee, Intel Security, Net Losses, 18. By Christine Maligec and Gregory Eskins Cyber Risks: Imagining the Possible and Plausible
  • 2.
    Risk Watch Spring2015 The Conference Board of Canada14 • What are your regulator’s expect­ ations for cyber risk standards or controls (e.g., SOX,2 Health Information Act (HIA), Personal Information Protection Act (PIPA)? • Which cyber security controls are currently in place and how often are they tested? • If a material breach or other cyber event were to occur, is there a written/defined crisis management protocol? Has it been tested? • Has your company identified pos- sible and plausible events where your cyber infrastructure could be at risk? 2 The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. THE VALUE OF STRUCTURED “WHAT-IF” (SWIFT) DISCUSSIONS AND SCENARIO ANALYSIS The ISO 31010:2009 risk assessment techniques guide3 describes the SWIFT assessment as “a system for prompting a team to identify risk. Normally used with a facilitated workshop. Normally linked to a risk analysis and evaluation technique.”4 That might be a lot of jar- gon, but it is a conversation starter on the possible and plausible risks. It is more aligned with the risk identification phase of the ISO 31000 ERM Process Model. Additional tools—such as busi- ness impact, or cash flow analysis 3 International Organization for Standardization (ISO), 31010:2009 Principles and Guidelines. 4 International Organization for Standardization, ISO 31000: Risk Management, 23. and stress tests—would be required to further evaluate the cyber risk and add probability and quantum, both pre- and post-mitigation, to understand the organ- ization’s risk appetite. Scenario analysis, however, has a greater time horizon and proves more useful where historical data on prob- ability might not be available. Scenario analysis aids in developing a “series of scenarios … each one focusing on a plausible change in parameters.”5 The advantage is not so much on risk assessment, but being able to review your risk assessments when monitoring changes to your organization’s environ- ment. For these reasons, we will explore 5 Ibid, 41. Exhibit 1 Cyber Risk Framework Source: Marsh Risk Consulting. (Reproduction is not permitted without the express written consent of Marsh.) Cyber Security Assessment 1 • STEP 1: Penetration testing and threat intelligence • STEP 2: Assessment of security framework/ prevention and emergency response Cyber Risk Quantification 2 • STEP 1: Risk tolerance estimation • STEP 2: Risk scenario identification and quantification • STEP 3: Cyber risk modelling • STEP 4: Claim preparation (in case of loss) Risk Transfer Analysis 3 • STEP 1: Contractual risk transfer with third-party practices optimization • STEP 2: Insurance gap analysis and optimization • STEP 3: Estimation of cyber insurance cost Actions Prioritization and Planning 4 • STEP 1: Prioritization of recommendations • STEP 2: Total cost of risk optimization
  • 3.
    Risk Watch Spring2015 The Conference Board of Canada 15 three possible scenarios, as shown below. Still, organizations should imagine the possible and plausible when it comes to their own cyber risks relative to their business. SCENARIO 1: INTERRUPTION BY RANSOMWARE The mid-level manager of an architec- ture and engineering firm received an e-mail with an attachment. The e-mail appeared to be from a client’s dot com address, but the manager did not rec- ognize the sender. Thinking nothing of it, he opened the e-mail attachment, which then took over his computer and eventually the company’s network. The manager and his colleagues sat helplessly in front of their computers as an image appeared and informed them that the company was the victim of ran- somware. They also were told that they had 48 hours to pay $250,000 or their systems and all data would be destroyed. After paying the ransom, the IT depart- ment analyzed the system to find that not only had a number of files been damaged, but blueprints for a client’s proprietary process were copied and had ended up on the Internet. Possible and Plausible Impacts/Losses • Damage to server and critical files • Payment of ransom funds • Intellectual property loss MITIGATION STRATEGIES Damage to Server/Critical Files A well-designed, financial risk transfer program for cyber-related occurrences can assist in a number of ways. “Damage” usually conjures up an image of something being physically broken. However, in the context of cyber risk, damage is typically made to the intan- gible data—a peril most have never experienced. Most people have little to no frame of reference and lack the experience to manage an active response or investigation. Despite the competence of a firm’s internal IT department, the cost of hiring an independent foren- sics team to investigate and preserve evidence (indeed, a crime has been com- mitted) is extremely worthwhile from a couple of perspectives. Engaging a forensic team will provide an objective picture of what has transpired. And, given the team’s specialization, they may be more effective with respect to the confirmation of threat and loss con- tainment, as well as recovery efforts. Second, other parties—e.g., regulators— generally prefer to see an independent analysis (also beneficial in the event the organization is later sued by its clients). Ransom Funds The actual ransom payment may or may not be deemed a material amount. That said, the financial loss can certainly be insured. Beyond the actual payment, management—and, by extension, the organization—may be incapable of con- ducting business while its digital assets are encrypted. What is the impact on the revenue stream? Perhaps revenue is only deferred? But, nonetheless, companies incur additional expenses to continue operations during this time. More likely, there will be a combination of revenue loss and extra expense involved dur- ing the period of restoration. Both the actual loss of revenue and the extra expense incurred to continue operations are insurable. Intellectual Property Loss In general, the most critical asset of any organization is its intellectual property (IP). To the extent that IP is entrusted to a third party, and there is a breach of privacy of such third-party’s IP (i.e., corporate confidential information), a cyber policy can respond by defending in the event of a lawsuit, and potentially pay certain damages. Having said the above, if it were an organization’s own IP that was breached (think cyber espionage), the loss of value is essentially uninsurable at this point in time. SCENARIO 2: WEAK LINK IN THE TECHNOLOGY CHAIN A mid-sized, financial services company moved the majority of its back office operations to a cloud-based solution. The prevailing strategic reasons were cost savings on modernizing servers and software; virtual access—any time, any place; the most up-to-date software; flexibility with IT use and bandwidth; and carbon footprint reduction. The intended outcome of this implementa- tion was to translate into a competitive advantage that could be passed on as savings to the customer, and an increase in shareholder value. The cloud provider experienced a disruption, which took the access to the financial company’s software and to client files off-line for almost a week. This was not a good week for one client that lost several deals and could not meet disclosure requirements with regulators. As a result, several clients did not renew their con- tract or cancelled service. Possible and Plausible Impacts/Losses • First-party loss of business and share value • Third-party financial loss • Shareholder litigation
  • 4.
    Risk Watch Spring2015 The Conference Board of Canada16 MITIGATION STRATEGIES First-Party Loss Many organizations think the biggest expense resulting from a cyber threat is to compensate individuals whose privacy was breached. As such, many think a financial risk transfer program would not add any value to their mitiga- tion planning. For a growing number of organizations, however, business continuity takes precedence on a scale of likelihood and impact. Although large-scale breaches get media atten- tion—and can certainly have a large financial impact on the organization— the business interruption exposure and costs are often overlooked. Third-Party Financial Loss While traditional financial risk transfer programs may provide business inter- ruption coverage (e.g., loss of profits/ income and/or extra expense), they generally will not respond to a cyber event, (i.e., an event that does not cause physical damage). Enter cyber risk insurance. It can be tailored to protect against the financial loss, such as rev- enue (more specifically, gross profits) during an interruption of business oper- ations; the additional expenses incurred during the interruption; and even normal operating costs. The hidden wrinkle in this scenario is that the disruption did not originate within the financial services company and, thus, its exposure is contingent on another firm (its cloud technol- ogy vendor). Given the proliferation of cloud-based vendors—for a variety of business functions—the potential for a material interruption is magnified. Shareholder Litigation Contingent business interruption cover- age is also something that can be addressed via a robust cyber policy. What cannot be insured via a cyber policy is the loss of shareholder value. SCENARIO 3: AN “APP” FOR THAT A major retail chain created and launched an “app”—which scanned smart devices for GPS and browser search information—to create cus- tomized advertisements. After a very successful marketing campaign, hundreds of thousands of shoppers downloaded the app, with many link- ing their profile to other social media and payment accounts. Vulnerability in the code made the app a target for a foreign, organized crime syndicate known for stealing and selling credit card information on the black market to finance terrorism. Possible and Plausible Impacts/Losses • Crisis management and communication assistance MITIGATION STRATEGIES Crisis Management and Communication Assistance Unlike many other insurance products, which are purely a form of risk finan- cing or transfer, cyber policies can pro- vide additional resources in the form of pre- and post-claims services. Pre-claim services may include consultation with a security vendor; vulnerability assess- ments; crisis management simulation, other risk management tools and tem- plates; and/or tabletop exercises aimed at prevention and mitigation. Post-claim services typically include access to a panel of vendors in the areas of foren- sics, legal and public relations, notifi- cation, and remediation (identity theft services). Many organizations have similar internal functions, but perhaps not the level of specialization of external firms. Furthermore, pulling internal individuals away from their core responsibilities will surely negatively impact the business and productivity. Essentially, the costs incurred to conduct a forensic investigation, respond to a regulatory investigation, hire counsel and a public relations firm, and notify and communicate with the affected (and potentially affected) individuals are insurable. Scenario Conclusion In summary, cyber risk requires a clear strategy in order to manage and monitor it effectively. This will lead to an accept- able level of organizational resiliency should any of these scenarios play out. ADDITIONAL INFORMATION Exhibit 2 provides definitions for various loss categories.
  • 5.
    Risk Watch Spring2015 The Conference Board of Canada 17 Christine joined Covenant Health— Canada’s largest Catholic health care organization with over 14,000 phys- icians, employees, and volunteers serving Alberta—as its Risk Management Advisor in 2013. Her role is focused on designing and implementing an ERM framework, along with supporting educa- tion. Prior to this role, Christine served in risk management positions within the entertainment, post-secondary, energy, and construction industries. She also sits on the Northern Alberta Risk & Insurance Management Society Board. As national practice leader, Greg is charged with advising clients on emerging cyber risk issues, developing client-specific product solutions, manag- ing and growing market relationships, and assisting Marsh offices/colleagues across all industry segments. Since joining Marsh in 2006, Greg has been part of the Financial Institutions & Professional Services Industry Practice and also leads Marsh’s Cyber Risk Practice. Greg speaks regularly on cyber issues, and is on the advisory committee of the International Cyber Risk Management Conference. Christine Maligec, CRM-E, CRIS Risk Management Advisor Covenant Health Gregory L. Eskins, MBA candidate, CRM, CAIB Senior Vice President, Cyber Practice Leader Marsh Canada Exhibit 2 Loss Category Definitions Loss Category Description A Intellectual property (IP) Loss of value of an IP asset, expressed in terms of loss of revenue as a reduced market share, as well as lost investment (R&D). B Business interruption Loss of profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures. C Data and software loss The cost to reconstitute data or software that have been deleted or corrupted. D Cyber extortion The cost of expert handling of an extortion incident, combined with the ransom payment. E Cyber crime/cyber fraud The direct financial loss suffered by an organization arising from the use of computers to commit fraud or theft of money, securities, or other property. F Breach of privacy event The cost to investigate and respond to a privacy breach event, including IT forensics and notifying affected individuals, as well as third-party liability claims arising from the same incident, and fines from regulators and industry associations. G Network failure liabilities Third-party liabilities from certain security events occurring within the organization’s IT network or passing through it (without the organization’s cooperation) in order to attack a third party. H Impact on reputation Loss of revenues arising from an increase in cus- tomer churn or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event. I Physical asset damage First-party loss due to the destruction of physical property resulting from cyber attacks. J Death and bodily injury Third-party liability for death and bodily injuries resulting from cyber attacks. K Incident investigation and response costs Direct costs incurred to investigate and “close” the incident and minimize post-incident losses. This applies to all other categories/events. Source: Marsh Cyber Risk Practice (Marsh Canada Limited). (Reproduction is not permitted without the express written consent of Marsh.)
  • 6.
    Risk Watch Spring2015 The Conference Board of Canada18 BIBLIOGRAPHY International Organization for Standardization (ISO). Risk Management—Risk Assessment Techniques. Mississauga: Canadian Standards Association, December 2010. ––. Principles and Guidelines. 2009. www.iso.org/obp/ui/#iso:std:iso:31000: ed-1:v1:en. McAfee, Intel Security. The Economic Impact of Cyber Crime and Cyber Espionage. July 2013. www.mcafee.com/ca/resources/reports/ rp-economic-impact-cybercrime.pdf. ––. Net Losses: Estimating the Global Cost of Cybercrime—Economic Impact of Cybercrime II. June 2014. www.mcafee.com/ca/resources/reports/ rp-economic-impact-cybercrime2.pdf. U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE). National Exam Program Risk Alert: OCIE Cybersecurity Initiative. April 15, 2014. www.sec.gov/ocie/announcement/ Cybersecurity+Risk+Alert++%2526+ Appendix+-+4.15.14.pdf.