This document summarizes cyber risks and insurance responses. It discusses evolving cyber threats facing European companies and how cyber risks are not just an IT issue. Key points include: most clients are extremely concerned about cyber attacks; the top causes of data breaches are hacking and stolen credentials; and cyber insurance claim volumes have risen significantly in recent years. The document also outlines how cyber insurance can help respond to incidents by providing services like breach coaching, legal defense, forensic investigations, and crisis management. Finally, it discusses challenges with relying solely on traditional insurance policies to address cyber risks and the need for specialized cyber insurance products and risk mitigation strategies.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets, by Ulf Mattsson
The Verizon 2017 Data Breach Investigations Report findings relate specifically to the occurrence (likelihood) of security breaches leading to data compromise. The information, provided in aggregate, is filtered in many ways to make it relevant to you (e.g., by industry, actor motive). It is a piece of the information security puzzle, an awesome corner piece that can get you started, but just a piece nonetheless. This session will discuss the new targets that are identified and some solutions.
Aon's cyber capabilities can support organisations in embracing a risk-based approach. This facilitates the deployment of a more effective cyber insurance strategy to help optimise the total cost of risk associated with cyber exposures.
Cyber Security Planning: Preparing for a Data Breach, by Fletcher Media
Presented by Clark Insurance in Portland, Maine, this two-hour seminar featured lead panelists in the privacy security business.
This presentation reviews all aspects of a data breach, from preparation and discovery through plan implementation, cyber insurance, and crisis communication and PR policies and protocols.
This presentation discusses the ever-increasing threat of cyber crime and how social media, mobile devices and cloud computing make an interesting point of attack. Cyber security is only becoming more important due to the spread of new platforms, increasingly available and easy-to-use exploit kits, and attacks that are becoming more sophisticated and more targeted.
We found that while cyber security was named as the topmost future tech adoption for organizations in 2019, cyber security is now the second tech priority for 2021 but with a higher budget than previously allocated. We also discovered that cloud security currently holds more importance with CISOs, CTOs and CIOs than data security and privacy.
EY Principal and Cyber Threat Management Leader Anil Markose shows you best practices for cyber risk management and how to sense, resist, and react to cyber attacks on your company.
Coronavirus has created new challenges for global IT teams. Join our experts to learn about the four areas of enterprise risk brought about by this global pandemic and what your IT team can do to lessen your exposure and limit the financial fallout.
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ..., by Proofpoint
Ponemon 2020 Cost Report for Insider Threats: Key Takeaways and Trends. How much could insider threats cost your company annually? $11.45M, according to a new report from the Ponemon Institute, up from $8.76M in 2018. Ponemon's 2020 Cost of Insider Threats Report surveyed hundreds of IT security professionals across North America, EMEA, and APAC, covering multi-year trends that prove the significance of this rapidly growing threat type. Join Larry Ponemon, Chairman and Founder of the Ponemon Institute, and Josh Epstein, CMO at ObserveIT, a Proofpoint company, in a webinar to break down the key findings of the 2020 report. We will cover:
• What kinds of insider threats cost organizations the most
• How investigations are driving up the cost per incident for companies
• Which organizations, industries, and regions are being targeted the most
• How companies can potentially save millions by using a dedicated insider threat management approach
In this report we share our insight on the recruitment of cyber security professionals including information regarding the key drivers in the cyber security market, permanent and contract recruitment trends, transferable skills, the top job titles, salaries and qualifications analysis, a heat map of skills demands/talent pools across the UK, concluding with recommendations on attracting and retaining cyber security talent.
Gowlings - November 12, 2014
In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection: cyber is a strategic business risk
• Risk management strategies
• Best practices in breach response
This paper introduces the concept of Supply Chain Risk Management. It identifies various risks and explains the process of managing these risks. With technology in place, automation of some of the processes brings down the risks involved. Sadly, many companies are not adequately automated to address these issues. The paper also highlights how information technology can be adopted in certain areas of the supply chain to ensure visibility and reduce risk occurrence.
Implementing a Security Management Framework, by Joseph Wynn
Given at the Pittsburgh ISSA April 2017 chapter meeting.
This presentation discussed how to improve the success of your information security program by organizing it using a security management framework.
Top 10 Leading Fraud Detection and Prevention Solution Providers, by Merry D'souza
CIOLOOK presents its edition of Top 10 Leading Fraud Detection and Prevention Solution Providers. Featured as its cover story is "Kaspersky is to save the world". Kaspersky is a global cybersecurity company founded in 1997 with its roots in antivirus solutions. Its mission is simple: to build a safer world.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: Sean McCloskey, Program Manager, Cyber Security Evaluations Program, DHS
Description: With all the constant innovation in cyber, what is "cutting edge"? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
IDC developed a set of cybersecurity case studies of US commercial organizations in order to learn: What security problems they have experienced, changes that they have made to address them, and new underlying security procedures that they are exploring.
Accountability for Corporate Cybersecurity - Who Owns What?, by Henry Draughon
Data breaches have progressed from low probability, high consequence events to high probability, high consequence events. This shift requires that senior executives become more involved to help reduce financial impact and protect their companies' reputation and brand.
Cybersecurity frameworks like NIST, HITRUST, PCI DSS, COBIT, and OSI provide the structure to facilitate senior executive participation. The technical perspective, sophistication, and complexity of frameworks can lead to silos of cybersecurity management. Cross-functional accountability for effective corporate cybersecurity management is required.
A Responsibility Assignment Matrix within a cybersecurity framework can visually and effectively illustrate cross-functional ownership of the corporate cybersecurity plan. Ownership of the creation and maintenance of the corporate security plan should remain with either the security or IT department. Many aspects of cybersecurity accountability naturally reside outside of the security and IT departments.
Please visit this site and explore how corporate accountability can be incorporated with cybersecurity planning.
http://processdeliverysystems.com/v2pds_nist/index.htm
Click here to download the presentation Accountability for Corporate Cybersecurity, Who Owns What?
http://processdeliverysystems.com/v2pds_nist/documents/PDS_Accountabiliy_NIST_Cybersecurity_Framework.pdf
Click here to download the Responsibility Assignment Matrix for the NIST Cybersecurity Framework.
http://processdeliverysystems.com/v2pds_nist/documents/PDS_NIST_Cybersecurity_Framework_RACI.pdf
We welcome your questions, insights, and comments.
Data Security: Why You Need Data Loss Prevention & How to Justify It, by Marc Crudgington, MBA
With the increasing number of cyber-attacks, and incidents that seem to occur weeks, months or even years before the breach is discovered, simply securing your perimeter is no longer enough to protect your most critical assets. Privacy breaches are averaging upwards of $200 per record, and studies have shown that intellectual property infringement costs the average company $101.9 million in revenues.
Key points addressed include:
• The impact of cyber crime on our economy
• The cost companies are incurring due to cyber crime and data breaches
• Who are the threat actors?
• What makes up a Data Loss Prevention ecosystem?
• What does a Data Loss Prevention strategy do for me?
• Hidden benefits of Data Loss Prevention
• Justifying a Data Loss Prevention strategy
Aon Retail & Wholesale Inperspective Nov 2016, by Graeme Cross
A rapidly shifting social, business, political and economic environment is placing UK retailers on continuous watch as they adapt and react to new threats and challenges.
Historic risk management norms like crime and security are giving way to external threats in the registers of modern companies; but many of these are intangible such as protecting brand equity and are often considered very hard to measure or mitigate.
Meanwhile, the increasing influence of technology affects almost every corner of the industry, from distribution and the way shoppers interact with a brand to the supply chain and its continuing search for peak efficiency.
As a result, technology, rather than store networks or stock, is becoming one of the single greatest assets and vulnerabilities identified by the industry's risk management community.
6th Reinsurance Meeting - The Evolution of Cyber Risk and its Impact on Insurance - Kara..., by CNseg
Lecture presented by Kara Owens at the 6th Reinsurance Meeting of Rio de Janeiro, held on 5 and 6 April 2017 at the Sofitel Copacabana hotel.
Keynote in NYC: The Next Breach Target and How Oracle Can Help - NYOUG, by Ulf Mattsson
Old security approaches are based on finding malware and data leaks. This is like "boiling the ocean," since you are "patching" all possible data paths and data stores, and you may not even find a trace of an attack. New security approaches assume that you are under attack and focus instead on protecting the data itself, even in computer memory (the "target" for a growing number of attacks). This session discusses what companies can do now to prevent what happened to Target and others processing PII, PHI and PCI data. The Oracle Big Data Appliance is a critical part of the solution.
EU/US boards' approach to cyber risk governance - webinar presentation, by FERMA
The 4th webinar is being hosted by the European Confederation of Directors' Associations (ecoDa), AIG, and the Federation of European Risk Managers' Associations (FERMA) and in close cooperation with the Internet Security Alliance (ISA).
It includes a risk manager's perspective on the necessity of providing organisations with decision-support tools for mitigation and with recommendations for risk transfer.
Omlis Data Breaches Report - An Inside Perspective, by Omlis
The rise in digital and mobile financial services has brought an increase in data breaches over the last few years. The digital revolution has undermined the traditional framework used to regulate financial institutions, which has led to areas of vulnerability within their security systems.
In the report, Data Breaches: An Inside Perspective, Omlis conducted in-depth interviews with experienced cyber security professionals to understand why TFIs (traditional financial institutions) aren't adequately addressing security weaknesses.
In our research, the discussions centered on the types of security systems employed by TFIs, personal and industry-wide attitudes to security, and the types of security measures used to prevent breaches.
The findings indicate that TFIs' current preference for technology creates an increasingly complex system with associated vulnerabilities, one that ultimately requires greater manual input for maintenance and updates.
There are also issues related to the attitudes of employees and difficulties in implementing comprehensive and in-depth incident strategies.
Taking this into account, the report suggests a new direction for TFIs' security systems to provide secure, innovative solutions.
Breaking Down the Cyber Security Framework: Closing Critical IT Security Gaps, by IBM Security
Cyber crime is pervasive and here to stay. Whether you work in the public sector or the private sector, are the CEO of a Fortune 500 company or are trying to sustain an SMB, everyone is under attack. This February, President Obama issued an executive order aimed at protecting critical business and government infrastructure, because the scale and sophistication of IT security threats have grown at an explosive rate. Organizations and government agencies have to contend with industrialized attacks which, in some cases, rival the size and sophistication of the largest legitimate computing efforts. In addition, they also have to guard against a more focused adversary with the resources and capabilities to target highly sensitive information, often through long-term attack campaigns. Many security executives are struggling to answer questions about the most effective approach.
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee..., by PECB
95% of cybersecurity breaches are due to human error. That's what Cybint's facts and stats article shows.
Given this high percentage of risk that might lead to greater loss, organizations should be well aware of the processes and procedures they have in place. Decisive for avoiding breaches is that everyone in the organization is able to understand and detect potential threats beforehand and react in a quick and effective way.
The webinar will cover:
• The most recent attacks, such as supply chain attacks
• Trends and statistics
• The impacts of the pandemic on cybersecurity landscapes, closing the gaps in remote workforce security
• How to improve your organization's cybersecurity posture by asking the right questions and implementing a tiered approach
Recorded Webinar: https://youtu.be/Q5_2rYjAE8E
Cloud, Compliance and Advanced Threats: Security Considerations for the..., by Cristian Garcia G.
The evolving threat landscape, based on our recently published ISTR (Annual Internet Threat Report, Vol. 24), reflects the latest trends and how they apply to Colombia and Latin America. The main digital transformation trends, such as cloud and mobility, together with new security challenges, have changed the cybersecurity landscape, so the strategy must be framed in terms of key risks, regulations and findings on security maturity. Recommendations for focusing and improving cybersecurity postures to address these trends, including key frameworks, technologies, processes and cultural changes, are an integral part of the next steps.
Form Responses 1TimestampUntitled QuestionRisk TableRisk IDID Da.docx, by alisondakintxt
Risk Table

| Risk ID | Date | Cause(s) | Risk Name | Consequence | Risk Details | Risk Owner (Responsible Person or Group) | Probability | Impact | Risk Score | Response Action Type | Response Actions |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 11/6/22 | Internet problems | Technological | Zero access to systems | Poor internet due to ISP issues | Internet provider | Likely | Minor | Acceptable Risk: Medium | Transfer | Automatic recovery |
| 2 | 11/6/22 | Incorrect information/data | Data loss | Incomplete information/data | Data in transit is corrupted | Cloud service provider | Unlikely | Major | Acceptable Risk: Medium | Avoid | Use of software that will check the integrity of data |
| 3 | 11/6/22 | Denial of service | Vendor | Revenue loss / system outage | Users cannot access the system | Vendor | Likely | Major | Acceptable Risk: Medium | Transfer | Automatic recovery |
| 4 | 11/6/22 | Cloud service management interface | Remote access to management interface | Since the cloud service is public, it poses a risk that hackers can access the systems remotely | Most of the management activities are connected through the cloud and, if hacked, can cause major problems | Cloud service provider | Very Likely | Major | Unacceptable Risk: High | Avoid | Implement protection mechanisms |
| 5 | 11/6/22 | Programming error | Technological | Software ceases to work | Inability to have any work done | Ballot Online | Very Likely | Minor | Acceptable Risk: Low | Avoid | Have a fallback option |
| 6 | 11/6/22 | Data loss | Data loss | Both company and client data lost | Occurs when no backup facility has been initiated | Cloud service provider | Unlikely | Moderate | Acceptable Risk: Low | Mitigate | There has to be a backup system put in place |
| 7 | 11/6/22 | Information stored by the cloud service provider is compromised | Data breach | Company data becomes publicly accessible | Cloud service provider does not take breaches seriously, failing to conduct tests | Cloud service provider | Likely | Major | Unacceptable Risk: Extremely High | Avoid | Obtain assurance from the provider that such a risk cannot occur |
| 8 | 11/6/22 | Password breach | Either insider or outsider | Unauthorized access | Password being too weak | Personnel or IT department | Very Likely | Major | Unacceptable Risk: High | Mitigate | Come up with a strict password policy |
| 9 | 11/6/22 | Data breach | Hackers / vendor | Compromised data | Occurs when sensitive data has been exposed | Cloud service provider | Very Likely | Major | Unacceptable Risk: Extremely High | Transfer | Data monitoring |
| 10 | 11/6/22 | Fire/flood | Environmental | Property damage | Extreme weather or disasters | Ballot Online / cloud service provider | Unlikely | Major | Unacceptable Risk: Extremely High | Accept | Disaster recovery measures |
Similar to FORUM 2013 Cyber Risks - not just a domain for IT
FERMA contribution to the French Presidency agenda, by FERMA
FERMA thought paper highlights the links between its work and the priorities of the French Presidency in three key areas:
Economic recovery (systemic risks and risk transfer, including captives)
Digital issues (cyber risks and cyber insurance)
Ecological transition (sustainability and insurability)
For each of these categories, FERMA presents the challenges faced by European businesses, explains how risk management contributes to the ambitions of the French Presidency and asks European policymakers for specific measures during this period.
The role of risk management in corporate resilience, by FERMA
The report presents the views of risk and insurance professionals and senior executives about a post-pandemic view of resilience management in their organisations across sectors globally in the summer of 2021.
Webinar: the role of risk management in corporate resilience, by FERMA
FERMA and McKinsey will present the findings of our survey into resilience and risk management. The objective is to give risk and insurance professionals a richer understanding of resilience in a strategic and practical way. Two leading risk managers will discuss the results of our survey and will reflect more broadly on the link between risk and resilience. By the end of the webinar, you will be well versed in resilience from an enterprise risk management perspective.
People, Planet & Performance: sustainability guide for risk and insurance man..., by FERMA
On 31 March, FERMA releases the first guide specifically for European risk managers on sustainability risks.
People, planet, performance – The contribution of Enterprise Risk Management to Sustainability provides practical guidance on incorporating sustainability goals into enterprise-wide risk management.
Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn..., by FERMA
Philips Global Resilience Platform: Breaking down silo approach of departments by collaborating in multidomain platform making our company more resilient
Argo Group: entry for Emerging Risk Initiative of the Year Award 2020, by FERMA
Adam Seager, Chief Risk Officer of Argo Group, demonstrates the context, challenges and solutions he put in place for Argo Group during a time of crisis like the COVID-19 pandemic.
George Ong, Chief Risk Officer, Northern Ireland Water, by FERMA
Nominations for the Public Sector Risk Manager of the Year for the European Risk Management Awards 2020.
George Ong is the Chief Risk Officer for Northern Ireland Water (NIW), a Government Owned Company (GoCo). George joined the business in 2006 with a clear remit of implementing a risk and insurance management system, given that the "Government Protection" was to be removed from 1st April 2007. Since then George has worked to adapt, enhance and embed risk management arrangements within NIW, and has developed partnerships with businesses, communities and institutions to improve resilience for the Company and the community. #euroriskawards
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...FERMA
FERMA's joint webinar with RIMS on 1 December provided insights into the way risk managers have experienced and dealt with the global pandemic and its consequences.
FERMA and RIMS teamed up to bring you content from both sides of the Atlantic Ocean. The webinar began with a presentation of the results from FERMA's COVID-19 survey, and then took a Transatlantic view on commonalities and differences.
Speakers:
Athina Pehrman, Group Risk Manager at Electrolux Professional Group, a sustainability leader in the appliance industry
Melanie Steiner, Board Member, US Ecology, Inc. a leading provider of environmental services to commercial and government entities. Former CRO
Typhaine Beaupérin, CEO of FERMA, moderator.
European Risk managers have helped maintain the continuity of their organisations during the pandemic crisis. They have participated in task forces and crisis units, promoted communication, supported new working practices, pursued insurance recoveries where possible and begun work on recovery, according to a survey published by the Federation of European Risk Management Associations (FERMA): https://www.ferma.eu/publication/covid-19-ferma-survey-shows-risk-managers-contributions-to-response-and-resilience/
GDPR & corporate Governance, Evaluation after 2 years implementationFERMA
FERMA's live joint webinar with ECIIA on Monday 28 September gathered more than 300 participants
The objective of this joint webinar was to take stock of where we stand after 2 years of GDPR implementation and the practical consequences on businesses. For this, FERMA and ECIIA (European Confederation of Institutes of Internal Auditing) invited the following speakers:
- Olivier Micol, Head of Data Protection Unit at the European Commission, Directorate-General for Justice. He highlighted key elements of the recent GDPR evaluation report of the European Commission, shared the latest data and feedback from companies and civil society. He also gave an overview of future planned initiatives.
- Jérôme Avot, Group Risk Officer and Data Protection Officer at Faurecia, a global leader in automotive technology. "The GDPR served as a common thread from the start to the end of the project. We feel we have turned what might have been perceived as a constraint into an opportunity."
- Ralf Herold, Senior Vice President, Corporate Audit BASF, a leading chemical company. He is an expert in GDPR as Germany was a pioneer in this piece of legislation.
Jérôme Avot and Ralf Herold shared their experience as a Risk Manager and DPO and as an Internal Auditor by exchanging on the changes that the GDPR involved within their companies.
https://www.ferma.eu/webinar-replay-gdpr-corporate-governance-evaluation-after-2-years-implementation/
The European risk manager report 2020: webinar presentationFERMA
This 2020 edition is the opportunity to deepen four challenges that the Risk Manager is facing today:
his growing role in digital transformation
his contribution to sustainability
tougher insurance market conditions
education and skills evolution
The objective of this report is to launch the discussion on the new challenges posed by the European transition to climate neutrality and digital leadership for Risk Managers. How are the roles and responsibilities of European Risk Managers evolving in the face of this new reality? Are Risk Managers equipped to support their organizations in achieving this double transformation?
Our live webinar was scheduled on Monday 29 June 2020: risk managers from different backgrounds shared their experiences on the below themes and reacted to the results of the survey, in particular before and after the Covid-19 crisis.
The speakers were:
Adriana Cavaliere : Corporate Risk Manager at Skeyes, Belgium
Oliver Wild: Group Chief Risk, Insurance and Internal Control Coordination Officer at Veolia, France
Charlotte Hedemark: Chairman of the 2020 FERMA Survey Committee and Board Member of FERMA
Françoise Bergé: PwC Partner
FERMA European Risk Manager Report 2020: full set of results FERMA
Webinar: Why risk managers should look at Artificial Intelligence now?FERMA
Risk Managers can be key actors in highlighting to the organisation leadership the opportunities and challenges of AI technologies
On 19 May, the objective of this webinar was to discuss:
How AI can be implemented into the risk management practices?
Which opportunities is AI creating for better risk management?
What are the highlights of the European Commission's risk-based approach to Artificial Intelligence?
Speakers were:
Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space and FERMA Board member, will highlight the key findings from FERMA's report on "AI applied to Risk Management".
Irina Orssich and Eric Badiqué are both working for the European Commission as Team leader and Adviser for Artificial Intelligence in the Unit for Technologies and Systems for Digitising Industry. They will present the Commission's White Paper on AI and the other EU initiatives which aim at strengthening the EU legal framework regarding AI applications, especially in the field of privacy.
GDPR & corporate governance: the role of risk management and internal audit o...FERMA
The webinar discussed the full results and recommendations of a joint project between FERMA and the European Confederation of Institutes of Internal Auditing (ECIIA), to assess how the EU General Data Protection Regulation (GDPR) impacted our professions, one year after its enforcement. This webinar helped to know:
- To which extent the risk manager and the internal auditor are involved in the GDPR corporate implementation
- How GDPR has affected the interactions between risk management, internal audit and Data Protection Officer (DPO)
- What are the best practices and recommendations to embed personal data protection in the risk and audit governance of your organisation
After one year of GDPR implementation, FERMA and ECIIA sent in May a common basis of five questions to their risk and internal audit members.
The objectives were to:
- Evaluate the roles of the risk management and internal audit functions regarding the GDPR and personal data related risks
- Provide a unique insight into the implementation of the GDPR by companies to the European policymakers
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...FERMA
This paper is a collaboration between FERMA and the European Confederation of Internal Audit Institutes ECIIA and focuses on the impacts of the GDPR on corporate governance practices in the year following its implementation. Most specifically, it looks at the roles played by internal audit departments and risk management functions.
Ferma report: Artificial Intelligence applied to Risk Management FERMA
FERMA brought together a group of experts from within and beyond the risk management community to develop the first thought paper about AI applied to risk management.
Their aim was to perform an initial assessment of the potential value of AI to improve enterprise risk management (ERM), and second, to understand how risk managers can be key actors in highlighting to the organisation leadership the opportunities and challenges of AI technologies.
The working group expects that corporate risk management will benefit from AI in several areas. "From its ability to process large amounts of data to the automation of certain risk management repetitive and burdensome steps, AI could allow risk managers to respond faster to new and emerging exposures. By acting in real time and with some predictive capabilities, risk management could reach a new level in supporting better decision making for senior management."
This paper aims to guide risk managers on applying AI from a basic understanding to developing their own strategy on the implementation of AI. It includes an action guide and a template for risk managers to develop their own AI risk management roadmap.
Webinar: how risk management can contribute to sustainable growth?FERMA
This webinar will help risk management and sustainability practitioners apply enterprise risk management (ERM) concepts and processes to environmental, social and governance-related risks (ESG)
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or make invisible some fields in Odoo, commonly by using the "invisible" attribute in the field definition. This slide will show how to make a field invisible in Odoo 17.
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
A Strategic Approach: GenAI in EducationPeter Windle
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. Synthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate "any matter" at "any time" under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
FORUM 2013 Cyber Risks - not just a domain for IT
1. Cyber Risks – Not Just a Domain for IT
The Evolving Threat to Companies in Europe and Risk Transfer
Tracie Grella, Global Head of Professional Liability, AIG Property Casualty
2. Client Perception
How concerned are you about this type of risk for your company?
1. Cyber Risks: 86%
2. Loss of Income: 82%
3. Property Damage: 80%
4. Workers Compensation: 78%
5. Utility Interruption: 76%
6. Securities and Investment Risk: 76%
7. Auto/Fleet Risk: 65%
All audiences agree:
• 74% of clients believe human error is a significant source of cyber risk
• 82%: hackers are the primary source of cyber threats
• 80%: IT is difficult to keep up with cyber threats because they are evolving so quickly
8/10/2013
3. Cyber Crime Attacks
• 43% of organizations in the EuroZone experienced more than 3 attacks
• 65% of companies across 62 countries are extremely concerned about cyber attacks
• Top banks in the UK claim that cyber attacks now represent a major threat to their stability
Causes of a Data Breach (Verizon Data Breach Report 2013 and AIG)
• Threat Actions: Hacking 52%, Social Tactics 29%
• Threat Agents: Organized Crime 52%, State Sponsored 19%, Insiders 14%
• 50% of insiders who committed sabotage were former employees taking advantage of security that was not disabled
• 4 of 5
• 70% of breaches were spotted by an external party, 9% were spotted by customers
• 76% of network intrusions exploited weak or stolen credentials
(Verizon Data Breach Report 2013)
Cyber Trends
• Claim volume up by 67% in 2012 and 71% in 2013 (AIG)
• Only 20% of middle market and large organizations purchase cyber (AIG)
DLA Piper CIO Daniel Pollick: "There has been a change in atmosphere in the past 18 months. Governments are taking cyber security more seriously and are pushing it to the top of business agendas"
4. Country Exposure
• Italy: 16,456 hacks against organizations in 1st half of 2013, up 57% from the same time last year
• UK: cost of cyber crime is £27bn
  • Cost to UK business estimated £21bn
  • Average cost of resolving a data breach is £2.04m
• Belgium: cost of cyber crime EUR5bn
• Ireland: 37 breaches in 2012, with 68 over the last 3 years
• Russia: number of cyber crimes grew 33% in 2012
• Germany: cost to German business EUR43bn
• Scotland: total cost of cyber crime is £5bn; every minute £158 is lost
5. Business Enterprise Risk
Typical Hourly Cost of Downtime by Industry (in US Dollars)
Brokerage Service: 6.48 million
Energy: 2.8 million
Telecom: 2.0 million
Manufacturing: 1.6 million
Retail: 1.1 million
Healthcare: 636,000
Media: 90,000
*Source: Network Computing, the Meta Group and Contingency Planning Research
• Employees can't access systems
• Consumers can't access your product
• You disrupt a 3rd party's supply chain
• Unexpected costs
• Reputation damage
• Stock drops
• Investigations
6. Business Enterprise Risk
Employees can't access systems
• Down for an extended period
Consumers can't access your product
• Loss in net sales
• Infrastructure
• Breach of service agreements
Reputation damage
• Cost to your brand
• Consumer churn
• Loss of contracts or other business opportunities
• Business lost to competitors
• Coupons and discounts
You disrupt a 3rd party's supply chain
• Inability for upstream production or delivery
• Legal penalties for breach of contractual obligations
Stock drops
• Average stock drop related to a cyber event: 5%
Unexpected costs
• Business continuation costs
• Critical computer components damaged
• Re-uploading and patching of system critical software
• Replacing lost or destroyed data sets
Investigations
• Own internal
• Regulatory
• Shareholder discovery
Typical Hourly Cost of Downtime by Industry (in US Dollars): Brokerage Service 6.48 million; Energy 2.8 million; Telecom 2.0 million; Manufacturing 1.6 million; Retail 1.1 million; Healthcare 636,000; Media 90,000
*Source: Network Computing, the Meta Group and Contingency Planning Research
7. How Insurance Can Respond
Elements of the response diagram (repeated on slides 7 to 14, each slide expanding one element): PRE BIND SOLUTIONS; INCIDENT / BREACH; INVESTIGATION; NOTIFICATION; FORENSICS; LEGAL / PR; FINES
8. How Insurance Can Respond: Pre Bind Solutions
• Awareness & Education
• Loss Mitigation Tools
9. How Insurance Can Respond: Incident / Breach
• Cyber Extortion
• Business Interruption
• Crisis Management
• Loss of Clients
• Stock Drop
10. How Insurance Can Respond: Investigation
• Costs to Identify Exposed Records
• Contain the Breach
• Restore Data
11. How Insurance Can Respond: Legal
• Breach Coach and Legal Defense
• Legal Costs to Aid Victims of ID Theft
12. How Insurance Can Respond: Notification
• Mandatory Notification: Telecomm; countries: Austria, Germany, Norway, Spain
• Voluntary Notification
• Regulators
• Individuals
• Credit Monitoring
13. How Insurance Can Respond: 3rd Party Liability
• Shareholders
• Client
• Regulatory
14. How Insurance Can Respond: Fines
• Administrative
• Industry Standards: PCI
15. Cyber risks – not just a domain for IT
October 1, 2013
Kevin P. Kalinich, J.D.
Global Practice Leader – Cyber Insurance
Aon plc
Kevin.Kalinich@aon.com
16. Cyber Insurance Outline
• 2013 Evolving Trends
  o Financial Statement Impact
  o Board of Directors Issue
  o All Industries Impacted
• Cyber Risk Identification
  o Classify, Qualify & Quantify
• Risk Mitigation
• Existing Insurance Policy Gap Analysis
17. 2013 Evolving Trends
• EU Organizations increasing reliance on evolving technologies
  o Mobile (including payments)
  o Cloud Computing
  o Social Media
  o Data Analytics ("Big Data")
  o Third Party Vendor Issues
• Payment Card Industry Data Security Standards: Fines & Penalties
• Data transfers to US in wake of NSA
• Cyber Risks Financial Statement Impact
  o Actuarial Modeling
  o Board of Directors Liability?
➢ Hacker steals data of 2 million Vodafone Germany clients
➢ British police arrest eight over cyber theft at Barclays
Managing Cyber Security as Business Risk: Cyber Insurance in the Digital Age (August 2013: http://assets.fiercemarkets.com/public/newsletter/fiercehealthit/experian-ponemonreport.pdf)
http://www.emwllp.com/news/confidentialinformation-theft-cases-reach-record-high/
Aon Risk Solutions EMEA
Proprietary & Confidential |
21. Proprietary Cyber Risk Discovery Process
Phases: Needs Diagnostic; Program Design & Marketing; Customized Ongoing Services; Risk Transfer
Areas covered:
▪ Procurement Process
▪ Vendor Diligence
▪ Limitation of Liability
▪ Cloud
▪ New Products and/or Services
▪ Quality Controls
▪ Employee Training
▪ Contract Management
▪ Dispute Resolution
▪ Content development/clearance
▪ Intellectual Property Review
▪ Data Risks
▪ Privacy Policy
▪ Security Controls
▪ Data Breach Response Plan
22. Cyber Risk Actuarial Analysis growing
▪ RISK vs. UNCERTAINTY
▪ RISK = Something you can put a price on (e.g. exactly 1 chance in 11 to hit an inside straight in Texas Hold'Em)
▪ UNCERTAINTY = risk that is hard to measure (e.g. Cyber exposure frequency & severity)
▪ "We ignore the risks that are hardest to measure, even when they pose the greatest threats to our well-being" -- Nate Silver, The Signal And The Noise: Why So Many Predictions Fail – But Some Don't
• Review Comparable Cyber Losses
• Peer Benchmarking
• Monte Carlo Simulations
• Financial Impact Options
  • Risk Acceptance
  • Risk Avoidance
  • Risk Retention
  • Risk Transfer
    • Contractual Allocation
    • Cyber Insurance
➢ Risk mitigation is key in all cases
➢ Board of Directors Liability?????
➢ Integrate with Enterprise Risk Management
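The frequency-and-severity Monte Carlo that the slide lists, carried through to a retention-versus-transfer split, as an added example that is not part of the Aon deck; the event rate, the lognormal severity parameters and the policy layer are constructed assumptions, not figures from the presentation.

```python
"""Frequency/severity Monte Carlo for annual cyber loss with a retention/limit layer.

Added example (not from the Aon/AIG deck). The event rate, the lognormal severity
parameters and the policy layer used below are constructed assumptions, not
figures taken from the presentation.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Layer:
    """One cyber policy layer: the insured retains losses up to `retention`,
    the insurer pays the next `limit`, and anything above that falls back
    on the insured (the uninsured tail)."""
    retention: float
    limit: float

    def split(self, gross: float) -> tuple[float, float]:
        """Return (retained, transferred) for one year's aggregate loss."""
        transferred = min(max(gross - self.retention, 0.0), self.limit)
        return gross - transferred, transferred


def sample_poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in a year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(freq: float, sev_median: float, sev_sigma: float,
                           years: int, seed: int) -> list[float]:
    """Simulate `years` independent years of aggregate loss.

    freq       -- expected number of loss events per year (Poisson rate)
    sev_median -- median cost of one event (lognormal severity)
    sev_sigma  -- lognormal sigma; larger means a heavier tail
    """
    rng = random.Random(seed)  # seeded so a run is reproducible
    mu = math.log(sev_median)
    losses = []
    for _ in range(years):
        n_events = sample_poisson(freq, rng)
        year_total = sum((rng.lognormvariate(mu, sev_sigma) for _ in range(n_events)), 0.0)
        losses.append(year_total)
    return losses


def percentile(values: list[float], q: float) -> float:
    """Empirical q-quantile (0 < q <= 1) by nearest rank."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses: list[float], layer: Layer) -> dict[str, float]:
    """Expected and tail (95th percentile) loss, gross and after the layer."""
    retained, transferred = zip(*(layer.split(g) for g in losses))
    return {
        "expected_gross": mean(losses),
        "gross_p95": percentile(losses, 0.95),
        "expected_retained": mean(retained),
        "expected_transferred": mean(transferred),
        "retained_p95": percentile(list(retained), 0.95),
    }


if __name__ == "__main__":
    # Constructed scenario: 0.8 events/year, median event cost 250k, sigma 1.5;
    # the insured keeps the first 100k of each year's loss and buys 1M of cover.
    annual = simulate_annual_losses(freq=0.8, sev_median=250_000, sev_sigma=1.5,
                                    years=20_000, seed=7)
    report = summarize(annual, Layer(retention=100_000, limit=1_000_000))
    for name, value in report.items():
        print(f"{name:>22}: {value:>14,.0f}")
```

Comparing `gross_p95` with `expected_gross` shows the gap between the priced "risk" and the hard-to-measure "uncertainty" the slide contrasts, and `retained_p95` is what the insured still carries after the layer.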
23. Risk Mitigation
• Comprehensive Cyber Risk Mitigation Program: Need Management Support
• Although IT Security & Use policies are important, it is MUCH MORE THAN AN IT SECURITY ISSUE
• Engage inter-departmental coordination and cooperation
  • Risk Management
  • Finance/Treasury
  • Legal
  • Human Resources
  • CIO, CPO, CISO, etc.
  • IT Security
• Education on Legal Exposures: train & monitor employees & all others
• Ensure Compliance with Organization's Privacy Policy regarding 3rd party Personally Identifiable Information
• Data Breach Management Policy – continuously update
• Third Party Exposures
  • Vendor/Supplier Management
  • Contractual Considerations
  • Vendor/Supplier Audits
24. Sample 10 Questions To Ask
Question, followed by takeaways/possible conclusion:
1. Do you have an Information Security Policy?
   Most will say yes. If no, it would suggest a lack of awareness of the issues and therefore they would be unlikely to be ready for the product.
2. Is it based on any Information Security Standard?
   Ideal answer would be ISO27002 as this is well understood and recognised by the market.
3. What is the Governance Structure for management of IS Risk & Controls?
   Presence of a structure is an indicator of a mature organisation that understands and is looking to manage the risks.
4. How do you maintain assurance of your internal IT controls?
   If there is an indication that a robust regime is in place, a free scan should be positioned as additional assurance. No evidence is an opportunity for a free scan, but may also indicate a high risk.
5. Do you use third party suppliers?
   Need for the product is increased if yes; need to find out the scope of services – if critical, need for cyber risk transfer is increased.
6. Do you obtain assurance of their Data/Security Controls?
   Ideal answer is yes via a recognised method, i.e. SSAE 16/SAS 70 or other auditing standard. These will be readily accepted as evidence.
7. What is your approach to the management of mobile devices?
   Every client will have this issue; laptop and device encryption are key controls. Lack of an informed response is not a good indicator.
8. What are your key controls to determine if you are being subjected to a cyber attack?
   This provides an insight into the monitoring capability of the organisation. Most have poor levels of control unless they have outsourced a service.
9. Do you have a Cyber response team or plan?
   Key area for extra service sales – most do not, and failure to respond quickly enough drives up the final incident cost.
10. Have you ever needed to complete a forensic examination of your IT equipment?
   As above – often key evidence is destroyed through lack of awareness.
25. Can't "traditional" insurance help?
Property: Malware and Denial-of-Service attacks do not constitute "physical perils" and do not damage "tangible property".
General Liability: CGL privacy coverage limited to "publication or utterance" resulting in one of traditional privacy torts. Unauthorized access exclusions.
E&O: Requires negligence in provision of defined business activities.
Crime: Crime policies require intent… theft of money, securities, or tangible property.
Generally: Intentional acts and insured vs. insured issues. No coverage for expensive crisis expenses required by law or to protect reputation.
Potential Elements of Coverage in Commercial Property, General Liability, Crime, and Kidnap & Ransom Policies
27. Existing Insurance Policy Claims Trends
▪ Zurich v. Sony Declaratory Judgment Action: Over 55 class action lawsuits alleging billions of dollars in damages (Sept. 2011 new service agreement enforceable: mandatory arbitration and no class action?). Direct costs to companies impacted by cyber breaches, such as forensics, notification, credit monitoring and public relations costs, "are basic costs we would cover under our Zurich Security and Privacy Protection policy," says Zurich. Then if a claim is filed, "we have a liability coverage part that would cover the affected entity for defense costs and indemnity they have to pay out as a result."
▪ State National Insurance Co. v. Global Payments April 2013 $84 Million Declaratory Judgment Action regarding excess Professional Liability policy: Card association claims do not arise out of negligence from "professional services" or "technology-based services"
▪ Hartford v. Crate & Barrel and Children's Retail Stores (Declaratory Judgment Action with respect to GL Policy):
  – Over 125 Class Actions in California, led by: Pineda v. Williams Sonoma, 51 Cal.4th 524, 246 P.3d 612 (Cal. 2011) (Zip codes are personal identification information protected by California's Song-Beverly Act)
  – Massachusetts Class Action: Tyler v. Michaels Stores, Inc., No. 1:111-cv-10920-WGY (D. Mass. Filed May 23, 2011)
▪ Colorado Casualty Insurance Company vs. Perpetual Storage and the University of Utah (GL Policy) -- Negligence suit against insurance broker for not placing proper coverage
▪ Tornado Technologies Inc. v. Quality Control Inspection, Inc. (Ohio Ct. App. August 2, 2012) – no negligence of insurer for not warning insured to purchase special cyber policy
▪ Retail Ventures v. National Union Fire Ins. (August 23, 2012) Crime Policy Endorsement Applies
▪ Liberty v. Schnucks (August 2013) Declaratory Judgment filed regarding General Liability policy
28. Scope of Available Coverage
Breach Mitigation
• Notification Costs
• IT Forensics
• PR + Advertising
• Credit Monitoring
• "Turnkey" breach response from carrier partners
Regulatory
• Regulatory Investigations
• Consumer Redress Funds
• Civil Penalties
• PCI-DSS Fines
• UK & EU country specific laws
Liability
• Individual Actions
• Consumer Class Actions
• Suits from business partners
• Suits from financial institutions
(fourth column; heading missing in source)
• Online and offline breaches
• Accidental or "rogue" employee actions
• Breaches caused by vendors or outsourcers
• Coverage should be customized based on the nature of the business
  o For example, FI consumer facing businesses can face a different liability chain (see recent ATMs)
• Additional coverage available:
  o 1st Party Business Interruption: Lost revenue due to failed network security
  o Information Asset: Loss or costs associated with restoring destroyed data
  o Cyber Extortion: Pays an extortion demand to a party that holds the Insured's system or data hostage
  o Media: Content based injuries (online and may include offline)
29. Insurance Underwriter Issues To Address
I. Contractual allocation of liability and hold harmless and indemnity between Insured and each of its counterparties
II. Are all subsidiaries 100% wholly owned or are there joint ventures?
III. Does Insured comply with regulatory guidelines regarding disclosure of Cyber exposures, mitigation and risk transfer insurance (ADRs)?
IV. Review sample contracts from its suppliers as to allocation of liability, hold harmless and indemnity and insurance (name Insured as "Additional Insured"?). We have set up "affinity" type programs for large players in the Financial Institutions space where a supplier of the FI can obtain a $1 MM E&O policy for the benefit of the Insured FI.
V. Does Insured have any products or services that are protected from liability due to regulation? If so, what are the services and products and what are the revenues compared to total revenues?
VI. Do we have a breakdown of revenue by each product/service, as the exposures from each are different in both frequency and severity?
VII. What percentage of the products and services have been provided for over five years (at least 5 years' worth of Loss History)?
VIII. What percentage of products and services have been provided for less than one year?
IX. What type of internal or third party IT security assessments have been conducted? ISO 27001? SSAE 16?
X. What is the QA process for new products and services?
XI. What is the escalation process to approve contractual changes with customers?
XII. What is the escalation process to address and remedy complaints from customers?
XIII. What percentage of customers are business (B2B) vs. individuals (B2C)?
31. LIMITING THE IMPACT OF CYBER INCIDENTS
Presented by Ben Van Erck
EMEA RISK team
PID#
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
32. PROPRIETARY STATEMENT
This document and any attached materials are the sole property
of Verizon and are not to be used by you other than to evaluate
Verizon's service.
This document and any attached materials are not to be disseminated,
distributed, or otherwise conveyed throughout your organization to
employees without a need for this information or to any third parties
without the express written permission of Verizon.
© 2013 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon's products and services
are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.
All other trademarks and service marks are the property of their respective owners.
34. UNDERSTANDING THE WHO
VARIED MOTIVATIONS
VARIED TACTICS
• Aim is to maximize disruption and embarrass victims from both public and private sector.
• Use very basic methods and are opportunistic.
• Rely on sheer numbers.
• Motivated by financial gain, so will take any data that might have financial value.
• More calculated and complex in how they choose their targets.
• Criminals are now trading information for cash.
• Often state-sponsored.
• Driven to get exactly what they want, from intellectual property to insider information.
• Often state-sponsored, use most sophisticated tools to commit most targeted attacks.
• Tend to be relentless.
35. ESPIONAGE
STATE-AFFILIATED
ESPIONAGE.
• STATE-AFFILIATED ACTORS PERPETRATED 19% OF ATTACKS LAST YEAR.
• TARGETS ARE NOT JUST GOVERNMENT AGENCIES, AND NOT JUST MILITARY CONTRACTORS.
• BE AWARE OF THE "KNOCK-ON EFFECT" IN YOUR SUPPLY CHAIN.
36. DIFFICULTY OF ATTACK
37. WHAT TO WORRY ABOUT
THIS YEAR'S BIGGEST THREATS?
SAME AS LAST YEAR'S.
• Very few surprises, mostly variations on a theme.
• 75% of breaches were driven by financial motives.
• 95% of espionage relied on plain old phishing.
• Well-established threats shouldn't be ignored.
38. WHAT TO WORRY ABOUT
WHAT DO ATTACKERS TARGET?
STILL THE TRADITIONAL ASSETS.
• The weak links haven't changed much:
  – Desktops 25%
  – File servers 22%
  – Laptops 22%
• Unapproved hardware accounts for 43% of misuse cases.
39. ATTACK VELOCITY
QUICK TO COMPROMISE
• In 84% of cases, initial compromise took hours or less.
40. DETECTION VELOCITY
QUICK TO COMPROMISE
SLOW TO DISCOVERY
• 66% of breaches went undiscovered for months… or even years.
42. INCIDENT RESPONSE PLAN
IT'S NOT ABOUT THE PLAN,
IT'S ABOUT THE PLANNING!
• Develop an IR plan (people, process, technology)
• Mock incident testing
  – Table-top
  – Fake incident
  – Red vs Blue team
• Most important step in your IR process: learning from mistakes (yours and other people's)
• Stakeholders
• Decision makers
43. Additional Information
• Download DBIR: www.verizonenterprise.com/dbir
• Learn about VERIS: www.veriscommunity.net and http://github.com/vz-risk/veris
• Explore the VERIS Community Database: http://public.tableausoftware.com/views/vcdb/Overview and learn more about this data at http://veriscommunity.net/doku.php?id=public
• Ask a question: DBIR@verizon.com
• Read our blog: http://www.verizonenterprise.com/security/blog/
• Follow on Twitter: @vzdbir and hashtag #dbir