SlideShare a Scribd company logo
Meeting the Cyber Risk Challenge
Mark Fishleigh
Director, Detica
Jérôme Gossé
Financial Lines Underwriter, Zurich Global Corporate France
Julia Graham
Chief Risk Officer, DLA Piper International LLP
Andrew Horrocks
Partner, Clyde & Co
NOVEMBER 27, 2012
Sponsored by
Questions?
OCTOBER 17, 2012
To ask a question
… click on the
“question icon” in
the lower-right
corner of your
screen.
Mark Fishleigh
Director
Detica
Meeting the Cyber Risk Challenge
Sponsored by
NOVEMBER 27, 2012
Jérôme Gossé
Financial Lines Underwriter
Zurich Global Corporate France
Meeting the Cyber Risk Challenge
Sponsored by
NOVEMBER 27, 2012
Julia Graham
Chief Risk Officer
DLA Piper International LLP
Meeting the Cyber Risk Challenge
Sponsored by
NOVEMBER 27, 2012
Andrew Horrocks
Partner
Clyde & Co
Meeting the Cyber Risk Challenge
Sponsored by
NOVEMBER 27, 2012
What Is Cyber Risk?
Sponsored by
Setting the scene
• Information and the Information Age
• An asset like no other – the Digital Revolution
• Privacy
• Personally identifiable information is collected and
stored. Improper control can cause issues which may
arise from a range of information sources, such as
healthcare records and financial institution
transactions
• Confidentiality
– Different Categories of information
• Cyber
– Third party risks
– First party risks
• The Challenge
– As technology advances the desire for data privacy
increases
Tim Berners-Lee, left, and Robert Cailliau, right, inventors of
the World Wide Web, pose next to the first Web server
8
• Three-quarter of respondents report growing concern around
information security and privacy
• Only 16.3% have a chief information security officer: 40% say
CIO head of IT is most likely to be in charge
• More than half said board involvement is growing.
• Majority said government and business must work together.
But 55% half cited concerns about restrictive data protection
rules: 48.7% about adoption of breach notification.
• Thirty six percent said training is conducted at enterprise level
for all employees: only 36.3% said training occurs either
annually or biannually.
• Less than half – 44.1% – said their company's budget for
managing cyber risk has increased
Cyber Risk Survey Results
Sponsored by
Agenda
Sponsored by
• Challenges in Regulation and
Compliance
• Who Leads the Efforts Around Managing
Cyber Risk
• Mobilizing to Meet the Challenges
• The role of Insurance and Insurers
• What Happens in the Aftermath of an
Incident
Challenges in Legislation and
Compliance
Sponsored by
NOVEMBER 27, 2012
Data Protection Act 1998 (DPA)
• Eight data protection principles:
1. Processed fairly and lawfully
2. Obtained only for specified
lawful purposes
3. Adequate, relevant and not
excessive
4. Accurate
5. Not kept for longer than is
necessary
6. Processed in accordance with
individual’s rights
7. Secure
8. Not transferred to countries
outside the EEA without
adequate protection
• Sanctions and enforcement
– Information
Commissioner’s Office
(ICO)
– Enforcement notices
– Fines (up to £500,000)
– Criminal offences
– Civil claims
• Rights
– Rights of access
– Right to object to
processing
• Notification to ICO?
Data Protection Act 1998 (DPA)
The Draft European Regulation on Data
Protection
– Fines of up to £2million of annual worldwide
turnover for companies and administrative
sanctions of up to £1million for individuals
– The “right to be forgotten”
– Reporting and notification requirements
– Private rights of action
– Requires large businesses to appoint a Data
Protection Officer
– Applies to businesses – including those based
outside the EU
Fines and Penalties
– FSA sanctions
– ICO fines
• s.55 Data Protection Act 1988
• Safeway Stores Ltd v Twigger
(2010) CA
• Griffin v Hacker Young (2010)
Cyber Risk is an Enterprise-wide risk
• Enterprise-Wide Risk Management (“ERM”)
– a strategic business discipline that supports the achievement of the organization's
objectives by addressing the full spectrum of its risks and managing the combined impact
of those risks as an interrelated risk portfolio
• ERM reflects current practice in that it:
– encompasses all areas of risk
– prioritizes and manages exposures as a risk portfolio
– evaluates the portfolio in the context of significant internal and external environments,
systems, circumstances, and stakeholders
– recognizes individual risks are interrelated and can create a combined exposure that
differs from the sum of the individual risks
– provides a structured process for the management of all risks
– views the effective management of risk as a competitive advantage; and
– seeks to embed risk management as a management discipline
• Why should cyber risks be treated differently?
16
A rising tide in Regulation and Compliance
• Business operations – Shorter term / tactical / often cyclical
• Strategic – Longer term / deeper / wider / less cyclical
• Technology enables many of the systems that result in tactical risks
• Business leaders deluded in information strategy and execution?
• Information security spend justified by the "stick" of:
– laws and regulations
– client requirements
– potential liability
– Industry practice
• Most important information:
– customer
– financial
– IP and trade secrets
– corporate
– employee
17
Who Leads the Efforts to
Manage Cyber Risk?
How Will You Mobilize to
Meet the Challenges?
Sponsored by
NOVEMBER 27, 2012
Who Is Leading the Efforts Around
Managing Cyber Risk
• All are applying pressure to IS budgets
– Strategists more than most
– Lack of vision
– Lack of an effective information security strategy
• Articulate in their own "languages"
• Focus
– Prevention
– Detection
– Web-related technologies
• Knowledge of breaches has improved
• APT a driver of government focus
19
Integrating to Meet the Challenges
• Confidentiality of information
1. Contracts
2. Policies
3. Training
4. Monitoring
5. Restricting access
• Information security
– Governance
– Risk
– Compliance
– People
– Process
– Technology
20
Governance
Governance Advisory Board
• Core set of Principles defined by the organization and owned by
leadership and stakeholders including:
– HR
– Finance
– Marketing.
– Relevant legal expert/s
– Information Security
– Information Technology
– Knowledge Management
– Risk Management
– Compliance and Audit
Ten Steps - Raising Board Awareness and
Setting the Tone
1. Home and mobile working
2. User education and awareness
3. Incident management
4. Information risk management regime
5. Managing use privileges
6. Removable media controls
7. Monitoring
8. Secure configuration
9. Malware protection
10. Network security
….. Cover 80% of the ground
Key steps in cyber loss prevention and
control
Prepare
Understand cyber risks and
plan their mitigation
Protect
Protect information and IT
from attack and reduce the
potential impacts of
incidents
Monitor
Monitor systems to detect
and prevent incipient
incidents
Respond
Manage the consequences
of an incident to minimise
its impact
23
Key steps in cyber loss prevention and
control
Prepare
Understand cyber risks and
plan their mitigation
Protect
Protect information and IT
from attack and reduce the
potential impacts of
incidents
Monitor
Monitor systems to detect
and prevent incipient
incidents
Respond
Manage the consequences
of an incident to minimise
its impact
24
The cyber threat is multi-faceted
Threats
Commercial malware
Denial of Service (Dos)
External hacking of internal
systems (targeted attacks)
SCADA and Industrial Control Insider-assisted data loss
Website hacking (information
theft, vandalism)
Organised Crime
Activists
Script Kids
Industrial Espionage
State Sponsored
Sophistication/Scope
Technological
Vulnerabilities
exploitation
Thrill/Bragging
Rights
Reputational
Damage
Financial Gain/Fraud
Commercial
Advantage
Economic and
Political Advantage
Attackers Intent
Social vulnerabilities
exploitation
A number of actors are
motivated to user cyber
attacks to meet their
goals
The most sophisticated
actors have a range of
capabilities available
Attacks tend to exhibit a
stable set of behaviours
25
Align security strategy to your risk
position
Identify threat
Assess probability
Assess impact
Assess
vulnerability
Identify
mitigation
options
Decide Plan
Data asset registers
Supply chain
Economic analysis
Security experience
Systems,
processes,
operating
procedures,
organisation,
training,
management,
resilience
Residual riskUnmitigated risk
Business priorities
Risk tolerance
Risk
management
objectives
Costed business
case
Risk mitigation
improvement plan
Threat
intelligence
Risk
mitigation
strategy
INPUTS
OUTPUTS
Security
improvement
options
Security
strategy
26
Key steps in cyber loss prevention and
control
Prepare
Understand cyber risks and
plan their mitigation
Protect
Protect information and IT
from attack and reduce the
potential impacts of
incidents
Monitor
Monitor systems to detect
and prevent incipient
incidents
Respond
Manage the consequences
of an incident to minimise
its impact
27
Key steps in cyber loss prevention and
control
Prepare
Understand cyber risks and
plan their mitigation
Protect
Protect information and IT
from attack and reduce the
potential impacts of
incidents
Monitor
Monitor systems to detect
and prevent incipient
incidents
Respond
Manage the consequences
of an incident to minimise
its impact
28
Key steps in cyber loss prevention and
control
Prepare
Understand cyber risks and
plan their mitigation
Protect
Protect information and IT
from attack and reduce the
potential impacts of
incidents
Monitor
Monitor systems to detect
and prevent incipient
incidents
Respond
Manage the consequences
of an incident to minimise
its impact
29
The Role of Insurance and Insurers
Sponsored by
31
The role of Insurance and Insurers
Why the interest?
• Frequency and costs are escalating
• Data breaches are well publicized
• Companies are increasingly reliance on new technologies (cloud
computing, mobile devices, digital wallets, etc…)
• Regulatory environment complex and becoming more
demanding
• Fill the gaps of traditional insurance policies
The role of Insurance and Insurers
Potential incident
Traditional
policy
Cyber policy
Legal liability resulting from computer security
breaches or data breaches
Partial cover Full cover
Costs related to a data breach: notification
costs, call centres, credit monitoring, etc.
No cover
Full cover
Loss or destruction of data / information* Partial cover Full cover
Extra expenses to continue the activity
following a cyber attack*
No cover Full cover
Loss of revenues resulting from a cyber attack*
No cover Full cover
Loss or damage to reputation No cover Partial cover
Cyber extortion Partial cover Full cover
* Without any material damage
33 33
Transferable Costs of a Cyber incident
Crisis Management / Cost to Restore Reputation (Direct Expenses)
• Legal, public relations or other service fees
• Advertising or related communications
Forensics Investigation
Cost of Notification / Call Center Services
• Printing, postage or other communications to customers
• Cost to engage call center
Credit/Identity monitoring, fraud remediation services
Business Interruption Losses
• Loss of Income
• Costs to Recreate Lost or Stolen Data or determine whether data can be restored
• Extra Expenses
Regulatory: Data Protection Agencies: CNIL, OIC, FSA, FTC, SEC, etc…
PCI DSS Fines and Penalties
Legal Liability
• Suits from customers and vendors (including class actions)
• Suits from business partners (breach of NDA)
1st
Party
Expenses
3rd
Party
Liability
Financial Impact
34
Financial Impact (cont.)
34
Additional Costs of a Cyber incident
Damage to Reputation
Customer Churn/Loss of consumer confidence
Stock Devaluation
Cost to implement a comprehensive written information security program (WISP)
Overtime pay for staff
Cost to upgrade network security
Cost to repair or upgrade damaged property
Devaluation of intellectual property and trade secrets
Redesign/engineering of critical infrastructure
Personnel reclassification
Medical bills for physically injured parties
1st
Party
Expenses
3rd
Party
Liability
The role of Insurance and Insurers
• Insurance does not replace but can enhance risk management
• Underwriting of cyber risks demands professional competence
–As it should for a buyer ………
• Incident / breach response should form part of the process
35
What Happens in the Aftermath of An
Incident?
Sponsored by
Commercial in Confidence 37 June 2012
Responding to an incident
“Is this a real incident?”
“Are my clients likely to find out?”
“How do we stop it?”
“How long has this been going on for?”
“Who is doing this to us?”
“How did they do it?”
“What have they done?”
“How do we stop it happening again?”
?
?
?
38
Speed of understanding is key to loss
mitigation
Time
Attacker
activity
Understanding
Informed decision
1 2
3
1
2
3
Time taken to identify an attack
Speed of understanding
Level of understanding
3
Commercial in Confidence 39 June 2012
Incident response approach
Establish the
facts
Establish the
facts
Immediate actionImmediate action
Investigate the incidentInvestigate the incident RemediateRemediate
Assess the impact and vulnerabilitiesAssess the impact and vulnerabilities
Improve security
posture
Improve security
posture
1. Rapid response
2. Remediation
3. Incident analysis
Questions?
OCTOBER 17, 2012
To ask a question
… click on the
“question icon” in
the lower-right
corner of your
screen.
Thank you for joining us!
Sponsored by

More Related Content

What's hot

Ferma European Risk Manager Report 2018
Ferma European Risk Manager Report 2018Ferma European Risk Manager Report 2018
Ferma European Risk Manager Report 2018
FERMA
 
FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
FERMA Webinar: At the Junction of Corporate Governance and Cyber SecurityFERMA Webinar: At the Junction of Corporate Governance and Cyber Security
FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
FERMA
 
FERMA information paper to OECD in order to propose captive (re)insurance gui...
FERMA information paper to OECD in order to propose captive (re)insurance gui...FERMA information paper to OECD in order to propose captive (re)insurance gui...
FERMA information paper to OECD in order to propose captive (re)insurance gui...
FERMA
 
Executive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management WebinarExecutive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management Webinar
FERMA
 
Webinar: the role of risk management in corporate resilience
Webinar: the role of risk management in corporate resilience Webinar: the role of risk management in corporate resilience
Webinar: the role of risk management in corporate resilience
FERMA
 
FERMA Newsletter 47
FERMA Newsletter 47FERMA Newsletter 47
FERMA Newsletter 47
FERMA
 
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
FERMA
 
Preparing for cyber insurance - FERMA - Insurance Europe - BIPAR
Preparing for cyber insurance - FERMA - Insurance Europe - BIPARPreparing for cyber insurance - FERMA - Insurance Europe - BIPAR
Preparing for cyber insurance - FERMA - Insurance Europe - BIPAR
FERMA
 
Ferma survey part 2 - governance enterprise risk mnagement and key risks for...
Ferma survey part 2  - governance enterprise risk mnagement and key risks for...Ferma survey part 2  - governance enterprise risk mnagement and key risks for...
Ferma survey part 2 - governance enterprise risk mnagement and key risks for...
FERMA
 
Ferma PwC European Risk Manager Report_ full set results 2018
Ferma PwC European Risk Manager Report_ full set results 2018Ferma PwC European Risk Manager Report_ full set results 2018
Ferma PwC European Risk Manager Report_ full set results 2018
FERMA
 
European Risk Management Seminar 2018 - Sustainability Report
European Risk Management Seminar 2018 - Sustainability ReportEuropean Risk Management Seminar 2018 - Sustainability Report
European Risk Management Seminar 2018 - Sustainability Report
FERMA
 
The European risk manager report 2020: webinar presentation
The European risk manager report 2020: webinar presentationThe European risk manager report 2020: webinar presentation
The European risk manager report 2020: webinar presentation
FERMA
 
FERMA Survey Part 1 - The Maturity of Risk Management in Europe
FERMA Survey Part 1 - The Maturity of Risk Management in EuropeFERMA Survey Part 1 - The Maturity of Risk Management in Europe
FERMA Survey Part 1 - The Maturity of Risk Management in Europe
FERMA
 
Argo Group: entry for emerging risk initiative of the year Award 2020
Argo Group: entry for emerging risk initiative of the year Award 2020Argo Group: entry for emerging risk initiative of the year Award 2020
Argo Group: entry for emerging risk initiative of the year Award 2020
FERMA
 
FERMA European Risk Manager Report 2020: full set of results
FERMA European Risk Manager Report 2020: full set of results  FERMA European Risk Manager Report 2020: full set of results
FERMA European Risk Manager Report 2020: full set of results
FERMA
 
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
FERMA
 
What is hr doing in covid crisis
What is hr doing in covid crisisWhat is hr doing in covid crisis
What is hr doing in covid crisis
Yasmeen Imran Khan
 
People, Planet & Performance: sustainability guide for risk and insurance man...
People, Planet & Performance: sustainability guide for risk and insurance man...People, Planet & Performance: sustainability guide for risk and insurance man...
People, Planet & Performance: sustainability guide for risk and insurance man...
FERMA
 
Facts and figures about our risk management associations in Europe 2019
Facts and figures about our risk management associations in Europe 2019Facts and figures about our risk management associations in Europe 2019
Facts and figures about our risk management associations in Europe 2019
FERMA
 
Argo Group: operationalizing emerging risk 2020
Argo Group: operationalizing emerging risk 2020Argo Group: operationalizing emerging risk 2020
Argo Group: operationalizing emerging risk 2020
FERMA
 

What's hot (20)

Ferma European Risk Manager Report 2018
Ferma European Risk Manager Report 2018Ferma European Risk Manager Report 2018
Ferma European Risk Manager Report 2018
 
FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
FERMA Webinar: At the Junction of Corporate Governance and Cyber SecurityFERMA Webinar: At the Junction of Corporate Governance and Cyber Security
FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
 
FERMA information paper to OECD in order to propose captive (re)insurance gui...
FERMA information paper to OECD in order to propose captive (re)insurance gui...FERMA information paper to OECD in order to propose captive (re)insurance gui...
FERMA information paper to OECD in order to propose captive (re)insurance gui...
 
Executive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management WebinarExecutive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management Webinar
 
Webinar: the role of risk management in corporate resilience
Webinar: the role of risk management in corporate resilience Webinar: the role of risk management in corporate resilience
Webinar: the role of risk management in corporate resilience
 
FERMA Newsletter 47
FERMA Newsletter 47FERMA Newsletter 47
FERMA Newsletter 47
 
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
 
Preparing for cyber insurance - FERMA - Insurance Europe - BIPAR
Preparing for cyber insurance - FERMA - Insurance Europe - BIPARPreparing for cyber insurance - FERMA - Insurance Europe - BIPAR
Preparing for cyber insurance - FERMA - Insurance Europe - BIPAR
 
Ferma survey part 2 - governance enterprise risk mnagement and key risks for...
Ferma survey part 2  - governance enterprise risk mnagement and key risks for...Ferma survey part 2  - governance enterprise risk mnagement and key risks for...
Ferma survey part 2 - governance enterprise risk mnagement and key risks for...
 
Ferma PwC European Risk Manager Report_ full set results 2018
Ferma PwC European Risk Manager Report_ full set results 2018Ferma PwC European Risk Manager Report_ full set results 2018
Ferma PwC European Risk Manager Report_ full set results 2018
 
European Risk Management Seminar 2018 - Sustainability Report
European Risk Management Seminar 2018 - Sustainability ReportEuropean Risk Management Seminar 2018 - Sustainability Report
European Risk Management Seminar 2018 - Sustainability Report
 
The European risk manager report 2020: webinar presentation
The European risk manager report 2020: webinar presentationThe European risk manager report 2020: webinar presentation
The European risk manager report 2020: webinar presentation
 
FERMA Survey Part 1 - The Maturity of Risk Management in Europe
FERMA Survey Part 1 - The Maturity of Risk Management in EuropeFERMA Survey Part 1 - The Maturity of Risk Management in Europe
FERMA Survey Part 1 - The Maturity of Risk Management in Europe
 
Argo Group: entry for emerging risk initiative of the year Award 2020
Argo Group: entry for emerging risk initiative of the year Award 2020Argo Group: entry for emerging risk initiative of the year Award 2020
Argo Group: entry for emerging risk initiative of the year Award 2020
 
FERMA European Risk Manager Report 2020: full set of results
FERMA European Risk Manager Report 2020: full set of results  FERMA European Risk Manager Report 2020: full set of results
FERMA European Risk Manager Report 2020: full set of results
 
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
 
What is hr doing in covid crisis
What is hr doing in covid crisisWhat is hr doing in covid crisis
What is hr doing in covid crisis
 
People, Planet & Performance: sustainability guide for risk and insurance man...
People, Planet & Performance: sustainability guide for risk and insurance man...People, Planet & Performance: sustainability guide for risk and insurance man...
People, Planet & Performance: sustainability guide for risk and insurance man...
 
Facts and figures about our risk management associations in Europe 2019
Facts and figures about our risk management associations in Europe 2019Facts and figures about our risk management associations in Europe 2019
Facts and figures about our risk management associations in Europe 2019
 
Argo Group: operationalizing emerging risk 2020
Argo Group: operationalizing emerging risk 2020Argo Group: operationalizing emerging risk 2020
Argo Group: operationalizing emerging risk 2020
 

Similar to Meeting the cyber risk challenge

Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
FERMA
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
Donald Tabone
 
Item46763
Item46763Item46763
Item46763
madunix
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
Napoleon NV
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
harigopala
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
Boards' Eye View of Digital Risk & GDPR v2
Boards' Eye View of Digital Risk & GDPR v2Boards' Eye View of Digital Risk & GDPR v2
Boards' Eye View of Digital Risk & GDPR v2
Graham Mann
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
Kroll
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
Donald Tabone
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
CGTI
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
Rd. R. Agung Trimanda
 
Boards' Eye View of Digital Risk & GDPR
Boards' Eye View of Digital Risk & GDPRBoards' Eye View of Digital Risk & GDPR
Boards' Eye View of Digital Risk & GDPR
Graham Mann
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
AIIM International
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
SurfWatch Labs
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
Murray Security Services
 
Managing Security Risks in Manufacturing
Managing Security Risks in ManufacturingManaging Security Risks in Manufacturing
Managing Security Risks in Manufacturing
William McBorrough
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Cristian Garcia G.
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
SurfWatch Labs
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
SandeepK707540
 

Similar to Meeting the cyber risk challenge (20)

Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Item46763
Item46763Item46763
Item46763
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Boards' Eye View of Digital Risk & GDPR v2
Boards' Eye View of Digital Risk & GDPR v2Boards' Eye View of Digital Risk & GDPR v2
Boards' Eye View of Digital Risk & GDPR v2
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 
Boards' Eye View of Digital Risk & GDPR
Boards' Eye View of Digital Risk & GDPRBoards' Eye View of Digital Risk & GDPR
Boards' Eye View of Digital Risk & GDPR
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
 
Managing Security Risks in Manufacturing
Managing Security Risks in ManufacturingManaging Security Risks in Manufacturing
Managing Security Risks in Manufacturing
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
 

More from FERMA

Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
FERMA
 
George Ong, Chief Risk Officer, Northern Ireland Water
George Ong, Chief Risk Officer, Northern Ireland WaterGeorge Ong, Chief Risk Officer, Northern Ireland Water
George Ong, Chief Risk Officer, Northern Ireland Water
FERMA
 
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
FERMA
 
GDPR & corporate Governance, Evaluation after 2 years implementation
GDPR & corporate Governance, Evaluation after 2 years implementationGDPR & corporate Governance, Evaluation after 2 years implementation
GDPR & corporate Governance, Evaluation after 2 years implementation
FERMA
 
Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?
FERMA
 
GDPR & corporate governance: the role of risk management and internal audit o...
GDPR & corporate governance: the role of risk management and internal audit o...GDPR & corporate governance: the role of risk management and internal audit o...
GDPR & corporate governance: the role of risk management and internal audit o...
FERMA
 
Ferma report: Artificial Intelligence applied to Risk Management
Ferma report: Artificial Intelligence applied to Risk Management Ferma report: Artificial Intelligence applied to Risk Management
Ferma report: Artificial Intelligence applied to Risk Management
FERMA
 
Risk Manager European Profile 2018
Risk Manager European Profile 2018Risk Manager European Profile 2018
Risk Manager European Profile 2018
FERMA
 
Webinar: how risk management can contribute to sustainable growth?
Webinar: how risk management can contribute to sustainable growth?Webinar: how risk management can contribute to sustainable growth?
Webinar: how risk management can contribute to sustainable growth?
FERMA
 
European risk management sustainability seminar report
European risk management sustainability seminar reportEuropean risk management sustainability seminar report
European risk management sustainability seminar report
FERMA
 
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
FERMA
 
1st international edition of the RMIS Panorama with the support of FERMA network
1st international edition of the RMIS Panorama with the support of FERMA network1st international edition of the RMIS Panorama with the support of FERMA network
1st international edition of the RMIS Panorama with the support of FERMA network
FERMA
 

More from FERMA (12)

Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
 
George Ong, Chief Risk Officer, Northern Ireland Water
George Ong, Chief Risk Officer, Northern Ireland WaterGeorge Ong, Chief Risk Officer, Northern Ireland Water
George Ong, Chief Risk Officer, Northern Ireland Water
 
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
 
GDPR & corporate Governance, Evaluation after 2 years implementation
GDPR & corporate Governance, Evaluation after 2 years implementationGDPR & corporate Governance, Evaluation after 2 years implementation
GDPR & corporate Governance, Evaluation after 2 years implementation
 
Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?Webinar: Why risk managers should look at Artificial Intelligence now?
Webinar: Why risk managers should look at Artificial Intelligence now?
 
GDPR & corporate governance: the role of risk management and internal audit o...
GDPR & corporate governance: the role of risk management and internal audit o...GDPR & corporate governance: the role of risk management and internal audit o...
GDPR & corporate governance: the role of risk management and internal audit o...
 
Ferma report: Artificial Intelligence applied to Risk Management
Ferma report: Artificial Intelligence applied to Risk Management Ferma report: Artificial Intelligence applied to Risk Management
Ferma report: Artificial Intelligence applied to Risk Management
 
Risk Manager European Profile 2018
Risk Manager European Profile 2018Risk Manager European Profile 2018
Risk Manager European Profile 2018
 
Webinar: how risk management can contribute to sustainable growth?
Webinar: how risk management can contribute to sustainable growth?Webinar: how risk management can contribute to sustainable growth?
Webinar: how risk management can contribute to sustainable growth?
 
European risk management sustainability seminar report
European risk management sustainability seminar reportEuropean risk management sustainability seminar report
European risk management sustainability seminar report
 
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
 
1st international edition of the RMIS Panorama with the support of FERMA network
1st international edition of the RMIS Panorama with the support of FERMA network1st international edition of the RMIS Panorama with the support of FERMA network
1st international edition of the RMIS Panorama with the support of FERMA network
 

Recently uploaded

Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
kevinkariuki227
 
Managing Customer & User Experience of Customers
Managing Customer & User Experience of CustomersManaging Customer & User Experience of Customers
Managing Customer & User Experience of Customers
SalmanTahir60
 
MEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final PresentationMEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final Presentation
PhysicsUtu
 
brojjeddah Home Services Company in Saudi Arabia
brojjeddah Home Services Company in Saudi Arabiabrojjeddah Home Services Company in Saudi Arabia
brojjeddah Home Services Company in Saudi Arabia
brojjeddah
 
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdfA STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
rsonics22
 
Connected Small Boat Protection Solution | July 2024
Connected Small Boat Protection Solution | July  2024Connected Small Boat Protection Solution | July  2024
Connected Small Boat Protection Solution | July 2024
Hector Del Castillo, CPM, CPMM
 
21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf
21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf
21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf
emmanuelpulido003
 
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
APKs Pure
 
Top Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdfTop Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdf
Top IT Marketing
 
Case study on Indian Ecommerce logistics
Case study on Indian Ecommerce logisticsCase study on Indian Ecommerce logistics
Case study on Indian Ecommerce logistics
UnheardShayari
 
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Aggregage
 
Navigating Change Strategies for Effective Transition and Operational Plannin...
Navigating Change Strategies for Effective Transition and Operational Plannin...Navigating Change Strategies for Effective Transition and Operational Plannin...
Navigating Change Strategies for Effective Transition and Operational Plannin...
Brian Frerichs
 
Mandated reporting powerpoint to help with understanding your role
Mandated reporting powerpoint to help with understanding your roleMandated reporting powerpoint to help with understanding your role
Mandated reporting powerpoint to help with understanding your role
khidalgo2
 
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAAPAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
lawrenceads01
 
1234567891011121314151617181920212223242
12345678910111213141516171819202122232421234567891011121314151617181920212223242
1234567891011121314151617181920212223242
fauzanal343
 
Staffan Canback - The 18 Rays of Project Management
Staffan Canback - The 18 Rays of Project ManagementStaffan Canback - The 18 Rays of Project Management
Staffan Canback - The 18 Rays of Project Management
Tellusant, Inc.
 
You Get Me! Leveraging Communication Styles in Virtual Trainingpptx
You Get Me! Leveraging Communication Styles in Virtual TrainingpptxYou Get Me! Leveraging Communication Styles in Virtual Trainingpptx
You Get Me! Leveraging Communication Styles in Virtual Trainingpptx
Cynthia Clay
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
projectseasy
 
PETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAA
PETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAAPETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAA
PETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAA
lawrenceads01
 
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
Growth Buyouts - The  Dawn of the GBO (Slow Ventures)Growth Buyouts - The  Dawn of the GBO (Slow Ventures)
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
Razin Mustafiz
 

Recently uploaded (20)

Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
 
Managing Customer & User Experience of Customers
Managing Customer & User Experience of CustomersManaging Customer & User Experience of Customers
Managing Customer & User Experience of Customers
 
MEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final PresentationMEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final Presentation
 
brojjeddah Home Services Company in Saudi Arabia
brojjeddah Home Services Company in Saudi Arabiabrojjeddah Home Services Company in Saudi Arabia
brojjeddah Home Services Company in Saudi Arabia
 
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdfA STUDY OF MUTUAL FUND  OF BANK OF INDIA .pdf
A STUDY OF MUTUAL FUND OF BANK OF INDIA .pdf
 
Connected Small Boat Protection Solution | July 2024
Connected Small Boat Protection Solution | July  2024Connected Small Boat Protection Solution | July  2024
Connected Small Boat Protection Solution | July 2024
 
21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf
21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf
21stcenturyskillsframeworkfinalpresentation2-240509214747-71edb7ee.pdf
 
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
KineMaster Diamond APK v7.3.11.32200 (4K HD, No Watermark)
 
Top Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdfTop Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdf
 
Case study on Indian Ecommerce logistics
Case study on Indian Ecommerce logisticsCase study on Indian Ecommerce logistics
Case study on Indian Ecommerce logistics
 
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
 
Navigating Change Strategies for Effective Transition and Operational Plannin...
Navigating Change Strategies for Effective Transition and Operational Plannin...Navigating Change Strategies for Effective Transition and Operational Plannin...
Navigating Change Strategies for Effective Transition and Operational Plannin...
 
Mandated reporting powerpoint to help with understanding your role
Mandated reporting powerpoint to help with understanding your roleMandated reporting powerpoint to help with understanding your role
Mandated reporting powerpoint to help with understanding your role
 
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAAPAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
 
1234567891011121314151617181920212223242
12345678910111213141516171819202122232421234567891011121314151617181920212223242
1234567891011121314151617181920212223242
 
Staffan Canback - The 18 Rays of Project Management
Staffan Canback - The 18 Rays of Project ManagementStaffan Canback - The 18 Rays of Project Management
Staffan Canback - The 18 Rays of Project Management
 
You Get Me! Leveraging Communication Styles in Virtual Trainingpptx
You Get Me! Leveraging Communication Styles in Virtual TrainingpptxYou Get Me! Leveraging Communication Styles in Virtual Trainingpptx
You Get Me! Leveraging Communication Styles in Virtual Trainingpptx
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
 
PETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAA
PETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAAPETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAA
PETAVIT SIP-05.pdfAAAAAAAAAAAAAAAAAAAAAAAAA
 
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
Growth Buyouts - The  Dawn of the GBO (Slow Ventures)Growth Buyouts - The  Dawn of the GBO (Slow Ventures)
Growth Buyouts - The Dawn of the GBO (Slow Ventures)
 

Meeting the cyber risk challenge

  • 1. Meeting the Cyber Risk Challenge Mark Fishleigh Director, Detica Jérôme Gossé Financial Lines Underwriter, Zurich Global Corporate France Julia Graham Chief Risk Officer, DLA Piper International LLP Andrew Horrocks Partner, Clyde & Co NOVEMBER 27, 2012 Sponsored by
  • 2. Questions? OCTOBER 17, 2012 To ask a question … click on the “question icon” in the lower-right corner of your screen.
  • 3. Mark Fishleigh Director Detica Meeting the Cyber Risk Challenge Sponsored by NOVEMBER 27, 2012
  • 4. Jérôme Gossé Financial Lines Underwriter Zurich Global Corporate France Meeting the Cyber Risk Challenge Sponsored by NOVEMBER 27, 2012
  • 5. Julia Graham Chief Risk Officer DLA Piper International LLP Meeting the Cyber Risk Challenge Sponsored by NOVEMBER 27, 2012
  • 6. Andrew Horrocks Partner Clyde & Co Meeting the Cyber Risk Challenge Sponsored by NOVEMBER 27, 2012
  • 7. What Is Cyber Risk? Sponsored by
  • 8. Setting the scene • Information and the Information Age • An asset like no other – the Digital Revolution • Privacy • Personally identifiable information is collected and stored. Improper control can cause issues which may arise from a range of information sources, such as healthcare records and financial institution transactions • Confidentiality – Different Categories of information • Cyber – Third party risks – First party risks • The Challenge – As technology advances the desire for data privacy increases Tim Berners-Lee, left, and Robert Cailliau, right, inventors of the World Wide Web, pose next to the first Web server 8
  • 9. • Three-quarter of respondents report growing concern around information security and privacy • Only 16.3% have a chief information security officer: 40% say CIO head of IT is most likely to be in charge • More than half said board involvement is growing. • Majority said government and business must work together. But 55% half cited concerns about restrictive data protection rules: 48.7% about adoption of breach notification. • Thirty six percent said training is conducted at enterprise level for all employees: only 36.3% said training occurs either annually or biannually. • Less than half – 44.1% – said their company's budget for managing cyber risk has increased Cyber Risk Survey Results Sponsored by
  • 10. Agenda Sponsored by • Challenges in Regulation and Compliance • Who Leads the Efforts Around Managing Cyber Risk • Mobilizing to Meet the Challenges • The role of Insurance and Insurers • What Happens in the Aftermath of an Incident
  • 11. Challenges in Legislation and Compliance Sponsored by NOVEMBER 27, 2012
  • 12. Data Protection Act 1998 (DPA) • Eight data protection principles: 1. Processed fairly and lawfully 2. Obtained only for specified lawful purposes 3. Adequate, relevant and not excessive 4. Accurate 5. Not kept for longer than is necessary 6. Processed in accordance with individual’s rights 7. Secure 8. Not transferred to countries outside the EEA without adequate protection
  • 13. • Sanctions and enforcement – Information Commissioner’s Office (ICO) – Enforcement notices – Fines (up to £500,000) – Criminal offences – Civil claims • Rights – Rights of access – Right to object to processing • Notification to ICO? Data Protection Act 1998 (DPA)
  • 14. The Draft European Regulation on Data Protection – Fines of up to £2million of annual worldwide turnover for companies and administrative sanctions of up to £1million for individuals – The “right to be forgotten” – Reporting and notification requirements – Private rights of action – Requires large businesses to appoint a Data Protection Officer – Applies to businesses – including those based outside the EU
  • 15. Fines and Penalties – FSA sanctions – ICO fines • s.55 Data Protection Act 1988 • Safeway Stores Ltd v Twigger (2010) CA • Griffin v Hacker Young (2010)
  • 16. Cyber Risk is an Enterprise-wide risk • Enterprise-Wide Risk Management (“ERM”) – a strategic business discipline that supports the achievement of the organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio • ERM reflects current practice in that it: – encompasses all areas of risk – prioritizes and manages exposures as a risk portfolio – evaluates the portfolio in the context of significant internal and external environments, systems, circumstances, and stakeholders – recognizes individual risks are interrelated and can create a combined exposure that differs from the sum of the individual risks – provides a structured process for the management of all risks – views the effective management of risk as a competitive advantage; and – seeks to embed risk management as a management discipline • Why should cyber risks be treated differently? 16
  • 17. A rising tide in Regulation and Compliance • Business operations – Shorter term / tactical / often cyclical • Strategic – Longer term / deeper / wider / less cyclical • Technology enables many of the systems that result in tactical risks • Business leaders deluded in information strategy and execution? • Information security spend justified by the "stick" of: – laws and regulations – client requirements – potential liability – Industry practice • Most important information: – customer – financial – IP and trade secrets – corporate – employee 17
  • 18. Who Leads the Efforts to Manage Cyber Risk? How Will You Mobilize to Meet the Challenges? Sponsored by NOVEMBER 27, 2012
  • 19. Who Is Leading the Efforts Around Managing Cyber Risk • All are applying pressure to IS budgets – Strategists more than most – Lack of vision – Lack of an effective information security strategy • Articulate in their own "languages" • Focus – Prevention – Detection – Web-related technologies • Knowledge of breaches has improved • APT a driver of government focus 19
  • 20. Integrating to Meet the Challenges • Confidentiality of information 1. Contracts 2. Policies 3. Training 4. Monitoring 5. Restricting access • Information security – Governance – Risk – Compliance – People – Process – Technology 20
  • 21. Governance Governance Advisory Board • Core set of Principles defined by the organization and owned by leadership and stakeholders including: – HR – Finance – Marketing. – Relevant legal expert/s – Information Security – Information Technology – Knowledge Management – Risk Management – Compliance and Audit
  • 22. Ten Steps - Raising Board Awareness and Setting the Tone 1. Home and mobile working 2. User education and awareness 3. Incident management 4. Information risk management regime 5. Managing use privileges 6. Removable media controls 7. Monitoring 8. Secure configuration 9. Malware protection 10. Network security ….. Cover 80% of the ground
  • 23. Key steps in cyber loss prevention and control Prepare Understand cyber risks and plan their mitigation Protect Protect information and IT from attack and reduce the potential impacts of incidents Monitor Monitor systems to detect and prevent incipient incidents Respond Manage the consequences of an incident to minimise its impact 23
  • 24. Key steps in cyber loss prevention and control Prepare Understand cyber risks and plan their mitigation Protect Protect information and IT from attack and reduce the potential impacts of incidents Monitor Monitor systems to detect and prevent incipient incidents Respond Manage the consequences of an incident to minimise its impact 24
  • 25. The cyber threat is multi-faceted Threats Commercial malware Denial of Service (Dos) External hacking of internal systems (targeted attacks) SCADA and Industrial Control Insider-assisted data loss Website hacking (information theft, vandalism) Organised Crime Activists Script Kids Industrial Espionage State Sponsored Sophistication/Scope Technological Vulnerabilities exploitation Thrill/Bragging Rights Reputational Damage Financial Gain/Fraud Commercial Advantage Economic and Political Advantage Attackers Intent Social vulnerabilities exploitation A number of actors are motivated to user cyber attacks to meet their goals The most sophisticated actors have a range of capabilities available Attacks tend to exhibit a stable set of behaviours 25
  • 26. Align security strategy to your risk position Identify threat Assess probability Assess impact Assess vulnerability Identify mitigation options Decide Plan Data asset registers Supply chain Economic analysis Security experience Systems, processes, operating procedures, organisation, training, management, resilience Residual riskUnmitigated risk Business priorities Risk tolerance Risk management objectives Costed business case Risk mitigation improvement plan Threat intelligence Risk mitigation strategy INPUTS OUTPUTS Security improvement options Security strategy 26
  • 27. Key steps in cyber loss prevention and control Prepare Understand cyber risks and plan their mitigation Protect Protect information and IT from attack and reduce the potential impacts of incidents Monitor Monitor systems to detect and prevent incipient incidents Respond Manage the consequences of an incident to minimise its impact 27
  • 28. Key steps in cyber loss prevention and control Prepare Understand cyber risks and plan their mitigation Protect Protect information and IT from attack and reduce the potential impacts of incidents Monitor Monitor systems to detect and prevent incipient incidents Respond Manage the consequences of an incident to minimise its impact 28
  • 29. Key steps in cyber loss prevention and control Prepare Understand cyber risks and plan their mitigation Protect Protect information and IT from attack and reduce the potential impacts of incidents Monitor Monitor systems to detect and prevent incipient incidents Respond Manage the consequences of an incident to minimise its impact 29
  • 30. The Role of Insurance and Insurers Sponsored by
  • 31. 31 The role of Insurance and Insurers Why the interest? • Frequency and costs are escalating • Data breaches are well publicized • Companies are increasingly reliance on new technologies (cloud computing, mobile devices, digital wallets, etc…) • Regulatory environment complex and becoming more demanding • Fill the gaps of traditional insurance policies
  • 32. The role of Insurance and Insurers Potential incident Traditional policy Cyber policy Legal liability resulting from computer security breaches or data breaches Partial cover Full cover Costs related to a data breach: notification costs, call centres, credit monitoring, etc. No cover Full cover Loss or destruction of data / information* Partial cover Full cover Extra expenses to continue the activity following a cyber attack* No cover Full cover Loss of revenues resulting from a cyber attack* No cover Full cover Loss or damage to reputation No cover Partial cover Cyber extortion Partial cover Full cover * Without any material damage
  • 33. 33 33 Transferable Costs of a Cyber incident Crisis Management / Cost to Restore Reputation (Direct Expenses) • Legal, public relations or other service fees • Advertising or related communications Forensics Investigation Cost of Notification / Call Center Services • Printing, postage or other communications to customers • Cost to engage call center Credit/Identity monitoring, fraud remediation services Business Interruption Losses • Loss of Income • Costs to Recreate Lost or Stolen Data or determine whether data can be restored • Extra Expenses Regulatory: Data Protection Agencies: CNIL, OIC, FSA, FTC, SEC, etc… PCI DSS Fines and Penalties Legal Liability • Suits from customers and vendors (including class actions) • Suits from business partners (breach of NDA) 1st Party Expenses 3rd Party Liability Financial Impact
  • 34. 34 Financial Impact (cont.) 34 Additional Costs of a Cyber incident Damage to Reputation Customer Churn/Loss of consumer confidence Stock Devaluation Cost to implement a comprehensive written information security program (WISP) Overtime pay for staff Cost to upgrade network security Cost to repair or upgrade damaged property Devaluation of intellectual property and trade secrets Redesign/engineering of critical infrastructure Personnel reclassification Medical bills for physically injured parties 1st Party Expenses 3rd Party Liability
  • 35. The role of Insurance and Insurers • Insurance does not replace but can enhance risk management • Underwriting of cyber risks demands professional competence –As it should for a buyer ……… • Incident / breach response should form part of the process 35
  • 36. What Happens in the Aftermath of An Incident? Sponsored by
  • 37. Commercial in Confidence 37 June 2012 Responding to an incident “Is this a real incident?” “Are my clients likely to find out?” “How do we stop it?” “How long has this been going on for?” “Who is doing this to us?” “How did they do it?” “What have they done?” “How do we stop it happening again?” ? ? ?
  • 38. 38 Speed of understanding is key to loss mitigation Time Attacker activity Understanding Informed decision 1 2 3 1 2 3 Time taken to identify an attack Speed of understanding Level of understanding 3
  • 39. Commercial in Confidence 39 June 2012 Incident response approach Establish the facts Establish the facts Immediate actionImmediate action Investigate the incidentInvestigate the incident RemediateRemediate Assess the impact and vulnerabilitiesAssess the impact and vulnerabilities Improve security posture Improve security posture 1. Rapid response 2. Remediation 3. Incident analysis
  • 40. Questions? OCTOBER 17, 2012 To ask a question … click on the “question icon” in the lower-right corner of your screen.
  • 41. Thank you for joining us! Sponsored by

Editor's Notes

  1. Prepare Risk is the product of threat, impact and vulnerability. While there are many firms in the market that can measure vulnerability and impact, Detica through its experience of protecting the UK’s most sensitive information assets from advanced attacks, has the means to accurately assess the risk of a targeted attack. We review risk in the context of the firm’s existing controls and degree of risk it is willing to tolerate to make a risk assessment and if appropriate, create and blueprint and business case to implement measures for bringing the firm’s security controls in line with the risks it’s prepared to accept. Protect Advise and build secure IT systems, we deploy X-domain technology to provided protected access to highly sensitive data. We enable organisations to integrate IT and physical security, and share intelligence. Monitor Detica Treidan is an enterprise cyber risk management platform developed specifically to detect targeted attacks. Treidan collects network activity data and uses this data, together with data already collected by the firm and data from 3 rd parties’ sources, to detect potentially suspicious activities. Sophisticated analytical techniques employing statistical and behavioural analysis, and our experience of how targeted attacks are perpetrated, are used to spot anomalous activity within the firm’s network and identify the stage of a targeted attacks. We then recommend remedial action based on what we can observe about the attacker’s intent. A managed service providing 24/7 protective monitoring of client networks up to and including IL3 focussed on non-targetted attacks such as virus outbreaks, denial of service attacks and speculative intrusion attempts. > Able to provide global coverage > Near real-time alerting > Cost competitive with others in the SOC market SOC based in Leeds and provides monitoring services to organisations such as HMG and BAE Systems Respond Currently asked to respond to several incidents each month 1 of 3 companies used by Centre for Protection of National Infrastructure to respond to security incidents across commercial base We support major incident response by Confirm: Establish the facts around the initial compromise Capture: Capture logs, network and host agent data for analysis Expose: Fully understand the origin and extent of the compromise Remediate: Safely inhibit the attack and secure the network Resume: Return to normal operations with enhanced security Our aim is to restore the network to a ‘clean’ state in order to resume normal activities We use experienced investigators available for investigations of suspicious activity Catalogue services: Incident review Disk analysis Malware analysis Network and application event log analysis Email analysis We provide actionable intelligence on compromised assets and active threats We have sophisticated tools and proprietary data to help us attribute the attack source.
  2. Prepare Risk is the product of threat, impact and vulnerability. While there are many firms in the market that can measure vulnerability and impact, Detica through its experience of protecting the UK’s most sensitive information assets from advanced attacks, has the means to accurately assess the risk of a targeted attack. We review risk in the context of the firm’s existing controls and degree of risk it is willing to tolerate to make a risk assessment and if appropriate, create and blueprint and business case to implement measures for bringing the firm’s security controls in line with the risks it’s prepared to accept. Protect Advise and build secure IT systems, we deploy X-domain technology to provided protected access to highly sensitive data. We enable organisations to integrate IT and physical security, and share intelligence. Monitor Detica Treidan is an enterprise cyber risk management platform developed specifically to detect targeted attacks. Treidan collects network activity data and uses this data, together with data already collected by the firm and data from 3 rd parties’ sources, to detect potentially suspicious activities. Sophisticated analytical techniques employing statistical and behavioural analysis, and our experience of how targeted attacks are perpetrated, are used to spot anomalous activity within the firm’s network and identify the stage of a targeted attacks. We then recommend remedial action based on what we can observe about the attacker’s intent. A managed service providing 24/7 protective monitoring of client networks up to and including IL3 focussed on non-targetted attacks such as virus outbreaks, denial of service attacks and speculative intrusion attempts. > Able to provide global coverage > Near real-time alerting > Cost competitive with others in the SOC market SOC based in Leeds and provides monitoring services to organisations such as HMG and BAE Systems Respond Currently asked to respond to several incidents each month 1 of 3 companies used by Centre for Protection of National Infrastructure to respond to security incidents across commercial base We support major incident response by Confirm: Establish the facts around the initial compromise Capture: Capture logs, network and host agent data for analysis Expose: Fully understand the origin and extent of the compromise Remediate: Safely inhibit the attack and secure the network Resume: Return to normal operations with enhanced security Our aim is to restore the network to a ‘clean’ state in order to resume normal activities We use experienced investigators available for investigations of suspicious activity Catalogue services: Incident review Disk analysis Malware analysis Network and application event log analysis Email analysis We provide actionable intelligence on compromised assets and active threats We have sophisticated tools and proprietary data to help us attribute the attack source.
  3. Prepare Risk is the product of threat, impact and vulnerability. While there are many firms in the market that can measure vulnerability and impact, Detica through its experience of protecting the UK’s most sensitive information assets from advanced attacks, has the means to accurately assess the risk of a targeted attack. We review risk in the context of the firm’s existing controls and degree of risk it is willing to tolerate to make a risk assessment and if appropriate, create and blueprint and business case to implement measures for bringing the firm’s security controls in line with the risks it’s prepared to accept. Protect Advise and build secure IT systems, we deploy X-domain technology to provided protected access to highly sensitive data. We enable organisations to integrate IT and physical security, and share intelligence. Monitor Detica Treidan is an enterprise cyber risk management platform developed specifically to detect targeted attacks. Treidan collects network activity data and uses this data, together with data already collected by the firm and data from 3 rd parties’ sources, to detect potentially suspicious activities. Sophisticated analytical techniques employing statistical and behavioural analysis, and our experience of how targeted attacks are perpetrated, are used to spot anomalous activity within the firm’s network and identify the stage of a targeted attacks. We then recommend remedial action based on what we can observe about the attacker’s intent. A managed service providing 24/7 protective monitoring of client networks up to and including IL3 focussed on non-targetted attacks such as virus outbreaks, denial of service attacks and speculative intrusion attempts. > Able to provide global coverage > Near real-time alerting > Cost competitive with others in the SOC market SOC based in Leeds and provides monitoring services to organisations such as HMG and BAE Systems Respond Currently asked to respond to several incidents each month 1 of 3 companies used by Centre for Protection of National Infrastructure to respond to security incidents across commercial base We support major incident response by Confirm: Establish the facts around the initial compromise Capture: Capture logs, network and host agent data for analysis Expose: Fully understand the origin and extent of the compromise Remediate: Safely inhibit the attack and secure the network Resume: Return to normal operations with enhanced security Our aim is to restore the network to a ‘clean’ state in order to resume normal activities We use experienced investigators available for investigations of suspicious activity Catalogue services: Incident review Disk analysis Malware analysis Network and application event log analysis Email analysis We provide actionable intelligence on compromised assets and active threats We have sophisticated tools and proprietary data to help us attribute the attack source.
  4. Prepare Risk is the product of threat, impact and vulnerability. While there are many firms in the market that can measure vulnerability and impact, Detica through its experience of protecting the UK’s most sensitive information assets from advanced attacks, has the means to accurately assess the risk of a targeted attack. We review risk in the context of the firm’s existing controls and degree of risk it is willing to tolerate to make a risk assessment and if appropriate, create and blueprint and business case to implement measures for bringing the firm’s security controls in line with the risks it’s prepared to accept. Protect Advise and build secure IT systems, we deploy X-domain technology to provided protected access to highly sensitive data. We enable organisations to integrate IT and physical security, and share intelligence. Monitor Detica Treidan is an enterprise cyber risk management platform developed specifically to detect targeted attacks. Treidan collects network activity data and uses this data, together with data already collected by the firm and data from 3 rd parties’ sources, to detect potentially suspicious activities. Sophisticated analytical techniques employing statistical and behavioural analysis, and our experience of how targeted attacks are perpetrated, are used to spot anomalous activity within the firm’s network and identify the stage of a targeted attacks. We then recommend remedial action based on what we can observe about the attacker’s intent. A managed service providing 24/7 protective monitoring of client networks up to and including IL3 focussed on non-targetted attacks such as virus outbreaks, denial of service attacks and speculative intrusion attempts. > Able to provide global coverage > Near real-time alerting > Cost competitive with others in the SOC market SOC based in Leeds and provides monitoring services to organisations such as HMG and BAE Systems Respond Currently asked to respond to several incidents each month 1 of 3 companies used by Centre for Protection of National Infrastructure to respond to security incidents across commercial base We support major incident response by Confirm: Establish the facts around the initial compromise Capture: Capture logs, network and host agent data for analysis Expose: Fully understand the origin and extent of the compromise Remediate: Safely inhibit the attack and secure the network Resume: Return to normal operations with enhanced security Our aim is to restore the network to a ‘clean’ state in order to resume normal activities We use experienced investigators available for investigations of suspicious activity Catalogue services: Incident review Disk analysis Malware analysis Network and application event log analysis Email analysis We provide actionable intelligence on compromised assets and active threats We have sophisticated tools and proprietary data to help us attribute the attack source.
  5. Prepare Risk is the product of threat, impact and vulnerability. While there are many firms in the market that can measure vulnerability and impact, Detica through its experience of protecting the UK’s most sensitive information assets from advanced attacks, has the means to accurately assess the risk of a targeted attack. We review risk in the context of the firm’s existing controls and degree of risk it is willing to tolerate to make a risk assessment and if appropriate, create and blueprint and business case to implement measures for bringing the firm’s security controls in line with the risks it’s prepared to accept. Protect Advise and build secure IT systems, we deploy X-domain technology to provided protected access to highly sensitive data. We enable organisations to integrate IT and physical security, and share intelligence. Monitor Detica Treidan is an enterprise cyber risk management platform developed specifically to detect targeted attacks. Treidan collects network activity data and uses this data, together with data already collected by the firm and data from 3 rd parties’ sources, to detect potentially suspicious activities. Sophisticated analytical techniques employing statistical and behavioural analysis, and our experience of how targeted attacks are perpetrated, are used to spot anomalous activity within the firm’s network and identify the stage of a targeted attacks. We then recommend remedial action based on what we can observe about the attacker’s intent. A managed service providing 24/7 protective monitoring of client networks up to and including IL3 focussed on non-targetted attacks such as virus outbreaks, denial of service attacks and speculative intrusion attempts. > Able to provide global coverage > Near real-time alerting > Cost competitive with others in the SOC market SOC based in Leeds and provides monitoring services to organisations such as HMG and BAE Systems Respond Currently asked to respond to several incidents each month 1 of 3 companies used by Centre for Protection of National Infrastructure to respond to security incidents across commercial base We support major incident response by Confirm: Establish the facts around the initial compromise Capture: Capture logs, network and host agent data for analysis Expose: Fully understand the origin and extent of the compromise Remediate: Safely inhibit the attack and secure the network Resume: Return to normal operations with enhanced security Our aim is to restore the network to a ‘clean’ state in order to resume normal activities We use experienced investigators available for investigations of suspicious activity Catalogue services: Incident review Disk analysis Malware analysis Network and application event log analysis Email analysis We provide actionable intelligence on compromised assets and active threats We have sophisticated tools and proprietary data to help us attribute the attack source.