EU/US boards’ approach to cyber risk governance - webinar presentation

Philippe Cotelle, Head of Insurance Risk Management, Airbus Defence and Space
Mark Camillo, Head of Cyber EMEA, AIG
The Honorable John P. Carlin, Assistant Attorney General for National Security, U.S. Department of Justice
Mark Hughes, President, BT Security, BT Global Services

Transcript of EU/US boards’ approach to cyber risk governance - webinar presentation

Page 1: EU/US boards’ approach to cyber risk governance - webinar presentation

Philippe Cotelle, Head of Insurance Risk Management, Airbus Defence and Space

Mark Camillo, Head of Cyber EMEA, AIG

The Honorable John P. Carlin, Assistant Attorney General for National Security, U.S. Department of Justice

Mark Hughes, President, BT Security, BT Global Services

Page 2:

The Honorable John P. Carlin, Assistant Attorney General for National Security, United States Department of Justice

Page 3:

A European perspective on the security landscape.

Mark Hughes, BT Security

14th October 2016.

Mark Hughes, CEO of BT Security.

Page 4:

The European threat and how to counter it.

Traditional security is not enough.
• Lack of preparation for new technological challenges such as cloud, big data and shadow IT.
We need to… focus on the protection of data.

Complexity is growing.
• The threat, the countermeasures and the technologies are all growing in complexity.
We need to… forge strategic alliances with peers and security partners.

Scarcity of skills.
• Cyber skills shortage across the EU.
We need to… develop strong recruitment and training programmes.

A lack of focus on EU needs.
• Uncertainty over future legal and commercial frameworks.
We need to… invest in EU-relevant solutions.

Page 5:

The EU Digital Single Market – enabling digital transformation.

• Sets the highest standards globally.

• Requires European companies, and non-EU companies operating in the EU region, to mobilise leading security professionals and resources to comply with these new requirements.

• European security vendors and service providers will have to quickly adapt to demanding customer requirements.

Page 6:

What will make a difference?

• Embedding security in the early stages of new product or service development.

• Influencing key business stakeholders.

• Having a holistic view of company risk.

• Developing vendor/supplier partnerships to build reference architectures.

• Getting full collaboration of internal and external stakeholders.

• Move to predictive vs. reactive.

Page 7:

Page 8:

Risk Managers' contribution to business valuation with digital risk management

Benefits for the Boards and external stakeholders: investors, shareholders, public, regulators…

Philippe Cotelle, Head of Insurance and Risk Management of Airbus Defence & Space

VP of AMRAE IT Commission

Page 9:

Cybersecurity and business valuation

One of the key concerns for Boards:
• Business valuation
• Trust and reputation

Digital risks are affecting both business valuation and trust by the public:
• Fast-paced and evolving, impact across functions
• Once disclosed, high sensitivity of investors and public opinion
• Regulatory pressure in Europe to disclose more transparently on incidents: NIS directive, Data Protection regulation

Digital risks are therefore also a key concern for the Boards

Page 10:

Risk managers' proposition on digital risk management 1/2

Once aware of possible impacts on business valuation:
• Boards should be able to find and support internally the capabilities to respond to this challenge
• Boards should send a key message towards external stakeholders

To move towards a strategic advisor role:
• Risk managers need to link their work to Boards' preoccupation
• Risk managers need to propose solutions relevant for Boards and talk the same language across functions

Page 11:

Risk managers' proposition on digital risk management 2/2

The Risk Management profession…
• Is currently evolving to propose a cross-function digital risk management…
• Gathering representatives of all functions…
• To start an open dialogue on scenarios and exposure

Provide a rationale for a mitigation strategy with a methodology to…
• Identify the scenarios linked to cyber-events (risk identification)
• Assess their financial costs and likelihood (risk assessment)
• Justify the prevention plan with IT investments and the protection plan with captive and insurance, which is complementary and not competitive (risk response)

Page 12:

Challenges ahead for the profession

Development of high-quality indicators and metrics to support the investment decisions on cyber security:
• Accepted indicators and metrics across functions (accounting, IT, legal) and partners (insurance, loss adjuster, public authorities)
• Accepted scenario analysis and possible damages, converted into financial terms
• Accepted terminology and definitions across functions

Proposed research projects on a new digital risk management methodology:
• At EU (Horizon 2020 public funding, cyber public-private partnerships) and OECD level (within specialised working parties)
• Gathering academics, businesses like AIRBUS and professional organisations like FERMA
• Possible start in 2017

Page 13:

1 thing to remember

We are convinced that a high-quality digital risk management will contribute to business valuation

Thank you!

Page 14:

Page 15:

Risk Transfer: Managing Cyber as a Peril

Mark Camillo, Head of Cyber EMEA, AIG

Page 16:

Develop & Quantify Cyber Loss Scenarios

Identify several high-impact, notional, feasible cyber loss scenarios specific to your organization/operations.

Estimate impact for selected scenarios using a structured impact taxonomy:
• Four quadrant model
• All impacts from any cyber event can be categorized into these quadrants

Exposure Quantification: Impact Framework

The four quadrants cross the affected party (1st party, 3rd party) with the damage type (financial damages, tangible damages).

Page 17:

Four Generic Starter Scenarios

Data Theft: Customer & employee bank account info (ACH), credit cards, & other identity information is stolen (SSNs, address). Proprietary exploration & financial data is also suspected to be stolen.

Data Destruction: A Shamoon-style attack deletes hard drive contents on every desktop and laptop computer in the enterprise overnight. Business operations are severely impacted for 2 (or more) weeks while machines are either replaced or restored.

Network Disruption: Attacker compromises network communications used to control field assets. Production operations are impacted due to inability to control remote assets.

ICS Attack: Stuxnet-like malware infects industrial control systems. Attacker takes control of key valves and pressurization equipment, leading to disruption in operation and a major spill of petroleum products.

Page 18:

Top Quadrants: Financial Damages. Some of these impacts are data-breach centric; many could apply to any event.

1st party financial damages:
• Response costs: forensics, notifications, credit monitoring
• Legal: advice and defense
• Public relations: minimizing brand damage
• Revenue losses from network or computer outages, including cloud
• Cost of restoring lost data
• Cyber extortion expenses
• Value of intellectual property

3rd party financial damages. 3rd parties may seek to recover:
• Consequential revenue losses
• Restoration expenses
• Legal expenses
• Shareholder losses
• Other financial damages
3rd party entities may issue or be awarded civil fines and penalties.

Page 19:

Bottom Quadrants: Tangible Damages. These impacts are of increasing concern to all companies, especially critical infrastructure.

1st party tangible damages:
• Mechanical breakdown of your equipment
• Destruction or damage to your facilities or other property
• Environmental cleanup of your property
• Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
• Bodily injury to your employees

3rd party tangible damages:
• Mechanical breakdown of others’ equipment
• Destruction or damage to others’ facilities or other property
• Environmental cleanup of others’ property
• Bodily injury to others

Page 20:

Review & Stress Test Insurance Portfolio

Review all insurance policies to understand cyber coverage or exclusion.

Stress test insurance portfolio with the loss scenarios.

Exposure Quantification, then Insurance Analysis and Stress Test, across all four quadrants (1st party / 3rd party; financial / tangible).

Policy language review:
• Cyber inclusion: ranges from affirmative (favorable) to none
• Cyber exclusion: ranges from none, through partial, to strong/clear (i.e., CL-380)
• Uncertainty: the middle of both ranges, where inclusion is absent and exclusion is none or partial

Page 21:

Traditional Policies May Cover Cyber Impacts

Analysis is required to fully understand how such policies are likely to respond. The response spectrum runs from:
• Affirming language or cyber is a listed peril
• All risk and no cyber exclusions (silence)
• Debatable cyber or electronic data exclusions
• Definitive cyber exclusion (NMA-2914 or CL-380)

Traditional policy types by quadrant:
• 1st party, financial: Crime; Fidelity; Kidnap & Ransom
• 3rd party, financial: Technology E&O; Miscellaneous E&O; Product Recall; Directors & Officers
• 1st party, tangible: Property; Workers Comp; Terrorism; Umbrella; Auto
• 3rd party, tangible: General Liability; Excess Liability; Umbrella; Pollution; Terrorism; Product Liability

AIG products shown on the slide: AIG CyberEdge; AIG CyberEdge PC/Plus
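The quantification and stress-test method described on pages 11, 16, 17, 20 and 21 (identify scenarios, estimate their cost and likelihood, tag each impact with a quadrant of the four-quadrant taxonomy, then run the scenarios against the insurance portfolio's cyber inclusion/exclusion wording) can be carried out in a few dozen lines. The following is an added example, not tooling from AIG, Airbus or the presenters: the four starter scenarios are taken from page 17, but every loss figure, likelihood, policy, limit and policy response is a constructed illustration.

```python
"""Cyber loss scenarios, four-quadrant impact taxonomy and an insurance
stress test.  Added example (not tooling from AIG or the presenters);
all loss figures, likelihoods, limits and policy responses are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List


class Quadrant(Enum):
    """The impact framework's four quadrants (party x damage type)."""
    FIRST_PARTY_FINANCIAL = "1st party financial"
    THIRD_PARTY_FINANCIAL = "3rd party financial"
    FIRST_PARTY_TANGIBLE = "1st party tangible"
    THIRD_PARTY_TANGIBLE = "3rd party tangible"


class Response(Enum):
    """How a policy is likely to respond to a cyber loss (the slide's spectrum)."""
    AFFIRMATIVE = "affirming language or cyber is a listed peril"
    SILENT = "all risk, no cyber exclusion"
    DEBATABLE = "debatable cyber or electronic data exclusion"
    EXCLUDED = "definitive cyber exclusion (e.g. NMA-2914, CL-380)"


@dataclass
class Scenario:
    name: str
    annual_likelihood: float            # P(event occurs within a year)
    impact: Dict[Quadrant, float]       # estimated loss per quadrant, EUR

    def total_loss(self) -> float:
        return float(sum(self.impact.values()))

    def expected_loss(self) -> float:
        """Annualised expected loss: likelihood x total impact."""
        return self.annual_likelihood * self.total_loss()


@dataclass
class Policy:
    name: str
    quadrants: FrozenSet[Quadrant]      # quadrants the policy can respond in
    limit: float                        # aggregate limit shared across quadrants
    response: Response


def stress_test(scenario: Scenario, portfolio: List[Policy]) -> Dict[str, float]:
    """Run one scenario through the portfolio.

    Each quadrant's loss is allocated, in portfolio order, to policies that
    respond in that quadrant, consuming each policy's limit.  Affirmative
    wording counts as 'covered'; silent or debatable wording is 'uncertain'
    (the policy may or may not pay); a definitive exclusion pays nothing.
    Whatever is left after all policies is 'uncovered' exposure.
    """
    result = {"covered": 0.0, "uncertain": 0.0, "uncovered": 0.0}
    remaining_limit = {id(p): float(p.limit) for p in portfolio}
    for quadrant, loss in scenario.impact.items():
        outstanding = float(loss)
        for policy in portfolio:
            if outstanding <= 0 or quadrant not in policy.quadrants:
                continue
            if policy.response is Response.EXCLUDED:
                continue
            paid = min(outstanding, remaining_limit[id(policy)])
            remaining_limit[id(policy)] -= paid
            outstanding -= paid
            bucket = "covered" if policy.response is Response.AFFIRMATIVE else "uncertain"
            result[bucket] += paid
        result["uncovered"] += outstanding
    return result


def expected_uncovered(scenarios: List[Scenario], portfolio: List[Policy]) -> float:
    """Likelihood-weighted uncovered exposure summed over all scenarios."""
    return sum(s.annual_likelihood * stress_test(s, portfolio)["uncovered"]
               for s in scenarios)


Q = Quadrant
# Constructed figures for the slide's four starter scenarios (not from the talk).
SCENARIOS = [
    Scenario("Data theft", 0.10,
             {Q.FIRST_PARTY_FINANCIAL: 2_000_000, Q.THIRD_PARTY_FINANCIAL: 4_000_000}),
    Scenario("Data destruction (Shamoon-style)", 0.03,
             {Q.FIRST_PARTY_FINANCIAL: 4_000_000}),
    Scenario("Network disruption", 0.05,
             {Q.FIRST_PARTY_FINANCIAL: 1_500_000, Q.FIRST_PARTY_TANGIBLE: 500_000}),
    Scenario("ICS attack (Stuxnet-like)", 0.01,
             {Q.FIRST_PARTY_TANGIBLE: 10_000_000, Q.THIRD_PARTY_TANGIBLE: 20_000_000}),
]

# Constructed portfolio: an affirmative cyber policy, a property policy that is
# silent on cyber, and a liability policy carrying a definitive cyber exclusion.
PORTFOLIO = [
    Policy("Cyber", frozenset({Q.FIRST_PARTY_FINANCIAL, Q.THIRD_PARTY_FINANCIAL}),
           5_000_000, Response.AFFIRMATIVE),
    Policy("Property (all risk, silent on cyber)", frozenset({Q.FIRST_PARTY_TANGIBLE}),
           25_000_000, Response.SILENT),
    Policy("General liability (CL-380 style exclusion)", frozenset({Q.THIRD_PARTY_TANGIBLE}),
           50_000_000, Response.EXCLUDED),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        r = stress_test(s, PORTFOLIO)
        print(f"{s.name:34s} expected {s.expected_loss():>11,.0f}  covered {r['covered']:>11,.0f}"
              f"  uncertain {r['uncertain']:>11,.0f}  uncovered {r['uncovered']:>11,.0f}")
    print(f"Annualised uncovered exposure: {expected_uncovered(SCENARIOS, PORTFOLIO):,.0f}")
```

The stress test makes the slide's point concrete: with these constructed inputs the data-theft scenario exhausts the cyber policy's aggregate limit and leaves 1,000,000 uncovered, the ICS scenario's first-party physical damage lands in the "uncertain" bucket because the property wording is silent, and its third-party damage is fully uncovered because of the definitive exclusion. Rerunning with the exclusion replaced by affirmative wording moves that 20,000,000 into the covered bucket, which is the kind of figure a board can weigh against the premium for a policy such as the PC/Plus products named on page 21.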

Page 22:

Any Questions? Please use the GoTo Webinar Dashboard to send a question to the Moderator.