EU/US boards’ approach to cyber risk governance - webinar presentation
Transcript of EU/US boards’ approach to cyber risk governance - webinar presentation
Philippe Cotelle, Head of Insurance Risk Management, Airbus Defence and Space
Mark Camillo, Head of Cyber EMEA, AIG
The Honorable John P. Carlin, Assistant Attorney General for National Security, U.S. Department of Justice
Mark Hughes, President, BT Security, BT Global Services
A European perspective on the security landscape.
Mark Hughes, BT Security
14th October 2016.
Mark Hughes, CEO of BT Security.
The European threat and how to counter it.
Traditional security is not enough.
• Lack of preparation for new technological challenges such as cloud, big data and shadow IT.
We need to… focus on the protection of data.
Complexity is growing.
• The threat, the countermeasures and the technologies are all growing in complexity.
We need to... forge strategic alliances with peers and security partners.
Scarcity of skills.
• Cyber skills shortage across the EU.
We need to… develop strong recruitment and training programmes.
A lack of focus on EU needs.
• Uncertainty over future legal and commercial frameworks.
We need to… invest in EU-relevant solutions.
The EU Digital Single Market – enabling digital transformation.
• Sets the highest standards globally.
• Requires European companies, and non-EU companies operating in the EU region, to mobilise leading security professionals and resources to comply with these new requirements.
• European security vendors and service providers will have to adapt quickly to demanding customer requirements.
What will make a difference?
• Embedding security in the early stages of new product or service development.
• Influencing key business stakeholders.
• Having a holistic view of company risk.
• Developing vendor/supplier partnerships to build reference architectures.
• Getting full collaboration of internal and external stakeholders.
• Moving from reactive to predictive.
Risk managers' contribution to business valuation with digital risk management
Benefits for the Boards and external stakeholders: investors, shareholders, public, regulators…
Philippe Cotelle, Head of Insurance and Risk Management of Airbus Defence & Space
VP of AMRAE IT Commission
Cybersecurity and business valuation
One of the key concerns for Boards:
• Business valuation
• Trust and reputation
Digital risks affect both business valuation and public trust:
• Fast-paced and evolving, with impact across functions
• Once disclosed, high sensitivity of investors and public opinion
• Regulatory pressure in Europe to disclose incidents more transparently: NIS Directive, Data Protection Regulation
Digital risks are therefore also a key concern for the Boards
Risk managers' proposition on digital risk management 1/2
Once aware of possible impacts on business valuation:
• Boards should be able to find and support internally the capabilities to respond to this challenge
• Boards should send a key message towards external stakeholders
To move towards a strategic advisor role:
• Risk managers need to link their work to Boards' preoccupations
• Risk managers need to propose solutions relevant for Boards and talk the same language across functions
Risk managers' proposition on digital risk management 2/2
The Risk Management profession…
• Is currently evolving to propose a cross-function digital risk management…
• Gathering representatives of all functions…
• To start an open dialogue on scenarios and exposure
Provide a rationale for a mitigation strategy with a methodology to…
• Identify the scenarios linked to a cyber event (risk identification)
• Assess their financial costs and likelihood (risk assessment)
• Justify the prevention plan with IT investments and the protection plan with captive and insurance, which are complementary and not competitive (risk response)
Challenges ahead for the profession
Development of high-quality indicators and metrics to support the investment decisions on cyber security
• Accepted indicators and metrics across functions (accounting, IT, legal) and partners (insurance, loss adjuster, public authorities)
• Accepted scenario analysis and possible damages, converted into financial terms
• Accepted terminology and definitions across functions
Proposed research projects on a new digital risk management methodology
• At EU level (Horizon 2020 public funding, cyber public-private partnerships) and OECD level (within specialised working parties)
• Gathering academics, businesses like AIRBUS and professional organisations like FERMA
• Possible start in 2017
1 thing to remember
We are convinced that a high-quality digital risk management will contribute to business valuation
Thank you!
Risk Transfer: Managing Cyber as a Peril
Mark Camillo, Head of Cyber, [email protected]
Develop & Quantify Cyber Loss Scenarios
Identify several high-impact, notional, feasible cyber loss scenarios specific to your organization and operations
Estimate the impact of the selected scenarios using a structured impact taxonomy
• Four quadrant model
• All impacts from any cyber event can be categorized into these quadrants
Slide diagram: Exposure Quantification Impact Framework, a 2×2 grid of 1st Party / 3rd Party against Financial Damages / Tangible Damages.
Four Generic Starter Scenarios
Data Theft
• Customer & employee bank account info (ACH), credit cards, & other identity information is stolen (SSNs, address)
• Proprietary exploration & financial data is also suspected to be stolen
Data Destruction
• A Shamoon-style attack deletes hard drive contents on every desktop and laptop computer in the enterprise overnight
• Business operations are severely impacted for 2 (or more) weeks while machines are either replaced or restored
Network Disruption
• Attacker compromises network communications used to control field assets
• Production operations are impacted due to inability to control remote assets
ICS Attack
• Stuxnet-like malware infects industrial control systems
• Attacker takes over control of key valves and pressurization equipment, leading to disruption of operation and a major spill of petroleum products
Top Quadrants: Financial Damages
Some of these impacts are data-breach centric; many could apply to any event.
1st Party Financial Damages:
• Response costs: forensics, notifications, credit monitoring
• Legal: advice and defense
• Public Relations: minimizing brand damage
• Revenue losses from network or computer outages, including cloud
• Cost of restoring lost data
• Cyber extortion expenses
• Value of intellectual property
3rd Party Financial Damages. 3rd parties may seek to recover:
• Consequential revenue losses
• Restoration expenses
• Legal expenses
• Shareholder losses
• Other financial damages
3rd party entities may also issue or be awarded civil fines and penalties.
Bottom Quadrants: Tangible Damages
These impacts are of increasing concern to all companies, especially critical infrastructure.
1st Party Tangible Damages:
• Mechanical breakdown of your equipment
• Destruction or damage to your facilities or other property
• Environmental cleanup of your property
• Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
• Bodily injury to your employees
3rd Party Tangible Damages:
• Mechanical breakdown of others’ equipment
• Destruction or damage to others’ facilities or other property
• Environmental cleanup of others’ property
• Bodily injury to others
Review & Stress Test Insurance Portfolio
Review all insurance policies to understand cyber coverage or exclusion
Stress test the insurance portfolio with the loss scenarios
Slide diagram: the four-quadrant Exposure Quantification matrix (1st Party / 3rd Party against Financial / Tangible) feeds an Insurance Analysis and Stress Test. A Policy Language Review rates each policy on Cyber Inclusion (Affirmative (favorable) / None), Cyber Exclusion (None / Partial / Strong/clear, i.e., CL-380) and the resulting Uncertainty.
Traditional Policies May Cover Cyber Impacts
Analysis is required to fully understand how such policies are likely to respond. Policy language falls into four categories:
• Affirming language, or cyber is a listed peril
• All risk and no cyber exclusions (silence)
• Debatable cyber or electronic data exclusions
• Definitive cyber exclusion (NMA-2914 or CL-380)
Traditional policies mapped onto the four quadrants:
• 1st Party Financial: Crime, Fidelity, Kidnap & Ransom
• 3rd Party Financial: Technology E&O, Miscellaneous E&O, Product Recall, Directors & Officers
• 1st Party Tangible: Property, Workers Comp, Terrorism, Umbrella, Auto
• 3rd Party Tangible: General Liability, Excess Liability, Umbrella, Pollution, Terrorism, Product Liability
AIG CyberEdge
AIG CyberEdge PC/Plus
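The exposure quantification and the portfolio stress test described in the slides above, as an added worked example that is not part of the webinar and not AIG's or the presenters' own tooling. It assumes a deliberately simplified model: each policy responds to a fixed set of quadrants, carries one aggregate limit per scenario, and is rated with one of the four policy-language categories from the slide; recovery under affirmative language is counted as firm, recovery that depends on silent or debatable wording is counted as uncertain, and definitive exclusions pay nothing. All policy names, limits and scenario loss figures are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class Quadrant(Enum):
    """The four-quadrant impact taxonomy: party x damage type."""
    FIRST_PARTY_FINANCIAL = "1st party financial"
    THIRD_PARTY_FINANCIAL = "3rd party financial"
    FIRST_PARTY_TANGIBLE = "1st party tangible"
    THIRD_PARTY_TANGIBLE = "3rd party tangible"


class Language(Enum):
    """Policy-language categories from the slide, ranked firmest first."""
    AFFIRMATIVE = 0           # affirming language, or cyber is a listed peril
    SILENT = 1                # all risk, no cyber exclusion
    DEBATABLE = 2             # debatable cyber or electronic-data exclusion
    DEFINITIVE_EXCLUSION = 3  # NMA-2914 / CL-380 style exclusion


@dataclass
class Policy:
    name: str
    quadrants: frozenset      # quadrants the policy is meant to respond to
    limit: float              # per-scenario aggregate limit (simplification)
    language: Language


@dataclass
class Scenario:
    name: str
    impact: dict              # Quadrant -> estimated loss, one currency throughout


def stress_test(scenario, policies):
    """Allocate each quadrant's loss to the policies, firmest language first.

    Returns per-quadrant buckets plus scenario totals:
      firm      - recoverable under affirmative cyber language
      uncertain - depends on silent or debatable wording (needs legal review)
      retained  - worst case: everything that is not firm
    """
    remaining_limit = {p.name: p.limit for p in policies}
    result = {"by_quadrant": {}, "gross": 0.0, "firm": 0.0, "uncertain": 0.0}
    for q in Quadrant:
        loss = float(scenario.impact.get(q, 0.0))
        buckets = {"gross": loss, "firm": 0.0, "uncertain": 0.0}
        remaining = loss
        candidates = sorted((p for p in policies if q in p.quadrants),
                            key=lambda p: p.language.value)
        for p in candidates:
            if remaining <= 0 or p.language is Language.DEFINITIVE_EXCLUSION:
                continue  # an excluded policy contributes nothing
            paid = min(remaining, remaining_limit[p.name])
            remaining_limit[p.name] -= paid
            remaining -= paid
            key = "firm" if p.language is Language.AFFIRMATIVE else "uncertain"
            buckets[key] += paid
        buckets["retained"] = loss - buckets["firm"]
        result["by_quadrant"][q.value] = buckets
        for k in ("gross", "firm", "uncertain"):
            result[k] += buckets[k]
    result["retained_worst_case"] = result["gross"] - result["firm"]
    result["retained_best_case"] = result["gross"] - result["firm"] - result["uncertain"]
    return result


FIN1, FIN3 = Quadrant.FIRST_PARTY_FINANCIAL, Quadrant.THIRD_PARTY_FINANCIAL
TAN1, TAN3 = Quadrant.FIRST_PARTY_TANGIBLE, Quadrant.THIRD_PARTY_TANGIBLE

# Constructed sample portfolio: names, quadrants and limits are illustrative only
PORTFOLIO = [
    Policy("Cyber (affirmative)", frozenset({FIN1, FIN3}), 10_000_000, Language.AFFIRMATIVE),
    Policy("Property (all risk, silent on cyber)", frozenset({TAN1}), 25_000_000, Language.SILENT),
    Policy("General Liability (debatable e-data exclusion)", frozenset({TAN3}), 10_000_000,
           Language.DEBATABLE),
    Policy("Pollution (CL-380 exclusion)", frozenset({TAN3}), 30_000_000,
           Language.DEFINITIVE_EXCLUSION),
]

# Constructed loss estimates for two of the four starter scenarios
SCENARIOS = [
    Scenario("Data destruction", {FIN1: 8_000_000}),
    Scenario("ICS attack", {FIN3: 3_000_000, TAN1: 15_000_000, TAN3: 20_000_000}),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        r = stress_test(s, PORTFOLIO)
        print(f"{s.name}: gross {r['gross']:,.0f}  firm {r['firm']:,.0f}  "
              f"uncertain {r['uncertain']:,.0f}  retained worst/best "
              f"{r['retained_worst_case']:,.0f}/{r['retained_best_case']:,.0f}")
```

The spread between worst-case and best-case retained loss is the quantity the policy language review exists to shrink: in the constructed ICS scenario the financial quadrants are firmly covered, but the tangible quadrants rest entirely on a silent property policy and a debatable liability exclusion, so the board sees a retained exposure anywhere between 10 and 35 million depending on wording it has not yet clarified.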
Any Questions?
Please use the GoTo Webinar Dashboard to send a question to the Moderator