Opening Remarks. David Bradford President, Research & Editorial Division Advisen

Transcription

1 Welcome!

2 Opening Remarks David Bradford President, Research & Editorial Division Advisen

3 Thank you to our sponsors

4 Keynote Address Summer Fowler Deputy Technical Director of the CERT Cyber Security Solutions Directorate in the CERT Program at the Software Engineering Institute (SEI) of Carnegie Mellon

5 Cyber Risk Insights Summer Craze Fowler Deputy Technical Director Carnegie Mellon University May Carnegie Mellon University 2013 Carnegie Mellon University

6 Super long title indicates importance, right? Background in software/systems engineering and technical project management Have worked at CERT for almost 7 years (no itch, I love it!) Fun Facts: I grew up in WV but the part at the top with no southern accent Same house as Lady Gaga s mom wondering which of my kids will wear a meat dress 2014 Carnegie Mellon University 6

7 CERT Software Engineering Institute Carnegie Mellon U Software Engineering Institute (SEI) Federally funded research and development center based at Carnegie Mellon University Basic and applied research in partnership with government and private organizations CERT Anticipating and solving our nation s cybersecurity challenges Focused on information security, digital investigation and forensics, building secure systems and software, insider threat, operational resilience, vulnerability analysis, network situational awareness, and coordinated response 2014 Carnegie Mellon University 7

8 Trends in Cyber Security Banking Trojans: appear to be legitimate function and trick user into installing malicious code Zero Day Attack: exploits a previously unknown vulnerability expensive to acquire Botnet: network of compromised machines that can communicate and act together PoS & Card skimming: steal info at time of legitimate purchase 2014 Carnegie Mellon University 8

9 2014 Carnegie Mellon University 9

10 I m not in the business of fear these stories sell newspapers (or hits on websites) but they don t solve anything unless we learn from them Threat Consequence 2014 Carnegie Mellon University 10

11 Moving from Threat Consequence CERT has over a decade of experience in cyber risk management Codified in the CERT-RMM Start with identification of critical assets People, Process, Technology, Supply Chain Cyber risk is unique to each organization But perimeter defense is standard (would/could you buy a car without seat belts or airbags?) To gain critical Senior buy-in getting to dollars and cents is essential 2014 Carnegie Mellon University 11

12 Moving from Threat Consequence Start with assets to be protected Top-down: value chain (e.g., safety, reputation) Bottom-up: critical assets prioritized by CONSEQUENCE Understand vulnerabilities (scenarios) Based on threat sophistication, likelihood, imminence Create risk index for each asset Institutionalize cyber risk How am I doing today? Can I sustain high performance? Threat is ever-changing (and out of our control), but assets are more stable and can be prioritized/monetized 2014 Carnegie Mellon University 12

13 Where Can You Get Assistance? DHS engaging community and releasing third report soon Google DHS cybersecurity insurance Tom Finan is engaging industry Investigating development of cross-sector cyber incident database Voluntary program self-assessment for cybersecurity baseline CERT has a team focused on cyber risk management working in the cyber insurance space Summer Fowler: sfowler@cert.org Austin Montgomery: amontgom@sei.cmu.edu 2014 Carnegie Mellon University 13

14 Cyber Market Metrics David Bradford President, Research & Editorial Division Advisen Slides are available for members only

15 Wrap-up Cyber risk insurance market growing rapidly $5 billion potential U.S. market Nature of the threats is evolving Though lost/stolen paper remains a risk No sector is immune Liability threat is growing globally

16 Risk Intelligence: Cyber Aware Enterprise

17 Risk Intelligence: Cyber Aware Enterprise Mary Beth Borgwing Global Executive Director, Risk Network & Cyber Risk Practice Advisen Moderator

18 Risk Intelligence: Cyber Aware Enterprise Mary Beth Borgwing, Global Executive Director, Risk Network & Cyber Risk Practice, Advisen (Moderator) Evelyn de Souza, Data Privacy and Compliance Leader, Cisco Systems Sandeep Dhameja, Risk Management Team Leader, Federal Reserve Bank of Chicago Renee Guttmann, CISO, The Coca-Cola Company Melissa Ventrone, Partner, Wilson Elser

19 Panel Objectives Provide background on Cyber Risk How do Companies Manage Cyber Risk Role of Insurance and Risk Intelligence

20 High Level Definitions Information Security Cyber Security Cyber Risk Program to protect: confidentiality, integrity and availability of data and systems (CIA). Includes data on paper. Focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction. Management and Governance of Information Security/Cyber Security generally at enterprise level

21 Notable Cyber Events Nation-State attributed to attack on Google/others. Mandiant makes public 100 companies breached from Chinese Military. Credit Card Theft Makes Headlines in Secret Service arrests 20 year sentence. Computer Security Company Attacked leads to loss in customer confidence and potentially weakens their security Recent security breach of credit cards and personal data. CEO terminated. Attackers used a third party provider (HVAC) to gain access.

22 2014 Public Data # Companies Reporting Breach by Geographic Location

23 What s A Company To Do?

24 IDENTIFY AND MANAGE RISKS 1. EXTERNAL THREATS Includes attack by individuals, problems with software or systems 2. INTERNAL THREATS Includes employee or Third party Attack or Error 3. ACTIONABLE RISK MANAGEMENT Implement an Information Security Program Appropriate for Business and Risk. Adopt Industry Standards, Map Controls to Business Risks Where There is Not Yet a Standard of Due Care. BECOME INFORMED. 4. REPEAT 1 3 AT LEAST ANNUALLY Incorporate review as part of Enterprise Risk Management Program and Ensure Executive Awareness

25 Common Public & Private Sector Risks Information Technology Supply Chain Backbone of the Internet, Satellites, Communication providers, Packet Traffic, Public Private Internet Technology Providers Software, Hardware, Vendors, Service Providers

26 Role of Cyber Insurance US risk managers perceive that 54% of board members and 64% of c-suite execs view cyber risks as a significant threat to their organizations. Among US risk managers, 97% of large company RMs and 91% of small company RMs view cyber risks as at least a moderate threat to their organizations. Damage to your organization's reputation resulting from a data breach was the biggest concern of respondents 80% said that information security risks are a specific risk management focus within their organization. 56 percent of organizations have a multi-departmental information security risk management team or committee. Risk managers have a seat on 76% of those teams/committees. 52% of respondents said their organization purchases cyber insurance, up from 44% in 2012.

27 Role of Cyber Risk Intelligence in Managing Risk Offense VS. Defense In Managing Cyber Risk For The Enterprise Tables Have Turned Standard Operating Procedures For the Internet of Things Enterprise Definitions and Deep Understanding of Interactions On What is Dependent on Connected Devices Identifying, Prioritizing & Assessing Cyber Risk Develop Case Scenario For Cybergeddon Business Continuity Plan & Financial Consequences Role of Risk Transfer & Insurance Reputation Risk & Brand Management Shareholder Confidence & Trust Globalization of Cyber Risk & Economic Impacts

28 Key Take Aways Identify and get to know the individuals in charge of Information Security, Privacy, Fraud etc. Ask how Information Security/Cyber Risks are Identified and Managed Determine Enterprise/Executive Support Help set Tone at the Top Analyze Benefit of Cyber Insurance and Cyber Risk Intelligence Increase Understanding Join IN

29 Questions?

30 Risk Intelligence: Cyber Aware Enterprise Evelyn de Souza Cisco Systems Sandeep Dhameja Federal Reserve Bank of Chicago Renee Guttmann The Coca- Cola Company Melissa Ventrone Wilson Elser Mary Beth Borgwing Advisen

31 Cyber Risk Ecosystem

32 Cyber Risk Ecosystem David Bradford President, Research & Editorial Division Advisen Moderator

33 Cyber Risk Ecosystem David Bradford, President, Research & Editorial Division, Advisen (Moderator) Nancy Bewlay, Managing Director, Head of Underwriting Casualty, US and Canada, Swiss Re Steve Bridges, Senior Vice President, Aon John Merchant, Associate Vice President, Cyber & Professional Liability, Freedom Specialty

34 Cyber Risk Ecosystem Nancy Bewlay Swiss Re Steve Bridges Aon John Merchant Freedom Specialty David Bradford Advisen

35 Mock Data Breach Table Top

36 Mock Data Breach Table Top Nick Economidis Professional Liability Underwriter Beazley Moderator

37 Mock Data Breach Table Top Nick Economidis, Professional Liability Underwriter, Beazley (Moderator) Warren Daniel, Director, PricewaterhouseCoopers LLP Lara Forde, Response Team Manager, AllClear ID Renee Guttmann, CISO, The Coca-Cola Company Molly McGinnis Stine, Partner, Cyber Insurance Group, Locke Lord LLP George Pagano, Complex Claim Director, Cyber/Media/Technology, Financial Lines, AIG Property Casualty

38 Mock Data Breach Table Top Warren Daniel PwC Lara Forde AllClear ID Renee Guttmann The Coca-Cola Company Molly McGinnis Stine Locke Lord George Pagano AIG Nick Economidis Beazley

39 Sponsored by For more information about subscriptions contact Jim Delaney at

40 Closing Remarks David Bradford President, Research & Editorial Division Advisen

41 Thank you to our sponsors

42

43