Partnership for Cyber Resilience
Principles for Cyber Resilience
1. Recognition of interdependence: All parties have a role in fostering a resilient shared digital space
2. Role of leadership: Encourage executive-level awareness and leadership of cyber risk management
3. Integrated risk management: Develop a practical and effective implementation program
4. Promote uptake: Where appropriate, encourage suppliers and customers to develop a similar level of awareness and commitment
Risk and Responsibility in a Hyperconnected World: Final Report 2014
Key Outputs
Findings: Understanding Cyber Risks and Response Readiness
- For most companies across sectors and regions, cyber resilience is a strategic risk
- Executives believe they are losing ground to attackers
- Large companies lack the facts and processes to make effective decisions about cyber resilience
- Concerns about cyberattacks are starting to have measurable negative business implications in some areas and could account for upwards of US$ 3 trillion by 2020
- Substantial actions are required from all players in the cyber resilience ecosystem
Future Scenarios
- Muddling into the future: Organizations move forward with the status quo.
- Backlash decelerates digitization: Attackers become more sophisticated and organizations do not keep pace.
- Cyber resilience accelerates digitization: Organizations are able to adapt and make the changes necessary to combat the evolving threat.
Conclusions and Roadmap for Collaborative Action
- Collaborative action is needed through a joint framework for global cooperation
Framework and Recommendations
[Maturity curve chart: Stage 1 through Stage 5, from current Principles and Guidelines]
Institutional Readiness: Governance, Program Development, Network Development
Maturity levels: attributes and recommendations
Governance:
1. Prioritize information assets based on business risks
2. Integrate cyber-resilience into enterprise-wide risk management and governance processes
Program Development:
1. Provide differentiated protection based on importance of assets
2. Develop deep integration of security into the technology environment to drive scalability
3. Deploy active defenses to uncover attacks proactively
4. Continuous testing to improve incident response
5. Enlist front-line personnel, helping them understand the value of information assets
Public and International Policy: National strategy, Criminal Justice (law enforcement), Regulatory policy, Foreign policy, Public goods, Legal code
Criminal Justice:
1. Disrupt supply chain for attack vectors
Public Good:
1. Increase investments in cyber-security technical education
2. Fund a cyber-security research agenda
3. Create standards for federated identity
Foreign Policy:
1. Create interoperability amongst cyber-security regulations globally
Community: Research, Information sharing, Knowledge transfer, Community self-governance, Shared resources for capability building, Mutual aid
Research:
1. Increase investments in cyber-security technical education
2. Encourage research on the economic impact of cyber security to prioritize and focus policies
Information Sharing:
1. Private and public dialogue to develop appropriate legislation
2. Where legally feasible, institutions find venues for legal information sharing
3. Improve the quality of the ISACs/CERTs/CIERTs
4. Provide safe harbor protection for limited sharing of information across companies with government
5. Reporting standards to companies to inform of cyber-attacks
Systemic Risk: Markets, Embedded security
Risk Markets:
1. Expand reach and breadth of cyber-security insurance markets
Embedded Security:
1. Build a secure internet without user anonymity
Final Report: Key Findings
- 80% of businesses believe cyber security is a strategic risk for their businesses
- 69% of executives interviewed believe the sophistication or pace of attackers will increase somewhat more quickly than institutions' ability to defend themselves
- Concerns about cyber-attacks are starting to have measurable business implications in some areas: slow value capture from cloud computing, mobile technologies and health care technologies
  - 78% of companies said that security concerns delayed adoption of public cloud computing by a year or more
  - 43% said such concerns delayed enterprise mobility capabilities by a year or more
  - 50% of companies overall said that controls had at least a moderate impact on end-user productivity
- Substantial actions are required from all the players in the cyber-security ecosystem: most of the executives interviewed believe they need to improve their own capabilities
Potential Impact of Cyberrisks to Global Economy