The dark heart of digital transformation: Cybersecurity
The list is endless
• In November last year, hackers stole £2.5m from 9,000 Tesco Bank customers
in a raid the UK's Financial Conduct Authority described as "unprecedented".
• In December 2016 hackers stole more than 2 billion rubles ($31 million) from
correspondent accounts at the Russian central bank and from accounts in
commercial banks, the bank said on Friday, the latest example of an escalation
of cyber attacks on financial institutions around the globe.
• Prof Richard Benham, chairman of the National Cyber Management Centre,
gives a dire warning: "A major bank will fail as a result of a cyber-attack in
2017 leading to a loss of confidence and a run on that bank."
The great cyber-security disconnect
• If it’s so serious why does no-one take it seriously?
• If cybercrime is expected to cost the world more than $6 trillion by 2021,
why do projections for the size of the global cybersecurity market predict
revenues of just $170 billion by 2020?
• Why do the world’s biggest cyber-security vendors only have global
revenues in the $1bn - $1.5bn range, growing at mid-single digit rates?
• If governments are serious about cyber-security, then where are its
ministries? Why are cyber-security resources vanishingly small relative
to other forms of law enforcement?
… more disconnect
• If companies take cyber-security seriously, why does it not look the same as
other things they take seriously (board access/representation, funding,
seniority)?
• If collaboration is key then why so few industry information sharing groups
and why don’t they really share?
• If collaboration is key then transparency is key – so why the emphasis on
secrecy?
PS: A secret: secrecy is not a viable strategy in a new era of scrutiny.
“The more secretive [a company] is, the more leaks induce fear and paranoia in
its leadership and planning coterie. This must result in minimization of efficient
internal communications mechanisms (an increase in cognitive ‘secrecy tax’).”
• Only 5 per cent of FTSE 100 companies have disclosed
having a director responsible for cyber risks despite fears
that corporations are increasingly in danger of becoming
targets of hacking.
• Nine in 10 of the FTSE 100 companies identified “one or
more” elements of cyber risk in their disclosures, according
to a study by professional services firm Deloitte.
• 71 per cent of corporations identified IT systems failure in
the principal concerns and 72 per cent highlighted a cyber
attack as a risk.
• 11 per cent of the reports mentioned the creation of a new
role or body to take overall accountability for cyber risk.
• More than half of companies mentioned cyber contingency,
crisis management or disaster recovery plans in their annual
report. However, only 58 per cent disclosed that these plans
had been simulated in test scenarios over the year.
• “The vast majority of FTSE 100 reports acknowledge the
principal risk, but there are wide variations in the disclosure
of cyber risk management and mitigation strategies.” Phil
Everson, head of cyber risk services at Deloitte UK.
Seriously?
Advert from LinkedIn
XXXX, from XX Recruitment
Headhunter - Cyber Security
Head of Information Security - Experienced leader with battle scars required for £2bn
London based organisation immediately.
The client will consider contract or permanent members
Day Rate £650
Contract length - Min 6 months.
You have a strong track record in building information security teams, understand
business risk and have operated in companies with 50,000 + employees
CISO symbolic?
• Why do so few companies have CISOs?
• Why is the role so random?
• Why do so many CISOs quickly jump ship to the sell-side or nowhere?
• Why do CISOs find it so difficult to get hold of the levers of real
change?
• How can the role be fulfilled equally well by policemen, spies,
techies, heads of training, compliance, project managers…?
What kind of CISO do you have?
Risk CISO: Assesses risk; the business decides what to do and what to buy.
Compliance CISO: Writes policy; actions are taken by others on the basis of that policy.
Project CISO: Brought in to do PCI DSS and manage that.
Threat CISO: There because the business knows it’s a target and has to do
something, but no-one has a clear idea of what.
IT Security CISO: Actually a manager in charge of doing low-level technical work.
18-month CISO: Hired to take the fall (the board knows a train is about to crash),
or hired to tick a box; 18 months in they’ve no power, no budget, no point.
Visionary CISO: Experimenting because they know the status quo is broken, but
probably still floundering.
The industrialisation of cybercrime
• The OVH DDoS attack used 150,000 IoT devices. Imagine what a Smart City could
do. Internet threats will be transformed from attacks on confidentiality to damaging
attacks on the availability and integrity of digital and physical systems.
• IoT hacks will become disasters in the real world. And traditional computer and
network security isn’t prepared to deal with them.
• Artificial intelligence and machine learning are the latest buzzwords among
solution vendors. But what happens when the malware developers use the same
technologies to attack? How do we prepare for machine versus machine and
increased automation?
• Are you really ready for the future? The IoT? AI malware? Automated security?
Scale changes everything (and it’s only just begun)
• It raises the probability of attack and of loss for everyone which means it becomes a risk
boards start to look at.
• It increases third-party scrutiny, which creates the kinds of financial effects that boards
respond to.
• It makes cyber-security a proper enterprise risk-management problem, not a niche
tech/training problem.
• It means that the role of CISO (or whatever it comes to be called) becomes better
defined. It means cyber-security will be transformed as it becomes a fully accepted part
of enterprise business management.
• It means the vendor landscape will dramatically alter because the problem is
dramatically changing.
Underestimating scrutiny
• Hedge funds are now publicly shorting companies they see as cyber-weak. Cyber-security will
drive share prices regardless of sector.
• Asset managers lobby for compulsory cyber-audits of investee companies.
• Insurers are demanding full disclosure as the first step in providing cyber insurance.
• Ratings agencies and specialist cyber-security raters are scoring your cyber-security efforts in
public and you can’t stop them. How do you work with them to preserve your reputation and
access to markets?
• M&A deals stand or fall on cyber-due diligence. Verizon wants a billion-dollar discount after the
Yahoo data breach.
• Cyber-security is a political football: witness the senators calling for investigations into the
Yahoo data breach, which has also attracted the attention of the SEC.
Cyber-security in M&A
In a recent survey report NYSE Governance Services and
Veracode reported that 85% of directors believe discovery of a major
vulnerability during due diligence would impact their final decision on
a merger or acquisition.
Meanwhile a Freshfields Bruckhaus Deringer survey of global deal-
makers reported that 51% of North American respondents had seen
cyber security becoming a key part of due diligence in the past year,
compared to only 39% in Europe. That figure is likely to be lower still in
New Zealand. It appears that directors are recognizing the issue, but
perhaps not yet addressing it.
Shorting cyber-incompetence
• Cybersecurity companies and investment firms publicly announce
cybersecurity vulnerabilities as a part of a short selling strategy.
• Public disclosure of security flaws by companies looking to make a profit.
• Companies may also face additional security threats if they learn of
security vulnerabilities at the same time as hackers, eliminating their
ability to fix the bugs before they are announced to the public.
More Regulation
• GDPR: fines are material; re-regulation has made cyber-security a financial variable.
• The governor of New York State has announced sweeping new cybersecurity regulations for
the financial service industry, designed to improve resilience to online attacks and keep
customer data safe. Came into force March 1 2017.
It demands a cybersecurity program that “is adequately funded and staffed, overseen by
qualified management, and reported on periodically to the most senior governing body of
the organization.”
Firms also have to notify the Department of Financial Services (DFS) of any “material
events” and scrutinize security procedures at third party providers – often a weak link when
it comes to protecting data and systems from attack.
A DFS poll of 40 banks back in 2015 revealed that only around a third mandate that their
partners notify them of any breaches.
Ratings scrutiny
• How do you measure the exposure and report on cyber-risk?
• Do you have a robust, well-documented program to monitor cyber-risks?
• How many times was the business the target of a high-level attack during the past
year, and how far did it reach in the system?
• What areas does the bank feel are still vulnerable to attack?
• Does the bank have any third-party vendor oversight? If so, what kind and how
much?
• What is the bank’s readiness with respect to the NIST framework?
• How does the bank ward off phishing and diminish the likelihood of having data
compromised from an internal breach?
… wait, there’s more
• What’s the internal phishing success rate?
• How long has it typically taken to detect a cyberattack?
• What containment procedures are in place if the bank is breached?
• Are emergency scenarios test-run?
• What software or other techniques are used to monitor attacks?
• What kind of expertise about cyberattacks exists on the board of directors?
• How much does the bank spend on cybersecurity, and what resources does it devote? What is the
total tech budget this year versus last?
• What are banks’ capabilities vs peers, and how are they assessed? Is information shared with
peers?
• Does the bank have any insurance to compensate for a cyberattack?
Institutional Investors
• Equity investors – pension funds,
mutual funds, insurance
companies….
• Debt investors – banks, pension
funds, mutual funds, insurance
companies….
"Cyber security is a significant risk to our investee companies. It
is incumbent upon us to discuss how company boards are managing
cyber security and their digital infrastructure throughout the
corporate year," said David Patt, senior analyst for corporate
governance and public policy at LGIM.
"We are concerned that many responses we receive to this
major corporate risk are insufficient. Boards need to be more
aware of their operational environment and emerging threats to
their business. Simply put, it can affect a company's value."
Governance, CSR, ESG, transparency
• Corporate and social responsibility
• Environmental, social and corporate governance
• Dow Jones Sustainability Index, Borsa Istanbul Sustainability Index
• Remember L&G?
CVC Capital Partners takes into account the ten principles of corporate governance enshrined in
the UN Global Compact and is in the process of putting comprehensive mechanisms in place to
incorporate ESG issues into investment analysis and decision-making processes.
We are aware that there is significant opportunity to influence corporate behaviour to achieve
improved ESG/sustainability performance through the ownership of its portfolio companies.
CVC believes that best practice on ESG issues both mitigates risk and captures opportunities
that enhance the long-term value of the portfolio companies.
Who else?
• Debt and equity analysts at banks, investment banks and brokerage firms
• Independent debt and equity research firms
• Insurance underwriters and brokers who provide traditional and cyber
insurance
• Brand valuation consultants
• Private cyber ratings companies
• The press
Solutions failing
“The old world is dying, and the new world struggles to be born; now is the time of monsters,”
Antonio Gramsci
“We’ve done a lot over the past five years and spent quite a lot of money … it hasn’t worked,”
Alex Dewedney, director of cybersecurity at CESG (the info-sec arm of GCHQ )
"The cyber-security industry is fundamentally broken,"
Amit Yoran, President RSA
"Our industry has really failed our market,"
Orion Hindawi, co-founder and CEO, Tanium
Valuing cyber-risk is key to addressing "market failure" around cyber-security,
James Snook, deputy director for business, crime and skills, Office of Cyber Security
and Information Assurance, UK Cabinet Office
"This is not a different type of attacker," said Tanium co-founder and CEO Orion
Hindawi. "It's the same type of stuff we've been seeing for 20 years, just more of
it.”
"Our industry has really failed our market," he told CNBC. "We have, as an
industry, been distracting people and have them focus on advanced threat and
nation-states.”
Hindawi said the cybersecurity industry needs to take a back-to-the-basics
approach. The recent spate of cyberattacks in the headlines doesn't reflect the
nature of most hacks.
And everyone knows it
So can FIs fix it?
• Structure of information technology at banks
• Contractors
• Consultants
• Multiple, scattered, teams
• Complex reporting
• Staff quality issues
• The politics of deadlines and promises
• Culture
• Structure of cyber security at banks
• All of the above
• Cyber security says no versus business says yes
• True management commitment?
Conclusion
• Cyber security is a critical issue - you knew that - but it's more critical than
anyone realises, if we judge by the current standard
• It's an existential risk and it's a core business continuity risk
• And it's a core business value risk
• You have to take it seriously
• Your board has to take it seriously
• And that means the whole structure and way you do digital
transformation has to change

4th Digital Finance Forum, Simon Brady

….more disconnect
• If companies take cyber-security seriously, why does it not look the same as other things they take seriously (board access/representation, funding, seniority)?
• If collaboration is key, then why so few industry information-sharing groups, and why don't they really share?
• If collaboration is key then transparency is key – so why the emphasis on secrecy?
PS: A secret: secrecy is not a viable strategy in a new era of scrutiny.
"The more secretive [a company] is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive 'secrecy tax')"
• Only 5 per cent of FTSE 100 companies have disclosed having a director responsible for cyber risks, despite fears that corporations are increasingly in danger of becoming targets of hacking.
• Nine in 10 of the FTSE 100 companies identified "one or more" elements of cyber risk in their disclosures, according to a study by professional services firm Deloitte.
• 71 per cent of corporations identified IT systems failure among their principal concerns and 72 per cent highlighted a cyber attack as a risk.
• 11 per cent of the reports mentioned the creation of a new role or body to take overall accountability for cyber risk.
• More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. However, only 58 per cent disclosed that these plans had been simulated in test scenarios over the year.
• "The vast majority of FTSE 100 reports acknowledge the principal risk, but there are wide variations in the disclosure of cyber risk management and mitigation strategies." Phil Everson, head of cyber risk services at Deloitte UK.
Seriously?
Advert from LinkedIn: XXXX, from XX Recruitment, Headhunter - Cyber Security
Head of Information Security - Experienced leader with battle scars required for £2bn London based organisation immediately. The client will consider contract or permanent members. Day Rate £650. Contract length - Min 6 months. You have a strong track record in building information security teams, understand business risk and have operated in companies with 50,000+ employees.
CISO symbolic?
• Why do so few companies have CISOs?
• Why is the role so random?
• Why do so many CISOs quickly jump ship to the sell-side or nowhere?
• Why do CISOs find it so difficult to get hold of the levers of real change?
• How can the role be fulfilled equally well by policemen, spies, techies, heads of training, compliance, project managers…?
What kind of CISO do you have?
• Risk CISO: Assesses risk; the business decides what to do and buy.
• Compliance CISO: Writes stuff into policy; actions are taken by others on the basis of that policy.
• Project CISO: Brought in to do PCI DSS and manage that.
• Threat CISO: There because the business knows it's a target and has to do something, but no-one has a clear idea of what.
• IT Security CISO: Actually a manager in charge of doing low-level technical stuff.
• 18-month CISO: Hired to take the fall (the board knows a train is about to crash) or hired to tick a box – 18 months in they've no power, no budget, no point.
• Visionary CISO: Experimenting, as they know the status quo is broken, but probably still floundering.
The industrialisation of cybercrime
• The OVH DDoS attack used 150,000 IoT devices. Imagine what a Smart City could do. Internet threats will be transformed from attacks on confidentiality to damaging attacks on the availability and integrity of digital and physical systems.
• IoT hacks will become disasters in the real world. And traditional computer and network security isn't prepared to deal with them.
• Artificial intelligence and machine learning are the latest buzzwords among solution vendors. But what happens when the malware developers use the same technologies to attack? How do we prepare for machine versus machine and increased automation?
• Are you really ready for the future? The IoT? AI malware? Automated security?
Scale changes everything (and it's only just begun)
• It raises the probability of attack and of loss for everyone, which means it becomes a risk boards start to look at.
• It increases third-party scrutiny, which creates the kinds of financial effects that boards respond to.
• It makes cyber-security a proper enterprise risk-management problem, not a niche tech/training problem.
• It means that the role of CISO (or whatever it comes to be called) becomes better defined.
• It means cyber-security will be transformed as it becomes a fully accepted part of enterprise business management.
• It means the vendor landscape will dramatically alter because the problem is dramatically changing.
Underestimating scrutiny
• Hedge funds are now publicly shorting companies they see as cyber-weak. Cyber-security will drive share prices regardless of sector.
• Asset managers lobby for compulsory cyber-audits of investee companies.
• Insurers are demanding full disclosure as the first step in providing cyber insurance.
• Ratings agencies and specialist cyber-security raters are scoring your cyber-security efforts in public and you can't stop them. How do you work with them to preserve your reputation and access to markets?
• M&A deals stand or fall on cyber-due diligence. Verizon wants a billion-dollar discount after the Yahoo data breach.
• Cyber-security is a political football: witness the senators calling for investigations into the Yahoo data breach, which has also attracted the attention of the SEC.
Cyber-security in M&A
In a recent survey report, NYSE Governance Services and Veracode reported that 85% of directors believe discovery of a major vulnerability during due diligence would impact their final decision on a merger or acquisition. Meanwhile a Freshfields Bruckhaus Deringer survey of global deal-makers reported that 51% of North American respondents had seen cyber security becoming a key part of due diligence in the past year, compared to only 39% in Europe. That figure is likely to be lower still in New Zealand. It appears that directors are recognizing the issue, but perhaps not yet addressing it.
Shorting cyber-incompetence
• Cybersecurity companies and investment firms publicly announce cybersecurity vulnerabilities as part of a short-selling strategy.
• Public disclosure of security flaws by companies looking to make a profit.
• Companies may also face additional security threats if they learn of security vulnerabilities at the same time as hackers, eliminating their ability to fix the bugs before they are announced to the public.
More Regulation
• GDPR: fines are material; re-regulation has made cyber-security a financial variable.
• The governor of New York State has announced sweeping new cybersecurity regulations for the financial services industry, designed to improve resilience to online attacks and keep customer data safe. They came into force on March 1, 2017. The rules demand a cybersecurity program that "is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization." Firms also have to notify the Department of Financial Services (DFS) of any "material events" and scrutinize security procedures at third-party providers – often a weak link when it comes to protecting data and systems from attack. A DFS poll of 40 banks back in 2015 revealed that only around a third mandate that their partners notify them of any breaches.
Ratings scrutiny
• How do you measure the exposure and report on cyber-risk?
• Do you have a robust, well-documented program to monitor cyber-risks?
• How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
• What areas does the bank feel are still vulnerable to attack?
• Does the bank have any third-party vendor oversight? If so, what kind and how much?
• What is the bank's readiness with respect to the NIST framework?
• How does the bank ward off phishing and diminish the likelihood of having data compromised from an internal breach?
…. wait, there's more
• What's the internal phishing success rate?
• How long has it typically taken to detect a cyberattack?
• What containment procedures are in place if the bank is breached?
• Are emergency scenarios test-run?
• What software or other techniques are used to monitor attacks?
• What kind of expertise about cyberattacks exists on the board of directors?
• How much does the bank spend on cybersecurity, and what resources does it devote? What is the total tech budget this year versus last?
• What are banks' capabilities vs peers, and how are they assessed? Is information shared with peers?
• Does the bank have any insurance to compensate for a cyberattack?
Institutional Investors
• Equity investors – pension funds, mutual funds, insurance companies….
• Debt investors – banks, pension funds, mutual funds, insurance companies….
"Cyber security is a significant risk to our investee companies. It is incumbent on us to discuss how company boards are managing cyber security and their digital infrastructure throughout the corporate year," said David Patt, senior analyst for corporate governance and public policy at LGIM. "We are concerned that many responses we receive to this major corporate risk are insufficient. Boards need to be more aware of their operational environment and emerging threats to their business. Simply put, it can affect a company's value."
Governance, CSR, ESG, transparency
• Corporate and social responsibility
• Environmental, social and corporate governance
• Dow Jones Sustainability Index, Borsa Istanbul Sustainability Index
• Remember L&G?
CVC Capital Partners takes into account the ten principles of corporate governance enshrined in the UN Global Compact and is in the process of putting comprehensive mechanisms in place to incorporate ESG issues into investment analysis and decision-making processes. We are aware that there is significant opportunity to influence corporate behaviour to achieve improved ESG/sustainability performance through the ownership of its portfolio companies. CVC believes that best practice on ESG issues both mitigates risk and captures opportunities that enhance the long-term value of the portfolio companies.
Who else?
• Debt and equity analysts at banks, investment banks and brokerage firms
• Independent debt and equity research firms
• Insurance underwriters and brokers who provide traditional and cyber insurance
• Brand valuation consultants
• Private cyber ratings companies
• The press
Solutions failing
"The old world is dying, and the new world struggles to be born; now is the time of monsters," Antonio Gramsci
"We've done a lot over the past five years and spent quite a lot of money … it hasn't worked," Alex Dewedney, director of cybersecurity at CESG (the info-sec arm of GCHQ)
"The cyber-security industry is fundamentally broken," Amit Yoran, President, RSA
"Our industry has really failed our market," Orion Hindawi, co-founder and CEO, Tanium
Valuing cyber-risk is key to addressing "market failure" around cyber-security, James Snook, deputy director for business, crime and skills, Office of Cyber Security and Information Assurance, UK Cabinet Office
"This is not a different type of attacker," said Tanium co-founder and CEO Orion Hindawi. "It's the same type of stuff we've been seeing for 20 years, just more of it."
"Our industry has really failed our market," he told CNBC. "We have, as an industry, been distracting people and have them focus on advanced threat and nation-states."
Hindawi said the cybersecurity industry needs to take a back-to-basics approach. The recent spate of cyberattacks in the headlines doesn't reflect the nature of most hacks. And everyone knows it.
So can FIs fix it?
• Structure of information technology at banks
• Contractors
• Consultants
• Multiple, scattered teams
• Complex reporting
• Staff quality issues
• The politics of deadlines and promises
• Culture
• Structure of cyber security at banks
• All of the above
• Cyber security says no versus business says yes
• True management commitment?
Conclusion
• Cyber security is a critical issue – you knew that – but it's more critical than anyone realises, if we judge by the current standard
• It's an existential risk and it's a core business continuity risk
• And it's a core business value risk
• You have to take it seriously
• Your board has to take it seriously
• And that means the whole structure and way you do digital transformation has to change