Meeting the cyber risk challenge
1. Meeting the Cyber Risk Challenge
Mark Fishleigh
Director, Detica
Jérôme Gossé
Financial Lines Underwriter, Zurich Global Corporate France
Julia Graham
Chief Risk Officer, DLA Piper International LLP
Andrew Horrocks
Partner, Clyde & Co
NOVEMBER 27, 2012
Sponsored by
8. Setting the scene
• Information and the Information Age
• An asset like no other – the Digital Revolution
• Privacy
– Personally identifiable information is collected and stored. Improper control can cause issues which may arise from a range of information sources, such as healthcare records and financial institution transactions
• Confidentiality
– Different categories of information
• Cyber
– Third party risks
– First party risks
• The Challenge
– As technology advances, the desire for data privacy increases
Image caption: Tim Berners-Lee, left, and Robert Cailliau, right, inventors of the World Wide Web, pose next to the first Web server
9. Cyber Risk Survey Results
• Three-quarters of respondents report growing concern around information security and privacy
• Only 16.3% have a chief information security officer; 40% say the CIO or head of IT is most likely to be in charge
• More than half said board involvement is growing
• The majority said government and business must work together, but 55% cited concerns about restrictive data protection rules and 48.7% about adoption of breach notification
• Thirty-six percent said training is conducted at enterprise level for all employees; only 36.3% said training occurs either annually or biannually
• Less than half – 44.1% – said their company's budget for managing cyber risk has increased
10. Agenda
• Challenges in Regulation and Compliance
• Who Leads the Efforts Around Managing Cyber Risk
• Mobilizing to Meet the Challenges
• The Role of Insurance and Insurers
• What Happens in the Aftermath of an Incident
12. Data Protection Act 1998 (DPA)
• Eight data protection principles – personal data must be:
1. Processed fairly and lawfully
2. Obtained only for specified lawful purposes
3. Adequate, relevant and not excessive
4. Accurate
5. Not kept for longer than is necessary
6. Processed in accordance with the individual’s rights
7. Secure
8. Not transferred to countries outside the EEA without adequate protection
13. Data Protection Act 1998 (DPA)
• Sanctions and enforcement
– Information Commissioner’s Office (ICO)
– Enforcement notices
– Fines (up to £500,000)
– Criminal offences
– Civil claims
• Rights
– Rights of access
– Right to object to processing
• Notification to ICO?
14. The Draft European Regulation on Data Protection
– Fines of up to £2million of annual worldwide turnover for companies and administrative sanctions of up to £1million for individuals
– The “right to be forgotten”
– Reporting and notification requirements
– Private rights of action
– Requires large businesses to appoint a Data Protection Officer
– Applies to businesses – including those based outside the EU
15. Fines and Penalties
– FSA sanctions
– ICO fines
• s.55 Data Protection Act 1988
• Safeway Stores Ltd v Twigger (2010) CA
• Griffin v Hacker Young (2010)
16. Cyber Risk is an Enterprise-wide risk
• Enterprise-Wide Risk Management (“ERM”)
– a strategic business discipline that supports the achievement of the organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio
• ERM reflects current practice in that it:
– encompasses all areas of risk
– prioritizes and manages exposures as a risk portfolio
– evaluates the portfolio in the context of significant internal and external environments, systems, circumstances, and stakeholders
– recognizes individual risks are interrelated and can create a combined exposure that differs from the sum of the individual risks
– provides a structured process for the management of all risks
– views the effective management of risk as a competitive advantage; and
– seeks to embed risk management as a management discipline
• Why should cyber risks be treated differently?
17. A rising tide in Regulation and Compliance
• Business operations – shorter term / tactical / often cyclical
• Strategic – longer term / deeper / wider / less cyclical
• Technology enables many of the systems that result in tactical risks
• Business leaders deluded in information strategy and execution?
• Information security spend justified by the "stick" of:
– laws and regulations
– client requirements
– potential liability
– industry practice
• Most important information:
– customer
– financial
– IP and trade secrets
– corporate
– employee
18. Who Leads the Efforts to Manage Cyber Risk? How Will You Mobilize to Meet the Challenges?
19. Who Is Leading the Efforts Around Managing Cyber Risk
• All are applying pressure to IS budgets
– Strategists more than most
– Lack of vision
– Lack of an effective information security strategy
• Articulate in their own "languages"
• Focus
– Prevention
– Detection
– Web-related technologies
• Knowledge of breaches has improved
• APT a driver of government focus
20. Integrating to Meet the Challenges
• Confidentiality of information
1. Contracts
2. Policies
3. Training
4. Monitoring
5. Restricting access
• Information security
– Governance
– Risk
– Compliance
– People
– Process
– Technology
21. Governance
Governance Advisory Board
• Core set of principles defined by the organization and owned by leadership and stakeholders including:
– HR
– Finance
– Marketing
– Relevant legal expert/s
– Information Security
– Information Technology
– Knowledge Management
– Risk Management
– Compliance and Audit
22. Ten Steps – Raising Board Awareness and Setting the Tone
1. Home and mobile working
2. User education and awareness
3. Incident management
4. Information risk management regime
5. Managing user privileges
6. Removable media controls
7. Monitoring
8. Secure configuration
9. Malware protection
10. Network security
… these cover 80% of the ground
23. Key steps in cyber loss prevention and control
Prepare – Understand cyber risks and plan their mitigation
Protect – Protect information and IT from attack and reduce the potential impacts of incidents
Monitor – Monitor systems to detect and prevent incipient incidents
Respond – Manage the consequences of an incident to minimise its impact
25. The cyber threat is multi-faceted
Threats:
• Commercial malware
• Denial of Service (DoS)
• External hacking of internal systems (targeted attacks)
• SCADA and Industrial Control
• Insider-assisted data loss
• Website hacking (information theft, vandalism)
Attackers (arranged by sophistication/scope):
• Organised Crime
• Activists
• Script Kids
• Industrial Espionage
• State Sponsored
Means:
• Technological vulnerabilities exploitation
• Social vulnerabilities exploitation
Attackers' intent:
• Thrill / bragging rights
• Reputational damage
• Financial gain / fraud
• Commercial advantage
• Economic and political advantage
Notes:
• A number of actors are motivated to use cyber attacks to meet their goals
• The most sophisticated actors have a range of capabilities available
• Attacks tend to exhibit a stable set of behaviours
26. Align security strategy to your risk position
Process: Identify threat → Assess probability → Assess impact → Assess vulnerability → Identify mitigation options → Decide → Plan
INPUTS:
• Threat intelligence
• Data asset registers
• Supply chain
• Economic analysis
• Security experience
• Business priorities
• Risk tolerance
• Risk management objectives
Mitigation options considered: systems, processes, operating procedures, organisation, training, management, resilience
OUTPUTS:
• Unmitigated risk
• Residual risk
• Security improvement options
• Costed business case
• Risk mitigation improvement plan
• Risk mitigation strategy
• Security strategy
30. The Role of Insurance and Insurers
31. The role of Insurance and Insurers
Why the interest?
• Frequency and costs are escalating
• Data breaches are well publicized
• Companies are increasingly reliant on new technologies (cloud computing, mobile devices, digital wallets, etc…)
• Regulatory environment is complex and becoming more demanding
• Fill the gaps of traditional insurance policies
32. The role of Insurance and Insurers
Potential incident | Traditional policy | Cyber policy
Legal liability resulting from computer security breaches or data breaches | Partial cover | Full cover
Costs related to a data breach: notification costs, call centres, credit monitoring, etc. | No cover | Full cover
Loss or destruction of data / information* | Partial cover | Full cover
Extra expenses to continue the activity following a cyber attack* | No cover | Full cover
Loss of revenues resulting from a cyber attack* | No cover | Full cover
Loss or damage to reputation | No cover | Partial cover
Cyber extortion | Partial cover | Full cover
* Without any material damage
33. Financial Impact
Transferable Costs of a Cyber incident
1st Party Expenses:
Crisis Management / Cost to Restore Reputation (Direct Expenses)
• Legal, public relations or other service fees
• Advertising or related communications
Forensics Investigation
Cost of Notification / Call Center Services
• Printing, postage or other communications to customers
• Cost to engage call center
Credit/Identity monitoring, fraud remediation services
Business Interruption Losses
• Loss of Income
• Costs to Recreate Lost or Stolen Data or determine whether data can be restored
• Extra Expenses
3rd Party Liability:
Regulatory: Data Protection Agencies: CNIL, OIC, FSA, FTC, SEC, etc…
PCI DSS Fines and Penalties
Legal Liability
• Suits from customers and vendors (including class actions)
• Suits from business partners (breach of NDA)
34. Financial Impact (cont.)
Additional Costs of a Cyber incident (diagram labels: 1st Party Expenses; 3rd Party Liability)
• Damage to Reputation
• Customer Churn / Loss of consumer confidence
• Stock Devaluation
• Cost to implement a comprehensive written information security program (WISP)
• Overtime pay for staff
• Cost to upgrade network security
• Cost to repair or upgrade damaged property
• Devaluation of intellectual property and trade secrets
• Redesign/engineering of critical infrastructure
• Personnel reclassification
• Medical bills for physically injured parties
35. The role of Insurance and Insurers
• Insurance does not replace but can enhance risk management
• Underwriting of cyber risks demands professional competence
– As it should for a buyer ………
• Incident / breach response should form part of the process
37. Responding to an incident (Commercial in Confidence, June 2012)
“Is this a real incident?”
“Are my clients likely to find out?”
“How do we stop it?”
“How long has this been going on for?”
“Who is doing this to us?”
“How did they do it?”
“What have they done?”
“How do we stop it happening again?”
38. Speed of understanding is key to loss mitigation
Chart: attacker activity, the defender's understanding and the point of informed decision, plotted against time. Annotations:
1. Time taken to identify an attack
2. Speed of understanding
3. Level of understanding
39. Incident response approach
Flow: Establish the facts → Immediate action → Investigate the incident → Remediate → Assess the impact and vulnerabilities → Improve security posture
Phases:
1. Rapid response
2. Remediation
3. Incident analysis
Speaker notes (Detica):
Prepare: Risk is the product of threat, impact and vulnerability. While there are many firms in the market that can measure vulnerability and impact, Detica, through its experience of protecting the UK’s most sensitive information assets from advanced attacks, has the means to accurately assess the risk of a targeted attack. We review risk in the context of the firm’s existing controls and the degree of risk it is willing to tolerate to make a risk assessment and, if appropriate, create a blueprint and business case to implement measures for bringing the firm’s security controls in line with the risks it is prepared to accept.
Protect: We advise on and build secure IT systems, and deploy X-domain technology to provide protected access to highly sensitive data. We enable organisations to integrate IT and physical security, and share intelligence.
Monitor: Detica Treidan is an enterprise cyber risk management platform developed specifically to detect targeted attacks. Treidan collects network activity data and uses this data, together with data already collected by the firm and data from third-party sources, to detect potentially suspicious activities. Sophisticated analytical techniques employing statistical and behavioural analysis, and our experience of how targeted attacks are perpetrated, are used to spot anomalous activity within the firm’s network and identify the stage of a targeted attack. We then recommend remedial action based on what we can observe about the attacker’s intent. A managed service provides 24/7 protective monitoring of client networks up to and including IL3, focussed on non-targeted attacks such as virus outbreaks, denial of service attacks and speculative intrusion attempts:
• Able to provide global coverage
• Near real-time alerting
• Cost competitive with others in the SOC market
The SOC is based in Leeds and provides monitoring services to organisations such as HMG and BAE Systems.
Respond: We are currently asked to respond to several incidents each month, and are 1 of 3 companies used by the Centre for Protection of National Infrastructure to respond to security incidents across the commercial base. We support major incident response by:
• Confirm: Establish the facts around the initial compromise
• Capture: Capture logs, network and host agent data for analysis
• Expose: Fully understand the origin and extent of the compromise
• Remediate: Safely inhibit the attack and secure the network
• Resume: Return to normal operations with enhanced security
Our aim is to restore the network to a ‘clean’ state in order to resume normal activities. We use experienced investigators, available for investigations of suspicious activity. Catalogue services: incident review; disk analysis; malware analysis; network and application event log analysis; email analysis. We provide actionable intelligence on compromised assets and active threats. We have sophisticated tools and proprietary data to help us attribute the attack source.