Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Quantifying Cyber Risk, Insurance and The Value of Personal Data
Similar a Quantifying Cyber Risk, Insurance and The Value of Personal Data (20)
Último
Último (20)
Quantifying Cyber Risk, Insurance and The Value of Personal Data
- 2. Who Are We and Why Are We Here? Steven Schwartz • TheCyberSteve • CEO of Global Cyber Consultants • Founding Board Member of Personal Data Trade Association • Co-Founder & Vice-Chairman of Clean Data Institute Harumi Urata-Thompson • The Michelin 3-Star #FinChef • Executive and Strategic Advisor • President and Founding Board Member of Personal Data Trade Association
- 3. Where to Start First we need to acknowledge that we are accelerating into this era of data proliferation changing not only how we evaluate business risk, but the nature of the business’ operations as well 1 Almost every company is shifting towards becoming a “data” company whether they are collecting data, storing data, transacting data, analyzing data, monetizing, etc 2
- 4. How Does This Translate to Cybersecurity? Two Fold – for one, cybersecurity is now and will increasingly be a critical foundation. Trust is the new currency A company’s objective should be to increase the business’ trust & confidence in data and quality of analytic insights that come from it. Secondarily and really where the dynamic is changing, is that cybersecurity is no longer just another cost center item on your balance sheet. It’s no longer something to be done just for compliance. Evaluating cyber risk is a data driven exercise that is encapsulated within you’re overall business strategy.
- 5. Requirement Impact & Potential Consequence Methods of Control Confidentiality – Protection of Information from Unauthorized Exposure - Disclosure of information governed by privacy laws - Loss of Intellectual Property - Reputational Damage - Legal repercussions - Access Controls - File Permissions - Encryption Integrity – Accuracy and Completeness of Information - Fraud - Inaccurateness - Erroneous Decisions - Access Controls - Logging - Digital Signatures - Hashes - Encryption Availability – The ability to access information and resources - Loss of Functionality - Loss of Productivity - Interference with Enterprise Objectives - Redundancy - Backups - Access Controls Is there a Critical Foundation within Data & Cyber Security?
- 7. So Where Do We Start in Quantifying the Risk? First we need to acknowledge that cyber risk is business risk and must speak the same language The quality of the data will drive the overall effectiveness of your security program. No Assumptions!
- 8. How do we Define or Decompose Risks as it Relates to Cybersecurity? • Let’s define Risk as the the probable magnitude of future loss (an undertain event). • Terminology and classification is critical in translating the conversation towards business strategy
- 9. Which of the Following Are Risks? • Disgruntled Insiders? • Internet facing web servers? • Untested Recovery processes? • Sensitive Customer Information? • Weak Passwords? • Cyber criminals?
- 10. None of Them Are… • They are all part of the risk landscape… • Disgruntled Insiders = Threat Community • Internet facing web servers = Asset • Untested Recovery processes = Deficient Control • Sensitive Customer Information? = Asset • Weak Passwords? = Deficient Control • Cyber criminals? = Threat Community
- 11. How Do We Start to Quantify Cyber Risk? Loss Event Frequency RISK Loss Event Magnitude Examples of Loss Events: • A data center outage due to extreme weather • A corrupted database • An employee stealing intellectual property • A hacker stealing sensitive customer information Develop a Loss Flow • Threat Agent • Asset • Stakeholder • Primary • Secondary
- 12. Loss Flow
- 13. 1. Asset at risk 1. Personal Information 2. Operating System 3. Applications 2. Threat Actors 3. Threat Effect: Confidentiality, Integrity, Availability Building a Cyber Risk Scenario
- 14. Where Does Insurance Come into Play Running through these scenarios moves from tactical to strategic, evaluating multiple scenarios to provide a probabilistic view of enterprise risk. Now that we’ve identified our risk and mitigation controls, let’s assess how much risk we want/need to transfer When you understand the assets at risk, the threats and the control mechanisms in place to prevent, you can understand how much risk is mitigated Then it’s a strategic decision on how much risk you want to transfer
- 15. Cyber Insurance is “Your Last Line of Defense” when Technology Fails A Cyberattack can burden your company with substantial time and costs that can put YOU out of BUSINESS if YOU’RE NOT PROTECTED. Cyber Insurance covers a business’s liability for a data breach in which their customer’s information (PII, Tax Info, Health Info, etc.….) is exposed or stolen by a criminal or someone with unauthorized use who has gained access to the company’s network. Crisis Management Costs Notification Costs Business Interruption Costs Regulatory Fines and Penalties Legal Liability Reputational Damage Why Do You Need Cyber Insurance?
- 16. What Does Cyber Insurance Coverage?
- 17. What Does Cyber Insurance Coverage?
- 18. Company # of Records Breached Costs Insurance Root Cause of the Breach Notes 130 Million $140M to Date $30M SQL Injection code that allowed Hackers into each their systems for 6 months Stock fell by 80%, resulting in Shareholder Suits 110 Million $252M $90M Malware was introduced by a much smaller corporate partner 46% drop in sales in the quarter that the breach hit 70 Class Action Lawsuits 4 Shareholder Derivative Demands 94 Million Approx. $1.6B No Evidence Hackers broke into their wireless network and stole the records in the 2nd half of 2005 and throughout 2006 25 Class Action lawsuits following the breach settlements TJ Maxx paid out several hundred million dollars So How much do these Data Breaches Cost?
- 19. Company # of Records Breached Costs Insurance Root Cause of the Breach Notes 2.6 TB of Data; 11.5M Confidential Documents; 4.8M Emails; 214K Offshore Entities TBD – Possible most in Direct Losses Loss of Reputation NA Outdated firewalls, antivirus, password protection, encryption Outside hacker Offshore Holdings of 12 world leaders, 140 Political Leaders and 29 Forbes-listed Billionaires 78.8 Million $142m to Date NA State-Nation Cyber Attack, executing a sophisticated attack to gain unauthorized access Post-Breach, Anthem spent $65M in Cybersecurity Enhancements in both 2015 and 2016 83 Million Estimates $1 Billion NA Employee's Personal Computer was injected with malware that stole login credential IT Spending expected to increase additional $250M Both this year and next year So How much do these Data Breaches Cost?