Join Steven Schwartz and Harumi Urata-Thompson, representing Global Cyber Consultants and the International Personal Data Trade Association, as they teach the Columbia University School of International and Public Affairs about quantifying the value of cyber risk, cyber insurance and the value & policy landscape surrounding personal data.
2. Who Are We and Why Are We Here?
Steven Schwartz
• TheCyberSteve
• CEO of Global Cyber Consultants
• Founding Board Member of Personal Data Trade Association
• Co-Founder & Vice-Chairman of Clean Data Institute
Harumi Urata-Thompson
• The Michelin 3-Star #FinChef
• Executive and Strategic Advisor
• President and Founding Board Member of Personal Data Trade Association
3. Where to Start
• First we need to acknowledge that we are accelerating into this era of data proliferation, changing not only how we evaluate business risk, but the nature of the business’ operations as well.
• Almost every company is shifting towards becoming a “data” company, whether they are collecting data, storing data, transacting data, analyzing data, monetizing it, etc.
4. How Does This Translate to Cybersecurity?
Twofold. For one, cybersecurity is now, and will increasingly be, a critical foundation. Trust is the new currency.
A company’s objective should be to increase the business’ trust & confidence in data and in the quality of the analytic insights that come from it.
Secondarily, and really where the dynamic is changing, cybersecurity is no longer just another cost center item on your balance sheet. It’s no longer something to be done just for compliance. Evaluating cyber risk is a data-driven exercise that is encapsulated within your overall business strategy.
5. Is there a Critical Foundation within Data & Cyber Security?
(Table columns: Requirement | Impact & Potential Consequence | Methods of Control)
Requirement: Confidentiality – Protection of Information from Unauthorized Exposure
Impact & Potential Consequence:
- Disclosure of information governed by privacy laws
- Loss of Intellectual Property
- Reputational Damage
- Legal repercussions
Methods of Control:
- Access Controls
- File Permissions
- Encryption
Requirement: Integrity – Accuracy and Completeness of Information
Impact & Potential Consequence:
- Fraud
- Inaccuracy
- Erroneous Decisions
Methods of Control:
- Access Controls
- Logging
- Digital Signatures
- Hashes
- Encryption
Requirement: Availability – The ability to access information and resources
Impact & Potential Consequence:
- Loss of Functionality
- Loss of Productivity
- Interference with Enterprise Objectives
Methods of Control:
- Redundancy
- Backups
- Access Controls
7. So Where Do We Start in Quantifying the Risk?
First we need to acknowledge that cyber risk is business risk and must speak the same language.
The quality of the data will drive the overall effectiveness of your security program.
No Assumptions!
8. How Do We Define or Decompose Risks as They Relate to Cybersecurity?
• Let’s define Risk as the probable magnitude of future loss (an uncertain event).
• Terminology and classification are critical in translating the conversation towards business strategy.
9. Which of the Following Are Risks?
• Disgruntled Insiders?
• Internet facing web servers?
• Untested Recovery processes?
• Sensitive Customer Information?
• Weak Passwords?
• Cyber criminals?
10. None of Them Are…
• They are all part of the risk landscape…
• Disgruntled Insiders = Threat Community
• Internet facing web servers = Asset
• Untested Recovery processes = Deficient Control
• Sensitive Customer Information = Asset
• Weak Passwords = Deficient Control
• Cyber criminals = Threat Community
11. How Do We Start to Quantify Cyber Risk?
RISK = Loss Event Frequency × Loss Event Magnitude
Examples of Loss Events:
• A data center outage due to extreme weather
• A corrupted database
• An employee stealing intellectual property
• A hacker stealing sensitive customer information
Develop a Loss Flow:
• Threat Agent
• Asset
• Stakeholder
• Primary
• Secondary
13. Building a Cyber Risk Scenario
1. Asset at risk
   1. Personal Information
   2. Operating System
   3. Applications
2. Threat Actors
3. Threat Effect: Confidentiality, Integrity, Availability
14. Where Does Insurance Come into Play
Running through these scenarios moves from tactical to strategic, evaluating multiple scenarios to provide a probabilistic view of enterprise risk. Now that we’ve identified our risk and mitigation controls, let’s assess how much risk we want/need to transfer.
When you understand the assets at risk, the threats and the control mechanisms in place to prevent them, you can understand how much risk is mitigated.
Then it’s a strategic decision on how much risk you want to transfer.
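A worked example, added here and not part of the deck, of the formula from slide 11 (Risk = Loss Event Frequency × Loss Event Magnitude) applied to a scenario decomposed as on slide 13 (threat agent, asset, CIA effect, primary and secondary loss), ending with slide 14's question of how much expected loss a policy would transfer. The triangular (min, most likely, max) estimates, the Poisson event count and all dollar figures are modelling assumptions and constructed numbers, not the presenters' data.

```python
import math, random
from dataclasses import dataclass

@dataclass
class Scenario:
    """Scenario as decomposed on the slides, with (min, most likely, max) ranges."""
    threat_agent: str
    asset: str
    effect: str       # Confidentiality, Integrity or Availability
    lef: tuple        # loss events per year
    primary: tuple    # direct $ loss per event: response, notification, downtime
    secondary: tuple  # stakeholder $ loss per event: fines, lawsuits, reputation

def tri_mean(tri):
    """Mean of a triangular (min, most likely, max) estimate."""
    return sum(tri) / 3.0

def expected_annual_loss(s):
    """Closed form of the slide's formula: Risk = LEF x Loss Magnitude."""
    return tri_mean(s.lef) * (tri_mean(s.primary) + tri_mean(s.secondary))

def _poisson(rng, lam):
    """Knuth's sampler: how many loss events occur in a year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(s, years=20000, seed=1):
    """Monte Carlo: per year, draw an event count, then a magnitude per event."""
    rng = random.Random(seed)
    draw = lambda t: rng.triangular(t[0], t[2], t[1])  # args: (low, high, mode)
    losses = []
    for _ in range(years):
        n = _poisson(rng, draw(s.lef))
        losses.append(sum(draw(s.primary) + draw(s.secondary) for _ in range(n)))
    return losses

def transfer_split(losses, retention, limit):
    """Slide 14's question: mean annual loss retained vs paid by a policy."""
    paid = [min(max(x - retention, 0.0), limit) for x in losses]
    return (sum(losses) - sum(paid)) / len(losses), sum(paid) / len(losses)

# Constructed scenario (hypothetical figures, not from the deck).
BREACH = Scenario("cyber criminals", "customer PII", "Confidentiality",
                  lef=(0.1, 0.5, 1.5), primary=(50_000, 200_000, 500_000),
                  secondary=(0, 100_000, 2_000_000))
```

The simulated distribution is what makes the transfer decision concrete: most years lose nothing, a few lose millions, and `transfer_split` shows how much of the mean a given retention and limit would move to the insurer.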
15. Cyber Insurance is “Your Last Line of Defense” when Technology Fails
A cyberattack can burden your company with substantial time and costs that can put YOU out of BUSINESS if YOU’RE NOT PROTECTED.
Cyber insurance covers a business’s liability for a data breach in which its customers’ information (PII, tax info, health info, etc.) is exposed or stolen by a criminal or someone with unauthorized use who has gained access to the company’s network.
Why Do You Need Cyber Insurance?
• Crisis Management Costs
• Notification Costs
• Business Interruption Costs
• Regulatory Fines and Penalties
• Legal Liability
• Reputational Damage
18. So How Much Do These Data Breaches Cost?
(Table columns: Company | # of Records Breached | Costs | Insurance | Root Cause of the Breach | Notes; company names appeared as logos and were not captured in the text.)
Company: not captured
- Records breached: 130 Million
- Costs: $140M to date
- Insurance: $30M
- Root cause: SQL injection code that allowed hackers into their systems for 6 months
- Notes: Stock fell by 80%, resulting in shareholder suits
Company: not captured
- Records breached: 110 Million
- Costs: $252M
- Insurance: $90M
- Root cause: Malware was introduced by a much smaller corporate partner
- Notes: 46% drop in sales in the quarter that the breach hit; 70 class action lawsuits; 4 shareholder derivative demands
Company: not captured (the notes refer to TJ Maxx)
- Records breached: 94 Million
- Costs: Approx. $1.6B
- Insurance: No evidence
- Root cause: Hackers broke into their wireless network and stole the records in the 2nd half of 2005 and throughout 2006
- Notes: 25 class action lawsuits following the breach settlements; TJ Maxx paid out several hundred million dollars
19. So How Much Do These Data Breaches Cost? (continued)
(Same columns: Company | # of Records Breached | Costs | Insurance | Root Cause of the Breach | Notes; company names not captured.)
Company: not captured
- Records breached: 2.6 TB of data; 11.5M confidential documents; 4.8M emails; 214K offshore entities
- Costs: TBD – possibly most in direct losses; loss of reputation
- Insurance: NA
- Root cause: Outdated firewalls, antivirus, password protection, encryption; outside hacker
- Notes: Offshore holdings of 12 world leaders, 140 political leaders and 29 Forbes-listed billionaires
Company: not captured (the notes refer to Anthem)
- Records breached: 78.8 Million
- Costs: $142M to date
- Insurance: NA
- Root cause: Nation-state cyber attack, executing a sophisticated attack to gain unauthorized access
- Notes: Post-breach, Anthem spent $65M in cybersecurity enhancements in both 2015 and 2016
Company: not captured
- Records breached: 83 Million
- Costs: Estimated $1 billion
- Insurance: NA
- Root cause: An employee’s personal computer was infected with malware that stole login credentials
- Notes: IT spending expected to increase by an additional $250M both this year and next year