2011 02 21 larry clinton insurance presentation

Upload: isalliance

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 2011 02 21 Larry Clinton Insurance Presentation

    1/20

    Larry Clinton

    [email protected]

    703-907-7028

    2/20

    ISA Board of Directors

    Ty Sagalow, Esq., Chair; Executive Vice President & Chief Innovation Officer, Zurich North America
    Tim McKnight, 1st Vice Chair; Vice President & Chief Information Security Officer, Northrop Grumman
    Jeff Brown, Secretary/Treasurer; Vice President, Infrastructure and Chief Information Security Officer, Raytheon
    Pradeep Khosla, Founding Director of CyLab, Carnegie Mellon University
    Marc Sachs, Vice President Government Affairs, Verizon
    Lt. Gen. Charlie Croom (Ret.), Vice President Cyber Security Solutions, Lockheed Martin
    Eric Guerrino, Managing Director Systems and Technology, Bank of New York Mellon
    Joe Buonomo, President, DCR
    Bruno Mahlmann, Vice President Cyber Security Division, Dell
    Kevin Meehan, Vice President Information Technology & Chief Information Security Officer, Boeing
    Rick Howard, iDefense Manager, VeriSign
    Justin Somaini, Chief Information Security Officer, Symantec
    Gary McAlum, Chief Security Officer, USAA
    Paul Davis, Chief Technology Officer, NJVC
    Andy Purdy, Chief Cybersecurity Strategist, CSC
    John Havermann, II, Vice President & Director, Cyber Programs, Intelligence & Information, SAIC

    3/20

    ISA Mission Statement

    ISA's mission is to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

    4/20

    The Internet Changes Everything

    Concepts of Privacy
    Concepts of National Defense
    Concepts of Self
    Concepts of Economics

    We have been focused on the HOW of cyber attacks; we need to focus on the WHY ($)

    Cyber security is an economic/strategic issue as much as an operational/technical one

    5/20

    Cyber Security Economics are Skewed

    Responsibility, costs, harms and incentives are misaligned
    Individual and corporate financial loss
    Core investment is undermined by edge insecurity
    Government and private sector differ in their perspectives on risk
    Enterprises are not structured to properly analyze cyber risk (ANSI-ISA study)

    6/20

    We are not cyber structured

    In 95% of companies the CFO is not directly involved in information security
    2/3 of companies don't have a risk plan
    83% of companies don't have a cross-organizational privacy/security team
    Less than half have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan

    7/20

    ANSI-ISA Program

    Outlines an enterprise-wide process to attack cyber security broadly and economically:

    CFO strategies
    HR strategies
    Legal/compliance strategies
    Operations/technology strategies
    Communications strategies
    Risk management/insurance strategies

    8/20

    What we do know is all bad

    All the economic incentives favor the attackers, i.e. attacks are cheap, easy and profitable, and the chances of getting caught are small

    Defense is inherently a generation behind the attacker, the perimeter to defend is endless, and ROI is hard to show

    Until we solve the cyber economics equation we will not have cyber security

    9/20

    Bad News and Good News

    Bad: The situation is getting worse

    Good: We know how to stop/mitigate 80 to 90% of cyber attacks

    Bad: Although attacks are up, investment is down in 50-66% of American firms (PWC/CSIS)

    10/20

    Regulation is not the answer

    Compliance (not security) already eats up much of the security budget
    Specific regulations can't keep up with attacks
    Vague regulations show no effect
    Regulations increase costs uniquely for American companies
    Regulations can be counterproductive ceilings (Campaign Finance)

    11/20

    Obama's Cyber Space Policy Review

    "If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership."

    --- President's Cyber Space Policy Review, May 30, 2009, page 18

    12/20

    Current DC Activity

    No bills had cyber insurance provisions in the last Congress

    New Congress: White House, Senate, House

    13/20

    New Attention to Cyber Insurance

    WH conference with ISA on cyber insurance last spring

    House Homeland Security Committee considering cyber SAFETY Act

    Senate Commerce Committee set of questions on cyber insurance for new bill; meetings to follow

    14/20

    WH Perspectives: 6 Reasons the Market Has Not Responded

    1. Companies not being charged for all their inputs and not being paid for outputs
    2. Insufficient motives for the long term
    3. Lack of information for comparative market choices
    4. Markets must be seeded with products
    5. Misalignment from government regulations & litigation
    6. Entry barriers cause lack of alternatives

    15/20

    Congress Questions

    1. How does insurance factor material risk in underwriting traditional commercial policies?
    2. Do traditional policies cover damage/loss of IP or interruption from cyber events?
    3. Is cyber typically excluded from D&O, property/liability? How do courts view these?
    4. Are carriers clear about policy limits?
    5. What standards are used to assess cyber risk? How is compliance measured?

    16/20

    Congress Questions

    6. What kind of insurance for D&O who must meet Payment Card security standards?
    7. What are the hurdles to developing cyber risk insurance, and how can they be overcome?
    8. Are problems with expanding cyber insurance similar to crop/flood?
    9. How can the federal government help create more acc data for the industry?

    17/20

    Congress Questions

    10. What impact would come from SEC clarification on material cyber risk?
    11. What is the impact of the use of untrustworthy vendors on insurance?

    18/20

    ISA Social Contract Model

    Model on Electric/Telephone
    Social Contract 1.0 (November 2008)
    Cyber Space Policy Review (May 2009)
    Social Contract 2.0 (January 2010)

    19/20

    Incentive-based model for Cybersecurity

    Rely on status quo methods to create cyber security standards and practices
    Test for effectiveness (e.g. FDA)
    Create tiered levels based on risk profile
    Apply market incentives to voluntary adoption
    Embraced by CSPR (tax/liability/procurement/insurance) & legislation


    20/20

    Larry Clinton

    President

    [email protected]

    703-907-7028