managing and insuring cyber risk - a risk perspective



Post on 10-Aug-2015


TRANSCRIPT

Page 1: Managing and insuring cyber risk - a risk perspective

A risk perspective

Risk Management, Cyber & Insurance

Dr Russell Price

Page 2: Managing and insuring cyber risk - a risk perspective

Introduction

Chairman of the Continuity Forum

Founding member of Cyber Risk & Insurance

Forum (CRIF) & Chair of GRS committee

BSI UK Risk Management Committee Chairman

ISO 22301, ISO 31000, BS 65000 & 31100

ISO 27000 – 27005

Cyber Essentials

21/05/15 © cyberriskinsuranceforum.com © 2015 Page 2

Page 3: Managing and insuring cyber risk - a risk perspective

A riskier world?


Risk Management: a changing framework (chart, reconstructed from the slide)

1970s:
Production-based economy
Mainly national/local
Founded on plant, labour etc.
Value in tangible assets; traditional asset protection

2015+:
Knowledge-based economy
Value in intangible assets: knowledge, reputation, management, image
REPUTATION

Page 4: Managing and insuring cyber risk - a risk perspective

Business Risks


Page 5: Managing and insuring cyber risk - a risk perspective

What wasn’t included?


PROFITS

Page 6: Managing and insuring cyber risk - a risk perspective

Risk Management

Big topic

Wide scope

Regulation

Compliance

Contract

Legal


Page 7: Managing and insuring cyber risk - a risk perspective

Risk Life Cycle


Risk Life Cycle (chart, reconstructed from the slide): Early Issue Identification and Issue Management
Vertical axis: Pressure / Cost / Impact
Horizontal axis: Time / Development
Stages: Dormant, Emerging, Potential, Current, Crisis
Phases: Origin, Development, Impact, Resolution
Period of Increasing Awareness
Opportunity to Influence / Difficult to Influence

Page 8: Managing and insuring cyber risk - a risk perspective

The learning experience


Timeline: 1860s to 1970s

Page 9: Managing and insuring cyber risk - a risk perspective

Risk Management Process


Generic: applied to all areas of operations & activities
Adaptive: works in the context of the organization
Expected: demonstrates ‘good practice’
Connected: works in the context of the organization

Source: ISO 31000

Page 10: Managing and insuring cyber risk - a risk perspective

Cyber Risk


We all have some
It needs to be understood
It connects & spreads between organizations
Not just a technology issue. It is a core business RISK!
It must be managed BETTER!

Page 11: Managing and insuring cyber risk - a risk perspective

Addressing your Cyber Risk


Level 4

Level 3

Level 2

Level 1

WHERE ARE YOU?

Page 12: Managing and insuring cyber risk - a risk perspective

Informed on Risks


Intelligent Decision Making + Realistic risk assessments = Better Performance

Page 13: Managing and insuring cyber risk - a risk perspective

Demonstrating Good Practice


Page 14: Managing and insuring cyber risk - a risk perspective

The Insurance Sector


Very Mature across many sectors

Complex

Global

Conservative

Tightly regulated

It is a business!

Page 15: Managing and insuring cyber risk - a risk perspective


Control Areas

Prevention: Physical Security, Network Security, Infrastructure Security, Policy, Awareness
Detection: Fraud, Auditing, Intrusion Detection, Security Event Management, Systems Management
Response: SOC, CIRT, Forensic Investigation, Crisis Management, Training
Residual: Cyber Liability (First Party, Third Party)

Page 16: Managing and insuring cyber risk - a risk perspective

Hard and Soft controls (chart, reconstructed from the slide)
Evidence, Planning, Activity, Capabilities, Context
Preparation, Prevention, People, Relationships, Processes, Proactive

Page 17: Managing and insuring cyber risk - a risk perspective


If it was your money, would you want to:
See how the risks would impact on the business
What the effective capabilities really were
Know that the firm is acting responsibly

Now fill in an Application Form

Page 18: Managing and insuring cyber risk - a risk perspective

Summary – A Global Change

Awareness of risks: We know more
Responsibilities: Legal and Compliance
Amplification: Expansion & Cascade effects
Expectations: Stakeholders & Media
Measurement: Ability to assess & manage
Convergence: Interaction & connection
Capabilities: Ability to act

Page 19: Managing and insuring cyber risk - a risk perspective

Questions

cyberriskinsuranceforum.com

[email protected]

+44 (0) 208 993 1599

@cyberriskinsure

Russell Price

[email protected]

07770 666004

Page 20: Managing and insuring cyber risk - a risk perspective
