Managing and Insuring Cyber Risk - A Risk Perspective
TRANSCRIPT
A risk perspective
Risk Management, Cyber & Insurance
Dr Russell Price
Introduction
Chairman of the Continuity Forum
Founding member of Cyber Risk & Insurance
Forum (CRIF) & Chair of GRS committee
BSI UK Risk Management Committee Chairman
ISO 22301, ISO 31000, BS 65000 & 31100
ISO 27000 – 27005
Cyber Essentials
21/05/15 © cyberriskinsuranceforum.com © 2015 Page 2
A riskier world?
Risk Management – A changing framework
1970's: Production based economy; mainly National/Local; founded on Plant, Labour etc.
Value of Tangible assets: Traditional Asset Protection
2015+: Knowledge based economy; REPUTATION
Value of Intangible assets: Knowledge, Reputation, Management, Image
Business Risks
What wasn’t included?
PROFITS
Risk Management
Big topic
Wide scope
Regulation
Compliance
Contract
Legal
Risk Life Cycle
[Chart: Risk Life Cycle. Vertical axis: Pressure / Cost / Impact; horizontal axis: Time / Development. Stages: Origin, Development, Impact, Resolution. Issue states: Dormant, Emerging, Potential, Current, Crisis. Annotations: Early Issue Identification, Issue Management, Period of Increasing Awareness, Opportunity to Influence (early), Difficult to Influence (late).]
The learning experience
1860’s 1970’s
Risk Management Process
Generic: Applied to all areas of operations & activities
Adaptive: Works in the context of the organization
Expected: Demonstrates 'good practice'
Connected: Works in the context of the organization
Source: ISO 31000
Cyber Risk
We all have some
It needs to be understood
It connects & spreads between organizations
Not just a technology issue. It is a core business RISK!
It must be managed BETTER!
Addressing your Cyber Risk
Level 4
Level 3
Level 2
Level 1
WHERE ARE YOU?
Informed on Risks
Intelligent Decision Making + Realistic risk assessments = Better Performance
Demonstrating Good Practice
The Insurance Sector
Very Mature across many sectors
Complex
Global
Conservative
Tightly regulated
It is a business!
Control Areas
Prevention: Physical Security; Network Security; Infrastructure Security; Policy; Awareness
Detection: Fraud; Auditing; Intrusion Detection; Security Event Management; Systems Management
Response: SOC; CIRT; Forensic Investigation; Crisis Management; Training
Residual: Cyber Liability; First Party; Third Party
Evidence; Planning; Activity; Capabilities; Context
Hard and Soft controls
Preparation
Prevention
People
Relationships
Processes
Proactive
If it was your money, would you want to:
See how the risks would impact on the business
Know what the effective capabilities really were
Know that the firm is acting responsibly
Now fill in an Application Form
Summary – A Global Change
Awareness of risks: We know more
Responsibilities: Legal and Compliance
Amplification: Expansion & Cascade effects
Expectations: Stakeholders & Media
Measurement: Ability to assess & manage
Convergence: Interaction & connection
Capabilities: Ability to act
Questions
cyberriskinsuranceforum.com
+44 (0) 208 993 1599
@cyberriskinsure
Russell Price
07770 666004