2011 02 16 larry clinton rsa bus 203 presentation how to assess the financial impact of cyber risk


7/31/2019 2011 02 16 Larry Clinton RSA BUS 203 Presentation How to Assess the Financial Impact of Cyber Risk

Slide 1/16: How to Assess the Financial Impact of Cyber Risk

MODERATOR:

Larry Clinton, Internet Security Alliance

PANELISTS:

Tom Jackson, Phillips Nizer

Ty Sagalow, Zurich North America

Justin Somaini, Symantec Corporation

Session ID: BUS-203
Session Classification: Intermediate

Slide 2/16: ISA-ANSI Project

• DHS Assistant Secretary Garcia asks ISA-ANSI to develop a program on enterprise financial analysis of cyber risk (2007)
• ISA-ANSI conduct 6 workshops, publish 50 Questions Every CFO Should Be Asking @ Cyber Security (2008, Phase I)
• ISA-ANSI-Symantec conduct workshops on responses to Phase I & publish Financial Aspects of Cyber Risk (2010, Phase II)
• Currently developing Phase III, targeted to CEO & Board levels

Slide 3/16: Obama: What We Need to Do

"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts."

Obama Administration Cyber Space Policy Review, May 30, 2009

Slide 4/16: (graphic only; no slide text)

Slide 5/16: What to do

• Good News: We know a lot about how to solve this problem -- 80-90% can be solved by using best practices and standards; most don't, due to cost
• Focus on Enterprise Education so companies understand total financial cyber risk
• ISA-ANSI program (which is free) provides a pathway to do this

Slide 6/16: ISA-ANSI Phase I Produces Model of Gross Financial Risk of Cyber Events

Inputs to the model:

• THREAT: FREQUENCY of Risk Event (probable number of events in a year)
• CONSEQUENCE: SEVERITY of Risk Event (possible loss from an individual event)
• VULNERABILITY: LIKELIHOOD, or % of damage, given the risk mitigation actions taken

Outputs of the model:

• GROSS FINANCIAL RISK (Annualized Expected Loss)
• less RISK TRANSFERRED
• = NET FINANCIAL RISK
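A worked computation of the slide 6 model, added here as an example; it is not code from the presentation or from ISA/ANSI. It assumes the diagram combines its three inputs as a product (the standard annualized-expected-loss form, which the slide does not write out) and that net risk is gross risk less the amount transferred. The RiskEvent class, the mitigation_net_benefit helper and every dollar figure are constructed for illustration. It also goes one step beyond the slide by costing a mitigation against the expected loss it avoids, which is the trade-off slide 5 refers to when it says most organisations skip best practices because of cost.

```python
"""Worked example of the ISA-ANSI Phase I gross/net financial risk model.

Added example; not code from the presentation or from ISA/ANSI. It reads the
slide's diagram in the usual product form of annualized expected loss (an
assumption about the diagram, not something the slide spells out):

    gross financial risk = frequency x severity x likelihood
    net financial risk   = gross financial risk - risk transferred

All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    """One cyber risk event, described by the three inputs on the slide."""
    name: str
    frequency_per_year: float   # THREAT: probable number of events in a year
    severity_per_event: float   # CONSEQUENCE: possible loss from one event (USD)
    likelihood: float           # VULNERABILITY: share of damage realised given mitigations, 0..1
    transferred_fraction: float = 0.0  # share of gross loss carried by insurance or contracts, 0..1

    def __post_init__(self) -> None:
        if self.frequency_per_year < 0 or self.severity_per_event < 0:
            raise ValueError("frequency and severity must be non-negative")
        for v in (self.likelihood, self.transferred_fraction):
            if not 0.0 <= v <= 1.0:
                raise ValueError("likelihood and transferred_fraction must lie in [0, 1]")

    def gross_financial_risk(self) -> float:
        """Annualized expected loss before any transfer."""
        return self.frequency_per_year * self.severity_per_event * self.likelihood

    def risk_transferred(self) -> float:
        """Portion of the gross loss that insurance or contracts would absorb."""
        return self.gross_financial_risk() * self.transferred_fraction

    def net_financial_risk(self) -> float:
        """What the enterprise retains after transfer."""
        return self.gross_financial_risk() - self.risk_transferred()


def portfolio_net_risk(events) -> float:
    """Net financial risk summed over a list of RiskEvent (treats events as independent)."""
    return sum(e.net_financial_risk() for e in events)


def mitigation_net_benefit(event: RiskEvent, new_likelihood: float, annual_cost: float) -> float:
    """Annual benefit of a control that lowers the event's likelihood, net of its cost.

    Positive means the control pays for itself in reduced expected loss. Transfer
    is left unchanged so the comparison is on gross (pre-insurance) risk.
    """
    mitigated = RiskEvent(event.name, event.frequency_per_year,
                          event.severity_per_event, new_likelihood,
                          event.transferred_fraction)
    reduction = event.gross_financial_risk() - mitigated.gross_financial_risk()
    return reduction - annual_cost


# Constructed sample input (not data from the presentation).
LAPTOP_THEFT = RiskEvent(
    name="lost or stolen laptop holding customer records",
    frequency_per_year=2.0,      # about two such incidents a year
    severity_per_event=250_000,  # notification, legal and remediation cost per incident
    likelihood=0.6,              # 60% of incidents become a reportable loss with today's controls
    transferred_fraction=0.5,    # cyber policy reimburses half of the loss
)

if __name__ == "__main__":
    e = LAPTOP_THEFT
    print(e.name)
    print(f"  gross financial risk (ALE): {e.gross_financial_risk():>12,.0f}")
    print(f"  risk transferred:           {e.risk_transferred():>12,.0f}")
    print(f"  net financial risk:         {e.net_financial_risk():>12,.0f}")
    # Hypothetical control: full-disk encryption cuts likelihood to 10% for 40,000 a year.
    print(f"  net benefit of encryption:  {mitigation_net_benefit(e, 0.1, 40_000):>12,.0f}")
```

With the constructed figures the gross annualized expected loss is 300,000, half of it is transferred, and the enterprise retains 150,000; the hypothetical encryption control removes 250,000 of expected loss for 40,000 of cost, so the model says it is worth funding. The useful habit is to run the same arithmetic for each line item in the cyber risk budget rather than arguing about controls in the abstract.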

Slide 7/16: ANSI-ISA Phase II Program

Outlines an enterprise wide process to attack cyber security broadly and economically:

• CFO strategies
• HR strategies
• Legal/compliance strategies
• Operations/technology strategies
• Communications strategies
• Risk Management/insurance strategies

Slide 8/16: What CFO needs to do

• Own the problem
• Appoint an enterprise wide cyber risk team
• Meet regularly
• Develop an enterprise wide cyber risk management plan
• Develop an enterprise wide cyber risk budget
• Implement the plan, analyze it regularly, test and reform based on EW (enterprise wide) feedback

Slide 9/16: Human Resources

• Recruitment
• Awareness
• Remote Access
• Compensate for cyber security
• Discipline for bad behavior
• Manage social networking
• Beware of vulnerability, especially from IT and former employees

Slide 10/16: Legal/Compliance Cyber Issues

• What rules/regulations apply to us and partners?
• Exposure to theft of our trade secrets?
• Exposure to shareholder and class action suits?
• Are we prepared for govt. investigations?
• Are we prepared for suits by customers and suppliers?
• Are our contracts up to date and protecting us?

Slide 11/16: Operations/IT

• What are our biggest vulnerabilities? Re-evaluate?
• What is the maturity of our information classification systems?
• Are we complying with best practices/standards?
• How good is our physical security?
• Do we have an incident response plan?
• How long till we are back up? --- do we want that?
• Continuity Plan? Vendors/partners/providers plan?

Slide 12/16: Communications

Do we have a plan for multiple audiences?

• General public
• Shareholders
• Govt./regulators
• Affected clients
• Employees
• Press

Slide 13/16: Insurance/Risk Management

• Are we covered? ---- Are we sure?????????
• What can be covered?
• How do we measure cyber losses?
• D and O exposure?
• Who sells cyber insurance & what does it cost?
• How do we evaluate insurance coverage?

Slide 14/16: Apply

Complete the equation for attendees:

Educate + Learn = Apply

• Illustrate that cyber security is more than a technical issue, it is an enterprise wide risk management issue.
• Appreciate how organization changes with respect to analyzing cyber security can lead to increased investment and greater protection.
• How to Apply: see slide

Slide 15/16: How to Apply What You Have Learned Today

In the first three months following this presentation you should:

• Appoint an enterprise wide cyber risk team
• Develop an enterprise wide cyber risk management plan
• Develop an enterprise wide cyber risk budget

Within six months you should:

• Implement the plan, begin analyzing it regularly, test and reform based on enterprise wide (all departments) feedback

Slide 16/16: Internet Security Alliance

www.isalliance.org

(703) 907-7090

Larry Clinton, President