Your partner for information security
Cybersecurity Risk Insurance
Luca Moroni – Via Virtuosa
INFOSEK 2016 - Nova Gorica – 1/12/2016
ISACA VENICE research team coordinator
✔ Research n.1: Vulnerability and Penetration Test. User’s guidelines about third party penetration test.
✔ Research n.5: Cyber Security Awareness of N/E Italian Critical Infrastructures: Scenarios and Guidelines for self-assessment
Member of ISACA VENICE Chapter Translation team
✔ Securing Mobile Devices – ITA
Research team coordinator, Cybersecurity Risk Insurance
Graduation in Computer Science (1989, Milan), CISA and ITIL V3 certified, with other tech certifications
Focused on Cybersecurity since 2000 and lecturer in some seminars about this topic
Founder of the innovative company Via Virtuosa, which focuses on scouting and promotion of expertise in Cybersecurity and IT governance in the NE of Italy.
Luca Moroni
Who am I
Cesare Burei and Debora Casalini – Margas Srl
Ettore Guarnaccia - Banca Popolare di Vicenza Spa
Marco Cozzi – Hypo Alpe Bank Spa
Andrea Cobelli – Azienda Trasporti Verona Srl
Luigi Gregori – Cogitoweb Srl
Thanks to a great team in this Research
Cyber Incident = Loss of Money
Cyber Risk
Allianz Risk Barometer 2016
Cyber Risk Zone Level
The Global Risks Report 2016 11th Edition by the World Economic Forum
• Understand CIO awareness of cyber insurance
• Scenario analysis of cyber exposure
• What cyber insurance is useful for
• Italian market of cyber insurance
• CIO testimonials with 3 business cases
• Q&A between CIO and Cyber Insurer
• Suggest rules for Cyber Insurance requests
White Paper objectives
… having a Risk Management Approach…
Cyber insurance is a single policy or a group of insurance policies that should cover residual Cyber & Cyber related risks
What is a Cyber Risk Insurance
Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016
I know about new dangerous problems!
I have a full portfolio of new products!
MORE INTERESTED IN CYBERSECURITY
MORE INTERESTED IN COUNTER RESIDUAL RISK
Paul Steven
Communication protocol: Insurer vs CIO
PROBLEM!
Yes / No
Have you ever asked whether existing policies cover or exclude cyber risks?
White Paper 2016 Via Virtuosa Srls COPYRIGHT protected Cybersecurity Risk Insurance Survey on 63 companies
Who is asking you to provide Cybersecurity?
Yes No
Have you registered cyber incidents involving your organization in the last five years?
Cause of Loss
Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016
Adopting standards and measures
Check Controls 27002:2013
About 90% of vulnerabilities highlighted in a Gap Analysis 27001 are not residual risk
Cyber Risk Exposure in NE of Italy
Sample of 70 Companies ranked using “Determining Your Organization’s Information Risk Assessment and Management” – ENISA Methodology
Risk matrix axes: Impact / Probability of occurrence
avoid the risk 30%
Ask me only about ICT please. I’m not a CISO or an RM
Start assessing your situation
Paul Steven
What's the state of the art?
1. Dedicated Resources
2. Policies and Procedures
3. Employee Awareness
4. Incident Response
5. Security Measures
6. Vendor Management
7. Board Oversight
Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016
I analyse and know the problems together with the cyber risk owners
You know your situation. GREAT!
Paul Steven
What's the state of the art
How is your situation? Ask me your question. Let me try to explain
Cesare
Andrea
Business Case
Ettore
Marco
18 Questions answered
How and what can you cover? The insurable risks
Damages Business Interruption
Costs Third Party requests
Paul Steven
Some questions
IT theft means any kind of intrusion by any third party into the company IT system that results in the fraudulent and unauthorized removal or alteration of data contained in the company IT system itself.
Loss from IT theft means the funds illegitimately or erroneously paid by the insured as a direct consequence of an IT theft that are not retrievable or, even though they are legally retrievable, cannot be retrieved because of an insolvency of the recipient, an impossibility of an effective operation or any other similar reason.
An example of real coverage
Expertise
Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016
Security is not an investment that provides profit but loss prevention
• The first step is to understand the situation
• Define protocols to measure, mitigate and manage cyber risk
• About 10% of vulnerabilities highlighted in a Cyber Security Gap Analysis are residual risk
• Some critical sectors (e.g. banks) are mature for Cyber Insurance
• SMBs also need a financial parachute
• Managing the cybersecurity life cycle reduces residual risk
Conclusions
Questions?