
Page 1: ICRMC · • Corporate Technology Risk and Security Professionals • Insurance Brokers, Insurers, MGA’s and MGU’s • Claims Professionals • Regulators and Government • Law

From Governance to Response: An Advanced Cyber Risk Management Playbook

March 31 - April 1, 2016

Toronto Hilton

www.icrmc.com

#ICRMC2016

2016 International Cyber Risk Management Conference

ICRMC™

Because cyber risk is everyone’s business™

Page 2

©2015-2016 by the International Cyber Risk Management Conference, a division of MSA Research Inc.

ICRMC 2016 Advisory Committee

Joel Baker, President & CEO, MSA Research Inc.

Chantal Bernier, Counsel, Dentons Canada LLP

Ray Boisvert, CEO, I-SEC Integrated Strategies and former Assistant Director, Intelligence at Canadian Security Intelligence Service (CSIS)

Russell Cohen, Partner, Orrick, Herrington & Sutcliffe LLP

Darius Delon, Associate Vice-President, Risk Services at Mount Royal University and Chair of RIMS Canada Council

Gregory Eskins, SVP and National Cyber Practice Leader, Marsh Canada

José Fernandez, Associate Professor, Dept. of Computer & Software Engineering, École Polytechnique de Montréal

Greg Markell, Account Manager Cyber/D&O, HUB International HKMB Ltd

Adel Melek, Global Vice Chairman Risk Advisory, Deloitte LLP

Brian Rosenbaum, SVP, National Cyber and Privacy Practice Leader, Aon Canada Inc.

Derek Tang, Manager, Risk and Insurance, Metrolinx

Richard Wilson, Partner, Cyber Security Consulting Leader, PricewaterhouseCoopers LLP

Thank you to our Sponsors

Platinum Sponsor

Gold Sponsors

Silver Sponsors

General & Media Sponsors

Page 3

Welcome

As dependency on technology continues to permeate every facet of business, the associated cyber risks continue to escalate, bringing significant threats to organizational, economic, and even social well-being. No one is immune to the growing threats, as we’ve recently witnessed, and many have yet to surface. Across the globe, organizations are grappling daily with questions about how to mitigate and better manage cyber risk, and how to transfer it in an environment where the industry heralded as the expert in risk management overall - insurance - is only just starting to dip its toe in the cyber risk waters. Still, there are valuable lessons to be shared today amongst the global industries, sectors and disciplines who are working hard to find solutions to better manage this challenge.

Cyber risk cannot effectively be managed in silos. Nor should an event focused on sharing lessons learned be a siloed representation of a problem that is as complex and multi-faceted as cyber risk. In keeping with last year’s inaugural event, this year’s ICRMC brings together the most comprehensive spectrum of issues and experts to address the challenges we face head-on.

The 2016 ICRMC Advisory Committee draws on a wealth of expertise and, quite appropriately, decided to adopt a playbook format for this year’s conference. The format logically leads you from Governance through to Protection and finally to Response. In addition, concurrent with these strategic sessions, we are offering technical breakout sessions to address a variety of specialty topics.

This year’s ICRMC is designed to give you even more substantial takeaways!

The rich agenda also brings together a stellar cast of experts who bring first-hand knowledge and experience to share timely insights on this rapidly evolving issue. When it comes to managing the cyber risk challenge, it is no longer just what you know; who you know is now equally important. Take advantage of the opportunity to build your cross-functional and global network at ICRMC and maximize your ability to tap into a larger pool of thought leadership and expertise in the eventuality that you may need it in the not-so-distant future.

Waiting on the sidelines is too costly a strategy. The global cyber risk challenge is everyone’s business -- and it is your business. And this is your conference.

We hope you look forward to learning, networking, and sharing your insights in this critically important area as much as we do.

Joel Baker, President & CEO, MSA Research Inc.

The global cyber risk challenge is now everyone’s business - it’s your business. And this is your conference.

Across the globe, organizations are grappling with questions and issues on how to mitigate and manage cyber risk and how to transfer it.

Who Should Attend (what’s in it for me?)

Cyber risk is ranked amongst the most serious threats to business specifically, and indeed to the global economy overall. The ICRMC has been developed with the understanding that the latest approaches to managing these risks are of critical importance to you, whether you’re involved in governance, mitigation, risk transfer and/or post-event response, and importantly, if you fall into one of the following categories:

• Corporate Risk Managers
• CISOs, CTOs, CSOs, CIOs, CROs
• Internal Audit
• Board Risk/Audit/Governance Committee Members
• Corporate Technology Risk and Security Professionals
• Insurance Brokers, Insurers, MGAs and MGUs
• Claims Professionals
• Regulators and Government
• Law Enforcement
• Legal Counsel
• Audit/Risk and Actuarial Consultants
• Academics and Researchers

2016 ICRMC Emcee: Ray Boisvert, CEO, I-SEC Integrated Strategies and former Assistant Director, Intelligence at Canadian Security Intelligence Service (CSIS)

ICRMC 2016 is accredited by RIBO: 5 hours Management and 4.5 hours Technical

Page 4

AGENDA

Thursday, March 31

Following the 2016 ICRMC Agenda

The 2016 ICRMC is structured as a three-chapter playbook (Governance, Protect, Response). Each chapter opens with a plenary session that sets the stage. Following each plenary session you will have the option to attend either:

1. An in-depth session (or sessions) relating to the chapter in question, or

2. A specialized technical briefing (or briefings) that may be unrelated to the chapter. Detailed information can be found on page 9.

7:30 - 8:30 Registration opens; Breakfast sponsored by Dentons

8:40 - 9:00 Welcome & Acknowledgements: Your Playbook Introduction

Joel Baker, President & CEO, MSA Research Inc.

ICRMC Emcee Ray Boisvert, CEO, I-SEC Integrated Strategies and former Assistant Director, Intelligence, Canadian Security Intelligence Service (CSIS)

PLAYBOOK: governance

9:00 - 10:00 Chapter 1a: Governance (Discovery, Identification, Strategy, Policies & Risk Assessment)

Moderator: Chantal Bernier, Counsel, Dentons Canada LLP

Robyn Collver, SVP, Risk & Regulatory Affairs, Canadian Tire Corporation

John Proctor, VP, Global Cyber Security, CGI

Richard Wilson, Partner, Cyber Security Consulting Leader, PwC

Cybersecurity governance has become a prominent topic for many organizations today as they start to recognize cybersecurity and privacy as management issues, and not simply IT topics. What are the practical components of a cybersecurity governance framework, and who is responsible for its development and stewardship among the board and management? How do you know if your cyber governance is comprehensive and effective? How do you create effective governance reports?

This moderated panel session will address these and other important questions. Our panelists will discuss a range of cybersecurity governance models and highlight both good practices to follow and pitfalls to avoid in its design and facilitation. They will expand upon issues of cybersecurity governance design, accountability, roles and responsibilities for management and the board, risks and safeguards, monitoring and reporting, and training, among others.

The governance session will set the stage for attendees with the first chapter of your Cybersecurity Playbook, and outline the strategic direction for the remainder of the conference topics.

10:00 - 10:30 Networking Break sponsored by Chubb

10:30 - 12:00 Technical Briefing I (see page 9)

Page 5

AGENDA

Thursday, March 31

PLAYBOOK: governance

10:30 - 12:00 Chapter 1b: What Should a Cyber-Governance/Risk-Management Framework Look Like?

Moderator: Adel Melek, Global Vice Chairman Risk Advisory, Deloitte LLP

Yezdi Pavri, Board Member, Ontario Power Generation

Jim Goodfellow, Board Member, Canadian Tire

Helen Sinclair, Independent Board Member, TD Bank and CEO, Bankworks Trading Inc.

Boards of directors are increasingly confronted with the cyber risks their respective organizations are encountering. Within their duty of care, they must ensure risk mitigation strategies are developed and implemented, they must inquire about their degree of effectiveness and maturity, and they must ensure that sufficient resources are dedicated towards managing their cyber risks. Recently, more boards have been inquiring about the role that Cyber Insurance could play to address their potential/residual exposure to cyber risks.

This moderated session will provide a view from the board room, profiling several senior and experienced board members from some of Canada’s largest boards across a diverse set of industries. They will address some of the most topical cyber risk issues that they are confronting, as well as the role of cyber insurance.

12:00 - 1:30 Lunch and Presentation sponsored by AIG

Keynote Speaker: Tracie Grella, Global Head, Cyber Risk Insurance, AIG Property Casualty/Underwriting

Can the Good Guys Win the Cyber Security Battle?

A discussion of the current threat landscape, effective risk management techniques including risk transfer and the role of insurance in bolstering cyber security, the truth that technology alone is not going to solve this problem, regulatory guidance/landscape, future challenges and predictions.

PLAYBOOK: protect

1:45 - 2:30 Chapter 2a: What Does a Protection Framework Look Like?

Moderator: Ray Boisvert, CEO, I-SEC Integrated Strategies and former Assistant Director, Intelligence, CSIS

Abhay Raman, Partner, Cyber Security & Resilience, Canada, EY

Jonathan Raymond, National Lead, Cyber Analytics, SAS Institute

Eduard Goodman, Chief Privacy Officer, IDT911

The velocity and complexity of the current threat environment, from ever more sophisticated spear-phishing malware to the increasing likelihood that a firm or agency will one day suffer the ignominious betrayal of a trusted “insider”, requires an equally complex resilience build. Thus, “protecting” the enterprise is a multifaceted, broadly enjoined process requiring a myriad of specialized skills, a people-centric internal strategy, top-flight independent advice, along with a well-engineered technical solution-set.

Leading-edge thinking around the most trusted and contemporary approaches to achieving maximum organizational resilience will be unpacked and debated to a degree of specificity that will provide IT leaders, as well as business managers, with effective strategies that will meet the threat requirements of 2016 and beyond.

Page 6

AGENDA

Thursday, March 31

2:30 - 3:00 Networking Break sponsored by IDT911

PLAYBOOK: protect

3:00 - 4:45 Chapter 2b: Protect - an in-depth look

Part A: Cyber Insurance - Avoiding the Pitfalls

Moderator: Greg Markell, Account Manager, Cyber/D&O, HUB International HKMB Ltd

Matthew Davies, Director - Professional, Media & Cyber Liability, Chubb Insurance Company of Canada

Brian Rosenbaum, SVP, National Cyber & Privacy Practice Leader, Aon Canada Inc.

Greg Eskins, SVP & National Cyber Practice Leader, Marsh Canada Ltd.

Reasons for the increase in purchase of cyber coverage vary – from board mandates seeking to protect corporate reputations, to companies looking to mitigate potential revenue loss from cyber-induced interruptions of operations, to the basic financial protection provided in the event of a privacy breach or a cyber extortion event.

Insurers have responded to this increased demand by offering broader cyber insurance coverage in 2015, including coverage for contingent business interruption (CBI) and cyber-induced bodily injury and property damage. In an effort to help clients improve their overall risk management framework, they also expanded the availability of loss-control services, including risk assessment tools, breach counseling, and event response assistance.

While these are all positive developments, the complexity of the contracts, the risk issues facing clients, and the underwriting process are all growing; moreover, these policies are largely untested, and the interaction of these policies with others is being challenged.

This session is designed to cut through the noise and provide practical and useful information to help you navigate each step of the insurance buying process, including what to look for, and avoid, in the contracts themselves.

Part B: Contractual Risk Transfer - Illusion or Reality

Moderator: Brian Rosenbaum, SVP, National Cyber & Privacy Practice Leader, Aon Canada Inc.

Alex Cameron, Partner and Leader of the Privacy and Information Protection Group, Fasken Martineau DuMoulin LLP

Bernice Karn, Partner, Cassels Brock & Blackwell LLP

Canadian organizations now routinely outsource core business functions to service providers around the world. From information technology to customer service and human resources, many service providers are entrusted with access to sensitive business and personal information. Where such information is compromised in a data breach, it can create significant risk, cost and liability for both the service provider and the outsourcing organization. Contractual risk transfer raises unique considerations and is essential in respect of cybersecurity and related issues. In this session, we will cover:

• Fundamentals of contractual risk transfer
• Contractual risk transfer due diligence
• Indemnity and hold harmless provisions
• Current state of the law

3:00 - 4:00 Technical Briefing II (see page 9)

Page 7

AGENDA

Thursday, March 31

PLAYBOOK: protect

Part C: Risk Manager Views

Moderator: John Kerr, Director, Risk Management and Insurance, University of Toronto

Rick Haier, Chief Security Officer, eHealth Ontario

Tracy Dallaire, Chief Internal Auditor, Chief Risk Officer, Chief Compliance Officer, eHealth Ontario

Derek Tang, Manager, Risk & Insurance, Metrolinx

With continued escalation in the frequency and impact of cyber attacks, Cyber Risk has become top of mind for Boards and Senior Leaders. Given the increasing risk level, it is a heightened priority for organizations in both the public and private sectors to assess and enhance their ability to prevent and detect cyber attacks and to resume business after them. As Cyber Risk is tied to multiple aspects of business operations, products and services, no single party within a corporation has sole responsibility for managing Cyber Risk. Risk managers can play a leadership role in bringing together key stakeholders, articulating the risk through an enterprise lens and managing it through an integrated approach at the corporate level.

This panel will discuss the kind of enterprise concerns some risk managers have in addressing Cyber Risk and the collaborative actions that some risk managers take to protect their corporations against Cyber Risk.

5:00 - 6:00 Cocktail Reception sponsored by Zurich

Friday, April 1

7:30 - 8:45 Breakfast sponsored by PwC

PLAYBOOK: response

9:00 - 9:45 Chapter 3a: Operationalizing Incident Response

Moderator: Nick Galletto, Partner, Americas Cyber Risk Services Leader, Deloitte LLP

Ira Nishisato, Partner, Borden Ladner Gervais LLP

Jane Shapiro, SVP, National Practice Leader, Hill+Knowlton Strategies

Operationalizing incident response strategies is never a straightforward endeavor. There is a plethora of considerations, from legal to reputational and regulatory.

This panel sets the stage by providing an overview of the considerations that organizations have to address well before a breach occurs.

Page 8

AGENDA

Friday, April 1

9:45 - 10:15 Networking Break sponsored by Intact

PLAYBOOK: response

10:15 - 11:30 Chapter 3b: Response - an In-Depth Look

Part A: Proactive and Reactive Incident Response

Phil Fodchuk, Canadian Leader, Cyber Incident Response, Deloitte

This session is focused on executive/leadership level issues surrounding incident response. It moves beyond IT and technology to define and address the questions that leaders need to consider in both preparing for and responding to an incident, such as:

• What are the key considerations for organizations before, during and after an incident?

• Current findings surrounding effective and ineffective approaches to managing incidents

• Understanding the risks and responsibilities with external partners through the incident lifecycle

Part B: Defending Against Class Actions

Russell Cohen, Partner, Orrick, Herrington & Sutcliffe LLP

Ira Nishisato, Partner, Borden Ladner Gervais LLP

Class actions filed in the immediate aftermath of a data breach are one of the key legal risks faced by companies on both sides of the border. Claims based on common law or statutory violations are often filed within hours of an announced breach, seeking relief on behalf of thousands or millions of alleged victims.

In this session we will discuss class action trends and defenses, including standing to sue, certification requirements and damages models.

10:15 - 11:30 Technical Briefing III (see page 10)

11:30 - 12:15 Closing Session: What Success Looks Like

Moderator: Ray Boisvert, CEO, I-SEC Integrated Strategies and former Assistant Director, Intelligence, CSIS

Chantal Bernier, Counsel, Dentons Canada LLP

Marcus Lecuyer, Area Vice President, RSA Security

Protecting privacy and cybersecurity is principally a matter of managing information, technology and administrative challenges, along with their concomitant legal risks. In the face of a daunting global threat environment that features incessant and sophisticated external attacks, as well as insider threats, be it through employee error, indiscretion or violation, the very standards of success in privacy protection and cybersecurity need to be re-examined: principally, what are the indicators of success in this context of risk? And what are the successful mitigation strategies?

This session will unpack key decision vectors surrounding past events and point precisely to “what went right”, while sharing intimate lessons learned from truly effective risk management.

Conference participants will therefore benefit from personal insights derived through direct leadership experience managing potentially organization-transforming events, as well as cases where panelists were exposed to important industry-wide lessons touching clients and stakeholders alike. All of which will help prepare decision makers for the inevitable reality of an internal or external data breach.

12:15 Conference Wrap Up

Page 9

AGENDA

Technical Stream

Technical Briefing I

Thursday 10:30 - 12:00

Moderator: José Fernandez, Associate Professor, École Polytechnique de Montréal

Bob Gordon, Director, Global Cyber Security, CGI

Part A: Internet Supply Chain

Sean Earhard, Head, Advanced Threat Solutions, Cisco Systems Canada Co

With the ever-growing importance of close collaboration within a supply chain, and the pressures of timely delivery, one area that is oftentimes overlooked is how information is transmitted among members of the chain, and the security of the storage mechanisms protecting the information at both ends. This presentation will take a look at some simple, yet effective, steps that all collaborators can take to ensure that their valuable intellectual property, personal information, or other sensitive materials are not compromised.

Part B: IoT vs. Cybersecurity: How will we defend 1.5B network connected cows?

Patrick Patterson, President and Chief PKI Architect, Carillon Information Security Inc.

With 1 million devices soon coming online every hour, the Internet of Things (IoT) is rapidly transforming the way organizations gather data and make decisions—driving unprecedented efficiency gains. But the rise of IoT comes with a long list of cybersecurity risks. Join us for an in-depth review of how IoT deployment risks conflict with the traditional cybersecurity model and how organizations can adapt to ensure both succeed.

Technical Briefing II: The Quantum Computing Threat to Encryption

Thursday 3:00 - 4:00

Moderator: José Fernandez, Associate Professor, École Polytechnique de Montréal

Donna Dodson, Chief Cybersecurity Advisor, National Institute of Standards and Technology (NIST)

Michele Mosca, Co-founder, Institute for Quantum Computing, University of Waterloo

Large-scale quantum computers would pose a major disruptive threat to cybersecurity. These devices will break essentially all of the currently used forms of public-key cryptography, on which all forms of electronic commerce and electronic transactions rely. While sufficiently large quantum computers do not exist yet, several academic and industrial research efforts worldwide focus on constructing them. Recent and ongoing progress toward critical milestones in building a large-scale quantum computer leads experts to believe that not only may they be a reality in our lifetimes, but possibly even within 10-15 years.

Given the enormous impact that such a development would have on computer security, and the complexity of migrating existing systems to alternative cryptographic technology, it is paramount to consider this risk factor and start planning for it now. This is especially important for systems designed to provide long-term confidentiality, which must be made quantum-resistant even sooner. For instance, the NSA has recently announced preliminary plans to transition to quantum-resistant cryptography.

Our panel of experts will describe this threat, the implications for organizations today, and the various strategies that can be put in place to mitigate it, including quantum cryptography and quantum-resistant cryptographic systems.

Page 10

AGENDA

Technical Stream

Technical Briefing III: Actuarial Perspectives on Cyber Pricing/Modeling or Quantification in General

Friday 10:15 - 11:30

José Fernandez, Associate Professor, École Polytechnique de Montréal

Christopher Messina, Co-Founder & CEO, CyberCat Risk Management, LLC

Alice Underwood, Executive Vice President, Willis Re Inc.

Given the dynamic and fast-developing nature of cyber risk, there are many difficulties and challenges associated with quantification. The risk is subject to numerous forces, all changing in real time at interconnected local, regional and global levels. The insurance industry has found data can be difficult to obtain, and it is reasonable to question whether available information is relevant for estimating future losses. The resulting lack of well-accepted models for cyber risk has hindered the insurance industry’s ability to offer wider protection and greater capacity, and has led to the creation of new service models to address this glaring problem.

This panel will discuss the current state of cyber modeling in the insurance industry as well as ideas for how to move the industry forward by identifying new sources of data, various approaches for modeling cyber risk, and ways of dealing with the inherent uncertainty.

Page 11

About ICRMC

The International Cyber Risk Management Conference (ICRMC) brings together an unparalleled gathering of professionals, expertise and timely content that represents the far-reaching spectrum of the global cyber risk challenge.

No longer just a technological issue to be relegated solely to IT. No longer just a sector-specific risk. No longer just a ‘big business’ concern. Cyber risk is everyone’s business.

The ICRMC addresses the most salient and timely topics and challenges to help organizations manage risk internally and effectively transfer a portion of it.

From technological mitigation, organizational controls, legal means, security, post-breach management, effective risk transfer methodologies, insurance and self-insurance – the ICRMC brings together the most comprehensive menu of critical issues - and the expertise/experience to address them – all in one place.

Cyber risk is everyone’s business. It is here today and growing tomorrow, already impacting organizations and individuals across all sectors of the economy.

Register now!

www.icrmc.com

Toronto Hilton, March 31 - April 1, 2016

Connect with us on Twitter: @ICRMConf

#ICRMC2016

“It was a great conference, and I’ve been to quite a number of these. The 2015 ICRMC really stood out.” Russell Cohen, Partner, Orrick, Herrington & Sutcliffe LLP

©2016 by the International Cyber Risk Management Conference, a division of MSA Research Inc.