Changing the Game: An HPR Approach to Cyber CRM007


Speakers:
- Michal Gnatek, Senior Vice President, Marsh & McLennan
- Karen Miller, Sr. Treasury & Risk Manager, FireEye, Inc.

Learning Objectives
At the end of this session, you will:
- Recognize potential underwriting differentiators
  - Why the legacy application-based underwriting approach falls short.
  - What information cybersecurity professionals identify as critical to understanding your risk profile.
- Consider risk engineering mechanisms to incorporate
  - Cybersecurity is a fluid and dynamic risk to every organization.
  - Leveraging Cyber insurance to drive enterprise risk management.
- Identify benefits of taking an HPR approach to Cyber
  - Why differentiating your organization will benefit your company.

The HPR Approach
Underwriting
- Pre-Determined Underwriting Standards
- Best-of-Breed Protection
- Thorough Evaluation of COPE, Spread of Risk, Threats
Engineering
- Subject to Risk Control Surveys
- Recommendations
- Obligation to Implement or Justify Non-Compliance
Post-Binding
- Preferred Terms & Conditions
- Competitive Pricing vs. Non-HPR
- Value-Added Services

Current State of Underwriting
Growing Market
- Gross written premiums expected to increase from $2.5B in 2014 to $7.5B in 2020.
- Capacity remains steady at approximately $500M.
- New area of opportunity in otherwise soft Property and Casualty markets.
- Traditional or legacy Cyber insurers threatened by naïve capacity.
Opportunity Riddled With Uncertainty
- Where else (which policies) are insurers exposed to Cyber claims?
- Uncertainty driving conservative pricing.
- Aggregation and concentration continue to be a major concern.

Current State of Underwriting
It's a Tricky Proposition
- Lack of sound actuarial data.
- Adversary adapts to the latest protection/security.
- No commonly accepted standards (e.g., NIST, SANS 20, etc.).
- Difficult to estimate losses resulting from brand/reputation damage and compensation to customers, suppliers, and other stakeholders.
- Delay in detection.
Insurance as Carrot and Stick
- Commercial insurance vs. government backstop (e.g., terrorism).
- Underwriting requirements as a means to drive compliance.
- Better Cyber governance = lower premium incentive.

The Problem With Applications
Snapshot of Point in Time
- Cyber is fluid and constantly evolving with advancing technologies and adaptive adversaries.
- 100% of companies breached had up-to-date anti-virus.
- Compliance ≠ security.
- New focus in otherwise soft Property and Casualty markets.
Check the Box Approach
- Effort to simplify the application process has led to drop-down choices.
- Input needed from multiple stakeholders.
Lack of Consistency
- Carrier applications.
- Broker coverage inventories.
- No applications at all.
- Lloyd's Common Data Requirements.
One Size Fits All
- Cyber risk profile is often industry-specific.
Focus on Technology and Security
- Need for emphasis on people and processes.

Changing the Game
- Interviews
- Maturity Matrix
- Independent Assessment

Differentiating Risk
Mutual Lack of Understanding
- Insurers lack comprehensive understanding of clients' risk profiles:
  - Threats.
  - Assets at risk and respective value (VAR).
  - Safeguards and protections.
  - The Human Element.
  - Resiliency.
- Clients often do not understand how their program is priced:
  - Painted with industry broad brush?
  - Premium credit for best-of-breed framework?

Differentiating Risk
Key Areas of Focus
- Security culture and awareness.
- Encryption protocols.
- Cloud security.
- Business continuity and resiliency plans, including Cyber Crisis Management.
- Third-party threat assessment.
- Continuous monitoring.
- Enterprise risk management approach to Cyber.

Value Add Services
Partnerships With Third Party Vendors
Loss Prevention
- Cybersecurity risk assessment.
- Dark Web data mining and monitoring.
- Vendor security ratings.
- Employee education (e.g., phishing).
- Vulnerability scanning.
Claims
- Breach coach.
- Incident response, including forensics.
- Crisis communications.
Information Sharing
Business Continuity Planning/Resiliency

FireEye at a Glance
- Public company traded on NASDAQ under symbol FEYE.
- Headquarters campus: Milpitas, CA; 3,000 employees worldwide.
- Products: advanced cybersecurity threat protection hardware and software, and services including threat intelligence.
- FireEye customers: over 3,700 across 67 countries, including over 675 of the Forbes Global 2000.
- FireEye ranked first in the Cybersecurity 500 List of Companies to Watch in 2015.

Cyber COPE Framework
Component
- Number of endpoints
- Number of network connections
- Software versions
- Data center locations
Exposure
- Political or criminal motivation
- Types of outsourcing
- Common software vulnerability
- Type and amount of sensitive information
- Reliance on network for operations
- Compliance and regulatory requirements
Organization
- Policyholder's industry
- Quality of IT and security related policies
- % of budget allocation for security
- Use of industry standards
- Quality of information governance
- % of outsourced services
- Board-level risk appetite
Protection
- Data retention
- Firewalls
- Incident response
- Monitoring
- Encryption
Source: ACE's Global Cyber Facility

Engineering for the Evolving Threat Landscape
HPR tools to empower your organization to better protect its key assets and differentiate your risk to cyber underwriters.
AM I AT RISK?
- Red Teaming
- Penetration Testing
- Social Engineering Techniques
AM I PREPARED?
- Security Program Audit
- Response Readiness Assessment (RRA)
AM I COMPROMISED?
- Compromise Assessment (CA)
I AM BREACHED!
- Incident Response
- IR Retainer
PREPARE FOR FUTURE EVENTS
- Cyber Risk for the Enterprise
- Threat Intelligence

Vulnerability Assessments
Cyber COPE Quadrants: Component, Exposures & Protection
Identify critical security vulnerabilities in a controlled "real world" compromise scenario. Results help an organization improve its existing security posture while reducing the risk of a successful cyber attack.
- Penetration Testing - exploits known vulnerabilities.
- Red Teaming - detects unknown vulnerabilities.
- Social Engineering Techniques

Cyber Suitability Indicators
- Organization is interested in a first-look assessment.
- Organization is worried about specific critical assets such as people, processes, or technology.
- Organization wants to know how its security posture measures up against best practices.

Strategic Security Programs
Cyber COPE Quadrants: Organization, Components & Protection
Proactively helps an organization reduce the risk of an incident and minimize impact in case of a breach. Results provide a security program roadmap and recommendations.
- Security Program Audit
- Response Readiness Assessment

Cyber Suitability Indicators
- New security leadership within the organization.
- Recent board-level strategic decision to improve security.
- Early-stage organization seeking to improve upon security.

Compromise Assessment
Cyber COPE Quadrants: Organization & Exposures
Proactively evaluate an organization's network for the presence of an advanced attack group. Results should provide:
- Information on current or past attacker activity.
- Understanding of the extent and severity of the compromise.
- Preliminary attack timeline and malware information.
- Recommendations based on the assessment's findings.

Cyber Suitability Indicators
- In an industry vertical that has experienced recent breaches.
- In an industry that is known to be targeted by threat actors.
- An organization that has significant activities in high-risk countries.

Incident Response
Cyber COPE Quadrant: Protection
Investigate and remediate cybersecurity incidents with scale, speed, and efficiency. Incident Response is an essential element of a business continuity and resiliency plan. Start a dialog.
Benefits of an incident response retainer:
- Pre-negotiated contractual terms.
- Guaranteed rates.
- On-call incident response.
- Reduces the impact of a security incident.
- Reduces business interruption and extra expenses.

Cyber Suitability Indicators
- Organization has identified a past security breach.
- Organization is in a known targeted industry.
- Organization is subject to regulatory reporting requirements in the event of a breach.

Prepare For Future Events
Cyber COPE Quadrants: Protection & Organization
Threat Intelligence: Your security and risk management team receives the intelligence and context needed to help identify, block, and respond to cyber attacks.
(Figure: tiered threat intelligence model, Tier 1, Tier 2, Tiers 3 & 4.)
An Enterprise Cyber Risk Framework provides a completeness of vision and cultural awareness of information security throughout the organization.

Conclusion
Underwriting
- Current application-driven/point-in-time process does not capture adequate underwriting information.
- The insurance market is beginning to partner with network security companies to better understand and evaluate the portfolio of risk.
Engineering
- Cyber Risk Management must be an ongoing and continuous process.
- Growing need to leverage third-party Network Security tools and services to assess threats throughout the policy term.
Post-Binding
- Current market conditions continue to neutralize the positive pricing and coverage impact of best-of-breed policies and protections.
- Underwriters reluctant to impose required standards as subjectivity for coverage (e.g., Columbia Casualty Co. v. Cottage Health System).

Questions?

Thank You