2011 02 16 larry clinton rsa bus 203 presentation how to assess the financial impact of cyber risk
TRANSCRIPT
-
7/31/2019 2011 02 16 Larry Clinton RSA BUS 203 Presentation How to Assess the Financial Impact of Cyber Risk
How to Assess the Financial Impact of Cyber Risk
MODERATOR:
Larry Clinton, Internet Security Alliance
PANELISTS:
Tom Jackson, Phillips Nizer
Ty Sagalow, Zurich North America
Justin Somaini, Symantec Corporation
Session ID: BUS-203
Session Classification: Intermediate
-
ISA-ANSI Project
2007: DHS Assistant Secretary Garcia asks ISA-ANSI to develop a program on enterprise financial analysis of cyber risk.
2008 (Phase I): ISA-ANSI conduct 6 workshops and publish "50 Questions Every CFO Should Be Asking About Cyber Security".
2010 (Phase II): ISA-ANSI and Symantec conduct workshops on responses to Phase I and publish "Financial Aspects of Cyber Risk".
Currently developing Phase III, targeted at CEO and Board levels.
-
Obama: What We Need to Do
"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts."
Obama Administration Cyber Space Policy Review, May 30, 2009
-
What to do
Good News: We know a lot about how to solve this problem. 80-90% of it can be solved by using best practices and standards; most organizations don't, due to cost.
Focus on Enterprise Education so companies understand their total financial cyber risk. The ISA-ANSI program (which is free) provides a pathway to do this.
-
ISA-ANSI Phase I Produces Model of Gross Financial Risk of Cyber Events
[Diagram: the model's components as laid out on the slide]
THREAT: FREQUENCY of risk event (probable number of events in a year)
CONSEQUENCE: SEVERITY of risk event (possible loss from an individual event)
VULNERABILITY: LIKELIHOOD, or % of damage, given the risk mitigation actions taken
These three combine into GROSS FINANCIAL RISK (Annualized Expected Loss).
Gross financial risk less RISK TRANSFERRED gives NET FINANCIAL RISK.
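As an added worked example (not code from the presentation or from the ISA-ANSI publications), the Phase I model applied to a constructed portfolio of events in Python; it also prices a mitigation against its cost, the trade-off the "most don't, due to cost" slide raises. It assumes the standard annualized-expected-loss combination, frequency x severity x vulnerability per event summed over events, with net risk equal to gross risk minus what an insurance policy with a hypothetical per-event deductible and limit would pay; the event names, dollar figures and policy terms are constructed.

```python
"""Worked ISA-ANSI Phase I gross/net financial risk model on constructed sample events.
Assumed rule (not stated on the slide): gross financial risk = THREAT frequency x
CONSEQUENCE severity x VULNERABILITY likelihood, summed over events; net = gross
minus the risk transferred to insurance."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEvent:
    name: str
    frequency: float      # THREAT: probable number of events in a year
    severity: float       # CONSEQUENCE: possible loss (USD) from one event
    vulnerability: float  # VULNERABILITY: share of that loss expected given mitigations, 0..1

@dataclass(frozen=True)
class Policy:
    deductible: float  # insurer pays nothing below this per event (hypothetical terms)
    limit: float       # insurer pays at most this per event

def gross_financial_risk(events):
    """Annualized expected loss before any risk transfer."""
    return sum(e.frequency * e.severity * e.vulnerability for e in events)

def risk_transferred(events, policy):
    """Expected annual insurer recovery, applying deductible and limit per event."""
    total = 0.0
    for e in events:
        per_event_loss = e.severity * e.vulnerability
        covered = min(max(per_event_loss - policy.deductible, 0.0), policy.limit)
        total += e.frequency * covered
    return total

def net_financial_risk(events, policy):
    return gross_financial_risk(events) - risk_transferred(events, policy)

def mitigation_benefit(event, new_vulnerability, annual_cost):
    """Annual drop in gross risk from a control, net of its cost (positive = pays off)."""
    improved = RiskEvent(event.name, event.frequency, event.severity, new_vulnerability)
    return gross_financial_risk([event]) - gross_financial_risk([improved]) - annual_cost

# Constructed sample portfolio; the figures are illustrative, not from the presentation.
SAMPLE_EVENTS = [
    RiskEvent("customer data breach", 0.5, 2_000_000, 0.6),
    RiskEvent("ransomware outage", 2.0, 250_000, 0.4),
    RiskEvent("trade secret theft by insider", 0.2, 5_000_000, 0.3),
]
SAMPLE_POLICY = Policy(deductible=100_000, limit=1_000_000)
```

Note that the ransomware event transfers nothing: its expected per-event loss never clears the deductible, which is exactly the "Are we covered? Are we sure?" question from the insurance slide made concrete.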
-
ANSI-ISA Phase II Program
Outlines an enterprise wide process to attack cyber security broadly and economically:
CFO strategies
HR strategies
Legal/compliance strategies
Operations/technology strategies
Communications strategies
Risk Management/insurance strategies
-
What the CFO needs to do
Own the problem
Appoint an enterprise wide cyber risk team
Meet regularly
Develop an enterprise wide cyber risk management plan
Develop an enterprise wide cyber risk budget
Implement the plan, analyze it regularly, test and reform based on enterprise wide (EW) feedback
-
Human Resources
Recruitment
Awareness
Remote access
Compensate for cyber security
Discipline for bad behavior
Manage social networking
Beware of vulnerability, especially from IT and former employees
-
Legal/Compliance Cyber Issues
What rules/regulations apply to us and our partners?
Exposure to theft of our trade secrets?
Exposure to shareholder and class action suits?
Are we prepared for govt. investigations?
Are we prepared for suits by customers and suppliers?
Are our contracts up to date and protecting us?
-
Operations/IT
What are our biggest vulnerabilities? Re-evaluate?
What is the maturity of our information classification systems?
Are we complying with best practices/standards?
How good is our physical security?
Do we have an incident response plan?
How long till we are back up? Do we want that?
Continuity plan? Vendors'/partners'/providers' plan?
-
Communications
Do we have a plan for multiple audiences?
General public
Shareholders
Govt./regulators
Affected clients
Employees
Press
-
Insurance/Risk Management
Are we covered? Are we sure?
What can be covered?
How do we measure cyber losses?
D and O exposure?
Who sells cyber insurance and what does it cost?
How do we evaluate insurance coverage?
-
Apply
Complete the equation for attendees:
Educate + Learn = Apply
Illustrate that cyber security is more than a technical issue; it is an enterprise wide risk management issue.
Appreciate how organization changes with respect to analyzing cyber security can lead to increased investment and greater protection.
How to Apply: see slide
-
How to Apply What You Have Learned Today
In the first three months following this presentation you should:
Appoint an enterprise wide cyber risk team
Develop an enterprise wide cyber risk management plan
Develop an enterprise wide cyber risk budget
Within six months you should:
Implement the plan, begin analyzing it regularly, test and reform based on enterprise wide (all departments) feedback
-
Internet Security Alliance
www.isalliance.org
(703) 907-7090
Larry Clinton, President