OECD EXPERT CONSULATION ON

IMPROVING THE MEASUREMENT OF

DIGITAL SECURITY INCIDENTS AND RISK MANAGEMENT

12 - 13 May 2017

Swiss-Re Centre for Global Dialogue Gheistrasse 37 8803 Rüschlikon Switzerland

BIO - BOOK

Hans Allnut Partner DAC Beachcroft LLP United Kingdom

Hans leads the Cyber & Data Risk team at international law firm DAC Beachcroft. He

advises on cyber risk strategy, incident preparation, incident response and contentious data

protection issues.

In 2016, he was recommended for his "excellent data privacy skills" in The Legal 500;

recognised as a Litigation Rising Star; and, nominated as a Legal Innovator of the Year.

Hans has worked in the insurance industry for 15 years. He is a legal expert on cyber risk

and data breach insurance policies and has advised on policy wordings, aggregation,

systemic cyber risk and “silent” cyber exposures.

Hans chairs the International Underwriting Association’s Cyber Claims Committee and is an

Editorial Board Member of Cyber Security Practitioner.

Alexandre Barbosa

Head of the Regional Center for Studies on the Development of the Information Society (Cetic.br) under the auspices of UNESCO based in São Paulo, Brazil

Mr. Barbosa is responsible for managing nationwide stand-alone ICT survey projects for the

production of ICT-related statistics on the access to and use of ICTs in different segments of

society in Brazil, and for promoting capacity building programs in survey methodologies in

Latin America and Portuguese-speaking countries in Africa.

Mr. Barbosa is also the Chair of the Expert Group on ICT Households indicators (EGH) from

the International Telecommunications Union (ITU) and member of the International Advisory

Group of Experts on the Global Kids Online project leaded by UNICEF and LSE.

Mr Barbosa holds a PhD degree in Business Administration from Getulio Vargas Foundation (Brazil), a Master Degree in Business Administration from Bradford University (UK), a MSc Degree in Computer Science from Federal University of Minas Gerais (Brazil) and a BSc Degree in Electrical Engineering from Catholic University (Brazil). He has also conducted postdoctoral research at HEC Montreal (Canada) in the area of electronic government.

Joel Benge Risk Evangelist Emergent Network Defense United States

Joel Benge is an award-winning communicator with roots that span from the humanities to

cybersecurity. Early dalliances with education, theatrical arts, and the entertainment industry

(including Nickelodeon, video game development, and as one of the Internet’s first

podcatsers) gave way to hands-on industry experience in network security. Joel has been on

the technical staff at NASA Goddard Space Flight Center and spent many a long night “in

the trenches” of network and security operations centers.

An opportunity to combine his passion for storytelling and communications with his technical

skills led Joel to serve seven years with the U.S. Department of Homeland Security as the

principal manager for enterprise cybersecurity communications. There worked to develop

and communicate the Department’s internal cybersecurity strategy, including implementing

the Stop.Think.Connect.™ and National Cyber Security Awareness Month campaigns.

He is currently the “Risk Evangelist” for Emergent Network Defense, a global Digital Risk

Management solutions provider. He brings his divergent thinking to help Fortune 100

companies and international non-profits contextualize their enterprise data to “see around

the corner” and predict their next digital risk.

Laurent Bernat

Policy Analyst OECD France

Laurent Bernat is Policy Analyst at the OECD Secretariat, within the Division for Digital Economy Policy in the Directorate for Science, Technology and Industry. He has supported the work of the Working Party on Security and Privacy in the Digital Economy (SPDE) since he joined the OECD in 2003, working in many areas from national cybersecurity strategies, electronic authentication, and the protection of critical information infrastructures.

He is currently part of the OECD horizontal project on "Going Digital: Making the Digital Transformation Work for Growth and Well-Being" which gathers 14 OECD Committees in various policy areas. He has a Masters degree in political science and has graduated from the French Institut d’étude des relations internationales (ILERI).

Steve Bishop

Head of Insurance and Asset Management ORX United Kingdom

Steve is a risk management professional with over 15 years’ experience gained in the financial services industry.

During his career, he has developed and implemented operational risk management and measurement frameworks at major insurance firms, banks and asset managers, as well as effecting risk management change within organisations and successfully managing varied and complex stakeholder relationships.

At ORX, Steve has responsibility for the insurance operational risk data exchange service, insurance focussed operational risk research and membership growth.

Maya Bundt

Head of Cyber and Digital Security Swiss Re Switzerland

Maya Bundt is the Head Cyber and Digital Strategy at Swiss Re Reinsurance. In this role she

is responsible to further develop and implement the Reinsurance cyber risk strategy, and to

drive digital innovation and initiatives. Maya joined Reinsurance from Group Strategy, where

she was Chief of Staff to the Group's Chief Strategy Officer. Before she joined the Group

Strategy team, Maya held a position in the Information Technology Division of Swiss Re.

Maya joined Swiss Re from the Boston Consulting Group where she spent 3 years as a

strategy consultant serving a variety of industries.

She holds a PhD in Environmental Science from the ETH Zurich.

Maya is elected member of the World Economic Forum Future Council for the Digital

Economy and Society. She supports several international initiatives around the digital

economy and cyber risks and has published several articles on the topic.

Anne Carblanc

Head of Digital Economy Policy OECD France

Ms. Anne Carblanc is Head of the OECD Digital Economy Policy Division (DEP) in the

Directorate for Science, Technology and Innovation. Her division works on evidence-based

policy frameworks to make the digital transformation work for inclusive growth and well-

being.

Ms Carblanc joined the OECD in 1997, working on privacy, consumer protection and digital

security issues. From 2009 to early 2012, she assisted the STI Director as Special

Counsellor, and was responsible for strategic planning, organisation and co-ordination as

well as global relations. Prior to joining the OECD, she spent five years as Secretary

General, Director of Services in the French Commission Nationale de l’informatique et des

libertés (CNIL). She also served ten years in the French judicial system as "juge

d'instruction" and Head of criminal legislation in the Ministry of Justice.

Anne Carblanc, a French national, holds a Bachelor’s degree in modern languages and

literature, a Master's degree in Civil Law from University Paris 1, and graduated in 1983 from

the "École nationale de la magistrature".

Philippe Cotelle

Head of Defense and Space Insurance Risk Management Airbus France

Philippe Cotelle has been the Head of Insurance and Risk Management of Airbus Defence &

Space since 2014, gathering all Airbus activities in Space, Defence and Military Transport

Aviation belonging to the former Divisions Astrium, Cassidian and Airbus Military.

Philippe Cotelle is leading the SPICE project (Scenario Planning to Identify Cyber Exposure)

within Airbus developing a new approach for Business impact analysis related to a cyber

event. Philippe coordinates a research program with the French Institute of Research and

Technology on cyber risk management and collaborates with FERMA (Federation of

European Risk Management Associations), French Administration and OECD on this topic.

Philippe Cotelle graduated as an Engineer from Ecole Nationale Superieure de

l'Aeronautique et de l'Espace and Executive MBA from Essec & Mannheim 2007.

Benjamin Dean

OECD Consultant Based in the United States

Benjamin C. Dean works at the intersection of technology, economics and public policy. He presently contributes to an initiative to develop business digital risk management metrics with the OECD’s Working Party on Security and Privacy in the Digital Economy. Mr. Dean recently contributed a paper to inform the European Parliament on the economic implications of EU-US cooperation in cybersecurity and cybercrime. He also assists re-insurance clients with the development of models to assess the probability and impact of a variety of digital security incidents. Previously he was a fellow for cybersecurity at Columbia University and a policy analyst at the Organisation for Economic Co-operation and Development’s Center for Entrepreneurship, Small and Medium Enterprises and Local Development.

Mr. Dean completed a MA International Affairs at Columbia University’s School of International and Public Affairs. He is also a graduate of the University of Sydney with a BA Economics and Social Sciences (Hons.)

Martin Eling

Director Institute of Insurance Economics Switzerland

Martin Eling is professor of insurance management and director of the Institute of Insurance

Economics at the University of St. Gallen (Switzerland). He studied business administration

at University of Münster (Germany), where he also received his doctoral degree in 2005.

From 2005 to 2009, he worked as postdoc at the Institute of Insurance Economics of the

University of St. Gallen. In 2008 he has been Visiting Professor at the University of

Wisconsin-Madison (USA) and in 2010 and 2011 Visiting Lecturer at the University of Torino

and University of Urbino (Italy). From 2009 to 2011 he has been Director of the Institute of

Insurance and Professor in Insurance at the University of Ulm (Germany).

Dr. Eling has published in numerous international journals, including the Journal of Risk and

Insurance, the Journal of Banking & Finance, the European Journal of Operational

Research, and Insurance: Mathematics and Economics. He received several research prices

from leading international organizations such as the American Risk and Insurance

Association, the Casualty Actuarial Society and the National Association of Insurance

Commissioners. His main research fields are new insurance markets (e.g. cyber insurance,

microinsurance), new approaches in asset management (e.g. alternative investments),

regulation, risk management and performance measurement.

Kevvie Fowler

National Leader of Cyber Response KPMG United States

Kevvie Fowler is National Leader of Cyber Response and partner in Advisory Services at KPMG in Canada where he helps clients prevent, detect and recover from security incidents. Kevvie proactively helps clients identify, assess and manage cyber risks to protect sensitive data and prepare to effectively respond to a breach. Kevvie also helps clients reactively investigate and discount the occurrence of, or confirm and precisely scope, breaches in a manner that minimizes impact to their organization.

He is a recognized security and forensics expert, author of Data Breach Preparation and Response and SQL Server Forensic Analysis and coauthor to several cyber security and forensic books. He is also a SANS lethal forensicator and sits on the SANS Advisory Board, where he guides the direction of emerging security and forensics research.

Robert W. (Bob) Gordon

Executive Director Canadian Cyber Threat Exchange (CCTX) Canada

Bob is the Executive Director, Canadian Cyber Threat Exchange (CCTX) where he has

organisational responsibility to deliver cyber threat information services and lead all cyber

intelligence engagements and research activities. Most recently, Bob was a Director, Global

Cyber Security at CGI. Prior to this, he enjoyed a long and successful career in the Federal

Government, which included being the architect of Canada’s Cyber Security Strategy.

Bob has had a unique career in Canada’s security, intelligence and law enforcement

organizations: Public Safety Canada, Communications Security Establishment, Canadian

Security Intelligence Service, and the Royal Canadian Mounted Police. He has had senior

executive responsibility for science and technology, IM/IT, and internal security programs

(personnel, physical, and information technology). He has also provided operational

leadership in investigating and analyzing the full range of threats to the security of Canada,

which included leading the CSIS Counter Terrorism program.

Marc Henauer

Head of MELANI Program Swiss Federal Intelligence Switzerland

Marc Henauer is the Head of the MELANI Operation and Information Centre. This unit is part

of the Federal Intelligence Service within the Swiss Ministry of Defence, Civil Protection and

Sports. The MELANI OIC Unit is responsible for the analytical and operative parts of the

Swiss Analysis and Reporting Unit for Information Assurance (MELANI). MELANI is

mandated with supporting the Swiss Critical Infrastructures within their Information

Assurance Process.

Mr. Henauer was the strategic analyst for economic and cyber criminality within the Service

of Analysis and Prevention, before heading MELAN and part of the Cybercrime Coordination

Unit (CYCO). He studied at the University of Zurich economic science and Media and

Communication Management at the University of St. Gallen. Mister Henauer got his Master

of Arts in Security Studies from the Georgetown University in Washington DC.

Yurie Ito

Founder and Executive Director The CyberGreen Institute United States

Yurie Ito is a Founder and Executive Director of The CyberGreen Institute, a global non-

profit organization focused on improving the cyber ecosystem’s health by providing reliable

metrics, measurement, and mitigation best practices to national CERTs, network operators,

and policy makers. She is also a Director of Global Coordination Division for the Japan

Computer Emergency Response Team Coordination Center (JPCERT/CC). She has

previously served 12 years as Technical Director and Global Coordination Director for the

organization, and also served at ICANN as a Director of Global Security Programs from

2009-2011. She has been leading a number of international collaborative efforts, including

as Chair of the Asia Pacific Computer Emergency Response Team (APCERT), an active

member of the Forum of Incident Response and Security Teams (FIRST), and as Board

Member of FIRST for 6 years from 2004-2010.

She is a non-resident Senior Fellow at the Atlantic Council, associated with the Cyber

Statecraft Initiative. Her Master's thesis at the Fletcher School of Law and Diplomacy, Tufts

University, was on Managing Global Cyber Health and Security through Risk Reduction.

Nick Kitching

Head Risk Management EMEA for Reinsurance CRO Forum United Kingdom

Nick Kitching is Chief Risk Officer of Swiss Re Europe S.A., Swiss Re's Luxembourg based

carrier for reinsurance operations in Europe.

Nick joined Swiss Re in July 2013 as head of EMEA Regulatory Risk Management leading a

team coordinating Swiss Re's engagement on regulatory risks and developments in EMEA.

Before joining Swiss Re, Nick worked at Aviva as head of Regulatory Policy Oversight and at

the UK Financial Services Authority as a member of the General Counsel Division and

Prudential Policy Division.

In his roles at Swiss Re and Aviva, Nick has been actively engaged in a number of industry

bodies, particularly the CRO Forum. For the CRO Forum, He led a number of CRO Forum

initiatives on recovery and resolution and diversification benefits. Since December 2013,

Nick has chaired the coordination of the CRO Forum's cyber risk working group. This group

has been responsible for two papers on cyber resilience and cyber risk published in June

2016 and December 2014.

Nick started his career in law and is a qualified UK solicitor.

Éireann Leverett

Senior Risk Researcher Cambridge Centre for Risk Studies United Kingdom

Éireann Leverett is a regular speaker at computer security conferences such as FIRST, BlackHat, Defcon, Brucon, Hack.lu, RSA, and CCC; and also a regular speaker at insurance

and risk conferences such as Society of Information Risk Analysts, Onshore Energy Conference, International Association of Engineering Insurers, International Risk Governance Council, and the Reinsurance Association of America. He has been featured by the BBC, The Washington Post, The Chicago Tribune, The Register, The Christian Science Monitor, Popular Mechanics, and Wired magazine.

Mr Leverett continually studies computer science, cryptography, networks, information theory, economics, and magic history. He is also fascinated by zero knowledge proofs, firmware and malware reverse engineering, and complicated network effects such as Braess' and Jevon's Paradoxes. He has worked in quality assurance on software that runs the electric grid, penetration testing, and academia. He likes long binwalks by the hexdumps with his friends.

He also serves in an advisory role to ENISA: on the industrial control systems and smart grid security experts group.

He was part of a multidisciplinary team that built the first cyber risk models for insurance with Cambridge University Centre for Risk Studies and RMS.

Aaron Martin

Oxford Martin Associate University of Oxford United Kingdom

Aaron Martin is an Oxford Martin Associate at the University of Oxford's Global Cyber

Security Capacity Centre and a Vice President of Global Technology at JPMorgan Chase in

NYC. He is also a member of the NY Cyber Task Force convened by Columbia University’s

School of International and Public Affairs. He was previously an analyst at the OECD, where

he concentrated on cybersecurity policy and security metrics. He has a PhD in Information

Systems & Innovation from the London School of Economics. Further information about

Aaron’s experience, research and expertise can be found at http://sixfouronea.net.

Jérôme Notin

General Manager ACYMA France

After an experience of more than twenty years in the private sector where Jérôme participated in the creation and the development of start-ups in the world of computer security, Jérôme joined the French National Cyber Security Agency in 2016.

His role was to design and build the structure of the Public-Private Partnership (GIP ACYMA) which is created today. Since its birth in March 2017, Jérôme is the general manager of the GIP ACYMA

Elettra Ronchi

Senior Policy Analyst OECD France

Elettra Ronchi, PhD, MPP, is Senior Policy Analyst in the Science, Technology and Innovation Directorate at the Organisation for Economic Co-operation and Development (OECD) in Paris where since 2015 she is Head of Unit, coordinating work on data governance and security risk management in the digital economy. Elettra Ronchi has more than 20 years of experience as policy analyst, evaluating the

instruments available to governments to improve the public benefits from investments in

health, science and technology. Since 2006 she has led work on e-health, including the

development of international measures and approaches to benchmarking progress in this

sector. From 2013 to 2015 Elettra has coordinated G7 OECD work on dementia, Big Data

and open science and more recently, the development of an OECD Council

Recommendation on Health Data Governance.

Elettra Ronchi started her policy career in 1993 as consultant for the United Nations

Development Programme. Before joining the international civil service she held academic research and teaching positions in the US and France. She received her PhD from the Rockefeller University/Cornell Medical School (US), and MPP from the University of York (UK).

Matthew Shabat

Cybersecurity Strategist and Performance Manager Department of Homeland Security United States

Since starting at the Department of Homeland Security in 2008, Matt has served in several cybersecurity policy and strategy roles. Subsequently, he became the Director of Performance Management within the DHS Office of Cybersecurity and Communications where he contributes to strategic planning and oversees associated program performance. Active projects include analyzing the costs of a cyber incident and leadership of an ongoing cyber insurance and risk management data repository dialogue. In Spring 2017, he was selected as a finalist for the (ISC)2 U.S. Government Information Security Leadership Award for process or policy improvement related to his work on the Cyber Incident Data and Analysis Repository. Matt graduated from The George Washington University’s Elliott School of International Affairs with a M.A. in Security Policy Studies. Prior to returning to graduate school, he practiced corporate, mergers and acquisitions, and securities law with Mayer Brown LLP in Chicago. Matt earned his J.D. from the University of Pennsylvania Law School and he received his B.A. from Stanford University.

Blair Stewart

Assistant Privacy Commissioner Office of the Privacy Commissioner New Zealand

Mr Blair Stewart is Assistant Commissioner with the Office of the Privacy Commissioner, New Zealand, with principal responsibilities in relation to international policy and for regulation (codes of practice). Blair is New Zealand’s delegate to the APEC Electronic Commerce Steering Group Data Privacy Subgroup (ECSG DPS) and the OECD Working Party on Security and Privacy in the Digital Economy (SPDE). Blair contributes to the work of a number of networks of privacy and data protection authorities. He was involved in the establishment of the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN) and was on their governance bodies for several years. Since 2014 Blair has served as the Secretariat for the International Conference of Data Protection and Privacy Commissioners. Blair regularly participates in the Asia Pacific Privacy Authorities (APPA) Forum. Blair is currently convenor of the ICDPPC Data Protection Metrics Working Group and the APPA Comparative Privacy Statistics Working Group.

Mika Susi

Chief Policy Advisor at the Executive Office Confederation of Finnish Industries Finland

Mr. Susi has over 15 years of experience on security and risk management both from public

and private sectors. Mr. Susi has a masters degree in political science and has studied

leadership and management and has also a diploma in law enforcement studies. He has

worked with wide range of security issues including counter terrorism and industrial and

personnel security.

Mr. Susi works as chief policy adviser at the Confederation of Finnish industries and is also

the chairman of the board of corporate security. Currently he is focusing on developing

Finnish corporate security framework model and its implementing in versatile organizations

including SME´s and public organizations.

He is a member of several advisory bodies of security related projects and is also known as

lecturer in cybersecurity and corporate espionage related issues.

Dan Tofan

Cybersecurity Expert ENISA Greece

Dr. Dan Tofan is a cyber-security expert, with more than 10 years of experience, gathered in

EU level institutions or working groups, national governmental agencies as well as in the

academic and private sectors. He holds a PhD in computer science as well as a number of

international certifications in the areas of cyber security and project management. Since May

2015, he joined ENISA as an expert, being responsible for all mandatory incident reporting

activities developed by the Agency in areas like telecom, trust service providers and NIS

directive.

Dr Shaun Wang

Director, Insurance Risk and Finance Research Nanyang technological University Singapore

Professor Shaun Wang is Director of the Insurance Risk and Finance Research Centre,

Nanyang Technological University in Singapore. He is currently leading the Cyber Risk

Management Project (CyRiM), which is a university-government-industry partnership with

the Monetary Authority of Singapore, Cyber Security Agency of Singapore, and several

global insurance companies.

Professor Wang has rich academic and industry experience. He held the position of Deputy

Secretary General & Head of Research of The Geneva Association from 2013-2015. He was

Thomas P. Bowles Chair Professor at Georgia State University (2004-2013), Research

Director at SCOR (1997-2004), and Assistant professor at the University of Waterloo (1994-

1997).

Professor Wang has published numerous papers in top actuarial and insurance journals and

received several international awards. He is the inventor of the "Wang Transform", a widely-

cited formula for pricing risks. He served as Editor of the ASTIN Bulletin. He led several

international symposiums on risk and capital. He delivered a Capitol Hill briefing in

Washington D.C. on “The Financial Crisis and Lessons for Insurers” in 2009. He has a Ph.D.

from University of Waterloo and B.Sc. from Peking University. He is Fellow of the Casualty

Actuarial Society and Chartered Enterprise Risk Analyst.

Matthias Weber

Group Chief Underwriting Officer Swiss Re Switzerland

Matthias Weber started his career at Swiss Re in Zurich in 1992 as an expert for natural perils. He moved to the Swiss Re Americas Division in 1998 and in 2000 became Regional Executive for the Western Region of the United States located in San Francisco. From 2001, he was responsible for property underwriting in the US Direct Business Unit, and in 2005 was named Head of the Americas Property Hub in Armonk. From 2008, Matthias Weber served as Division Head of Property & Specialty. Matthias Weber was appointed Group Chief Underwriting Officer and member of the Group Executive Committee in April 2012. Matthias Weber, born 1961, is a Swiss and American citizen.

Leigh Wolfrom

Policy Analyst – Insurance expert OECD France

Leigh Wolfrom is a policy analyst in the OECD’s Directorate for Financial and Enterprise Affairs, focused on undertaking research and policy analysis on the financial management of disaster risks. In this role, he has provided analysis and reports to the OECD Insurance and Private Pensions on a variety of disaster risk financing issues, including reports on the financial management of flood risk, financial instruments for managing disaster risks related to climate change and the establishment of OECD guidance on the development of disaster risks financing strategies. Most recently, he has been developing a report on the cyber insurance market which examines the types of coverage available as well as the challenges to the further development of the market. Prior to joining the OECD, Mr. Wolfrom worked in the Financial Sector Policy Branch at the Canadian Department of Finance and at Global Affairs Canada on international financing issues.

Mr. Wolfrom has an M.A. in International Affairs from Norman Paterson School of International Affairs (Carleton University) and a B.A. in Economics from the University of British Columbia.