
CYBERSECURITY RISK MANAGEMENT AND ENTERPRISE RESILIENCE Paul Klumpes 01 October 2016.

Presentation transcript:

1 CYBERSECURITY RISK MANAGEMENT AND ENTERPRISE RESILIENCE Paul Klumpes 01 October 2016

2 Paul Klumpes joins NBS as Professor of Finance and Risk Accounting from EDHEC Business School, Roubaix, France. Prior to that, he was Professor of Accounting at Imperial College London and Professor of Risk Accounting at Nottingham University Business School. He holds an LLB (Hons) from the Open University, and a BCom (Hons), MCom (Hons) and PhD in Accounting from the University of New South Wales. Professor Paul Klumpes, 11/03/2014, NBS

3 Paul has professional experience as an accountant, consults to investor and government organisations, and is associate editor of the Geneva Papers and the International Journal of Banking Finance and Auditing. He is also an Australian CPA and an Honorary Fellow of the Institute of Actuaries. He has recently become a member of both CFA Society UK and the CFA Institute. Professor Paul Klumpes, 15/10/2013, CFA Society UK Masterclass

4 His research interests cover the inter-relationship of public policy and voluntary reporting, regulation, financial management and control of financial services, particularly related to pensions and life insurance. His recent publications include: Journal of European Law and Economics; Journal of Business; British Actuarial Journal (2010, 2012, 2015*).

5 His recent research, funded by ACCA, examines the relationship of enterprise-wide risk management practices to derivative usage, credit rating and other accounting policy choices related to risk management and risk retention by multinational firms.

6 Paul is currently chair of a risk-reporting working party, is a member of the Actuarial Profession sub-PEC committee on ERM research, and is currently undertaking research on the topic of risk reporting in the financial sector.

7 Presentation outline
1. Key concepts
2. Survey evidence
3. Institutional background
4. Popular myths
5. Alternative perspective
6. Conclusion

8 2014 R&I Conference, 1/6/2014
Basic Concepts
Cybersecurity: protection of information transmitted and stored over the Internet or any other computer network.
Objectives of cybersecurity:
- Protect confidentiality of private information
- Ensure availability of information to authorized users on a timely basis
- Authentication
- Nonrepudiation
- Protect integrity of information (accuracy, reliability, validity)

9 Basic Concepts (cont.)
Cybersecurity risk: the uncertainty of potentially harmful events related to cybersecurity.
Cybersecurity risk management (CRM): the process of managing (reducing) potentially harmful uncertain events due to the lack of effective cybersecurity. CRM is a subset of enterprise risk management.

10 ENTERPRISE RISK MANAGEMENT and ENTERPRISE RESILIENCE
Enterprise risk management (ERM) is the "overall process of managing an organization's exposure to uncertainty with particular emphasis on identifying the events that could potentially prevent the organization from achieving its objectives" (Gordon and Loeb, 2006, p. 175). However, no matter how well managed, organizations may experience major disruptions (e.g., theft of an entire database that contains confidential information on customers). Enterprise resilience represents an organization's ability to adapt to such disruptions, and even to grow in the face of such adversity.

11 2. PwC UK security breach survey
Security breaches increased in 2011. Relative to others, insurers:
- are subject to the most external attacks
- have significant business exposure
- suffer the greatest loss

12 3. Institutional background
Demands for mandatory disclosure of security breaches (Bonner, FT 30/4/14):
- SEC 2011 guidance
- Pressure for the SEC to go further
- KPMG survey shows audit committees dissatisfied with the quality of information
- IFRS: limited requirements (IAS 1, IFRS 7)
Voluntary disclosure only?
- Proprietary theory explanation
- Guidance from regulators, e.g. EU data protection regulation proposals
- Labour Party call for mandatory disclosure
- Impact of the latest big data and cloud computing developments?

13 4. Popular Myths
1. RISK CONCEPT IS WELL UNDERSTOOD*
2. APPLYING COST-BENEFIT ANALYSIS TO CYBERSECURITY THREATS IS VOODOO ECONOMICS*
3. ALL CYBERSECURITY BREACHES HAVE A SIGNIFICANT IMPACT ON ORGANIZATIONS*
4. INFORMATION SHARING REDUCES CYBERSECURITY RELATED PROBLEMS*
5. SOX HAS NO IMPACT ON CYBERSECURITY ACTIVITIES*
6. CYBERSECURITY INSURANCE IS TAKING OFF*

14 1. RISK CONCEPT IS NOT WELL UNDERSTOOD*
RISK METRICS
- Expected loss = (probability of loss) x (amount of loss): the most popular metric in the information security literature
- Probability of no loss
- Probability of largest loss
- Variance (or standard deviation) of losses: the most popular metric in management accounting, economics and finance

15 Figure 1: Different Risk Metrics (Source: Gordon and Loeb, 2006a, p. 98)
Columns: (1) possible losses; (2) probability of loss and (3) = (1) x (2) expected value of the given loss, for Investment A; (4) and (5) = (1) x (4) for Investment B; (6) and (7) = (1) x (6) for Investment C.

Possible loss (1) | A: prob (2) | A: expected (3) | B: prob (4) | B: expected (5) | C: prob (6) | C: expected (7)
$0                | 0.40        | $0              | 0.60        | $0              | 0.15        | $0
$1,000,000        | 0           | $0              | 0           | $0              | 0.60        | $600,000
$2,000,000        | 0.60        | $1,200,000      | 0           | $0              | 0.15        | $300,000
$3,000,000        | 0           | $0              | 0.40        | $1,200,000      | 0.10        | $300,000

Expected value of losses: Investment A = sum of column (3) = $1,200,000; Investment B = sum of column (5) = $1,200,000; Investment C = sum of column (7) = $1,200,000. Investments A, B and C have equal expected value of loss.

16 Figure 1: Different Risk Metrics (Source: Gordon and Loeb, 2006a, p. 98)
Columns: (1) possible losses; (2) probability of loss and (3) = (1) x (2) expected value of the given loss, for Investment A; (4) and (5) = (1) x (4) for Investment B; (6) and (7) = (1) x (6) for Investment C.

Possible loss (1) | A: prob (2) | A: expected (3) | B: prob (4) | B: expected (5) | C: prob (6) | C: expected (7)
$0                | 0.40        | $0              | 0.60        | $0              | 0.15        | $0
$1,000,000        | 0           | $0              | 0           | $0              | 0.60        | $600,000
$2,000,000        | 0.60        | $1,200,000      | 0           | $0              | 0.15        | $300,000
$3,000,000        | 0           | $0              | 0.40        | $1,200,000      | 0.10        | $300,000

Expected value of losses: Investment A = sum of column (3) = $1,200,000; Investment B = sum of column (5) = $1,200,000; Investment C = sum of column (7) = $1,200,000. Investments A, B and C have equal expected value of loss, yet they differ on the other metrics: smallest probability of the largest loss (Investment A: 0, versus 0.40 and 0.10); largest probability of no loss (Investment B: 0.60); smallest variance of losses (Investment C).
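The point of Figure 1 is that expected loss alone cannot distinguish the three investments, while the other metrics from slide 14 can. The following is an added worked example, not code from the presentation or from Gordon and Loeb; it encodes the Figure 1 table as three discrete loss distributions and computes all four metrics exactly (using fractions rather than floats so the dollar figures come out whole). The helper names are my own.

```python
from fractions import Fraction

# Constructed from the Figure 1 table as transcribed on the slide:
# possible loss in dollars -> probability of that loss, per investment.
INVESTMENTS = {
    "A": {0: Fraction("0.40"), 1_000_000: Fraction(0), 2_000_000: Fraction("0.60"), 3_000_000: Fraction(0)},
    "B": {0: Fraction("0.60"), 1_000_000: Fraction(0), 2_000_000: Fraction(0), 3_000_000: Fraction("0.40")},
    "C": {0: Fraction("0.15"), 1_000_000: Fraction("0.60"), 2_000_000: Fraction("0.15"), 3_000_000: Fraction("0.10")},
}


def check_distribution(dist):
    """A loss distribution is only meaningful if it is a proper probability mass."""
    if any(p < 0 for p in dist.values()):
        raise ValueError("negative probability")
    total = sum(dist.values())
    if total != 1:
        raise ValueError(f"probabilities sum to {total}, not 1")


def expected_loss(dist):
    # Columns (3)/(5)/(7) summed: sum over (possible loss) x (probability of that loss)
    check_distribution(dist)
    return sum(loss * p for loss, p in dist.items())


def probability_of_no_loss(dist):
    return dist.get(0, Fraction(0))


def probability_of_largest_loss(dist):
    # "Largest loss" means the largest loss amount listed in the table.
    return dist[max(dist)]


def variance_of_losses(dist):
    mean = expected_loss(dist)
    return sum(p * (loss - mean) ** 2 for loss, p in dist.items())


def risk_metrics(dist):
    return {
        "expected_loss": expected_loss(dist),
        "p_no_loss": probability_of_no_loss(dist),
        "p_largest_loss": probability_of_largest_loss(dist),
        "variance": variance_of_losses(dist),
    }


def best_on_each_metric(investments):
    """For each metric, name the investment that looks best on it: smallest expected
    loss, largest probability of no loss, smallest probability of the largest loss,
    smallest variance. Ties resolve to the first name in table order."""
    m = {name: risk_metrics(d) for name, d in investments.items()}
    return {
        "expected_loss": min(m, key=lambda n: m[n]["expected_loss"]),
        "p_no_loss": max(m, key=lambda n: m[n]["p_no_loss"]),
        "p_largest_loss": min(m, key=lambda n: m[n]["p_largest_loss"]),
        "variance": min(m, key=lambda n: m[n]["variance"]),
    }


if __name__ == "__main__":
    for name, dist in INVESTMENTS.items():
        print(name, {k: (int(v) if v.denominator == 1 else float(v)) for k, v in risk_metrics(dist).items()})
    print(best_on_each_metric(INVESTMENTS))
```

Running it reproduces the slide: all three expected losses are $1,200,000, while A wins on probability of the largest loss, B on probability of no loss, and C on variance ($0.66 x 10^12 versus $0.96 x 10^12 for A and $2.16 x 10^12 for B). Which metric a decision maker should weight is exactly the "risk concept" question the myth is about; the code only makes the disagreement between metrics visible.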

17 2. APPLYING COST-BENEFIT ANALYSIS TO CYBERSECURITY THREATS IS NOT VOODOO ECONOMICS*
Planning and control of cybersecurity investments:
- The business case
- Postauditing

18 Figure 2: The Business Case for Cybersecurity Investments
1. Specify organizational cybersecurity objectives
2. Identify alternatives for achieving cybersecurity objectives
3. Acquire data and analyze each alternative identified
4. Conduct cost-benefit analysis and rank order the alternatives identified
5. Control (postauditing)
Source: Gordon and Loeb, 2006a, pp. 116 and 131.

19 Figure 3: Postauditing Cybersecurity Investment Timeline (Source: Gordon and Loeb, 2006a)
Events on the timeline, t0 to t4: CFO contracts with CISO; CISO submits cybersecurity investment proposal to CFO; CFO allocates funds for cybersecurity investments to CISO; CISO expends capital and effort; realization of information security breaches; postauditing and payment of incentives.

20 3. MOST CYBERSECURITY BREACHES DO NOT SIGNIFICANTLY IMPACT ORGANIZATIONS*
Empirical evidence:
- Surveys (e.g., CSI/FBI Survey): large absolute dollar amounts of losses
- Campbell et al., 2003 study: most breaches are not statistically significant; the exception relates to breaches of confidentiality

21 4. INFORMATION SHARING REQUIRES ECONOMIC INCENTIVES TO BE EFFECTIVE*
- Potentially valuable
- Free-rider problem: need economic incentives (see Gordon et al., 2003b)

22 5. SOX DOES IMPACT CYBERSECURITY ACTIVITIES
Sarbanes-Oxley (SOX) Act of 2002: Section 302, entitled “Corporate Responsibility for Financial Reports”, requires the CEO and the CFO to take personal responsibility for establishing and maintaining the corporation’s internal controls and for certifying that the financial statements provide an accurate representation of the corporation’s financial condition. Section 404, entitled “Management Assessment of Internal Controls”, requires corporations to include an internal control report with their SEC filing.
SOX and information security activities: although not explicit in SOX or SEC rules, a widely held view is that information and system security is an implicit requirement of the internal control structure and procedures mandated by Sections 302 and 404 of SOX.

23 Figure 4: Impact of the Sarbanes-Oxley Act of 2002 on Information Security (Source: Gordon, Loeb, Lucyshyn, and Sohail, 2006)
Figure elements: CEO, CFO, CIO/CSO/CISO; financial systems certification; mandatory disclosures (financial reports, internal controls reports); information system security; voluntary disclosures of security activities (see Figure 5); legend: mandatory / voluntary.

24 Cybersecurity Risk Management and Firm Value
A. Empirical evidence: voluntary disclosure of information security activities (including investments and internal control) leads to increased firm value (Gordon, Loeb and Sohail, 2006)
B. Analytical model: auditing cybersecurity investments leads to enhanced firm value (Gordon, Loeb, and Zhou, 2006)

25 6. CYBERSECURITY INSURANCE IS SLOW TO TAKE OFF*
Organization’s perspective:
- Assess whether cybersecurity insurance is needed
- Evaluate available insurance policies
- Select the appropriate policy
Insurance company’s perspective:
- Pricing: need more actuarial data
- Adverse selection
- Moral hazard
Empirical evidence:
- CSI/FBI Survey
- AIG market entry (FT, 23/4/14)

26 Figure 6: Cybersecurity Risk Management Assessment and Control Framework
Flow: organizational objectives; identify cybersecurity risk; manage cybersecurity risk via efficient use of resources, internal controls, information sharing, technical improvements, and behavioral/organizational improvements; estimate residual risk.
Decision points: Is the risk level acceptable? (yes/no); Need to further reduce risk via insurance? (yes/no), leading to cybersecurity insurance.
Ongoing: cybersecurity risk control and response (e.g., intrusion detection systems, cybersecurity auditing, corrective actions).
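Steps 3 and 4 of Figure 2 (analyze each alternative, then rank by cost-benefit) and the residual-risk decision points of Figure 6 fit together in a few lines of arithmetic. The following is an added illustration of my own, not code from the presentation or from Gordon and Loeb: it assumes the benefit of a control is the reduction in expected loss it buys (one common cost-benefit convention, not something the slides prescribe), ranks alternatives by net benefit, and then applies a simple risk-appetite threshold as the "Is risk level acceptable?" test. All loss figures, costs and control names are constructed for the example.

```python
from fractions import Fraction

# Constructed data: the baseline loss distribution for one exposure
# (dollars -> probability) before any new control, and three hypothetical
# alternatives, each with an annual cost and the loss distribution the
# organization estimates would remain once that control is in place.
BASELINE = {0: Fraction("0.50"), 1_000_000: Fraction("0.30"), 5_000_000: Fraction("0.20")}

ALTERNATIVES = {
    "intrusion detection":     {"cost": 150_000, "residual": {0: Fraction("0.70"), 1_000_000: Fraction("0.20"), 5_000_000: Fraction("0.10")}},
    "staff security training": {"cost":  60_000, "residual": {0: Fraction("0.60"), 1_000_000: Fraction("0.30"), 5_000_000: Fraction("0.10")}},
    "full network redesign":   {"cost": 900_000, "residual": {0: Fraction("0.85"), 1_000_000: Fraction("0.10"), 5_000_000: Fraction("0.05")}},
}


def expected_loss(dist):
    if sum(dist.values()) != 1:
        raise ValueError("probabilities must sum to 1")
    return sum(loss * p for loss, p in dist.items())


def rank_alternatives(baseline, alternatives):
    """Figure 2, step 4 (under the stated assumption): benefit = reduction in
    expected loss relative to the baseline, net benefit = benefit - cost.
    Returns the alternatives ordered by net benefit, highest first."""
    base = expected_loss(baseline)
    rows = []
    for name, alt in alternatives.items():
        benefit = base - expected_loss(alt["residual"])
        rows.append({
            "name": name,
            "cost": alt["cost"],
            "benefit": benefit,
            "net_benefit": benefit - alt["cost"],
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


def residual_risk_decision(residual, appetite):
    """Figure 6 decision points, with risk appetite expressed as the largest
    expected residual loss the organization will accept (an assumption of this
    example). If residual risk is within appetite the framework continues to
    control and response; otherwise the next question is whether to reduce
    the remaining risk further via insurance."""
    remaining = expected_loss(residual)
    acceptable = remaining <= appetite
    return {
        "expected_residual_loss": remaining,
        "acceptable": acceptable,
        "next_step": "control_and_response" if acceptable else "evaluate_insurance",
    }


if __name__ == "__main__":
    for row in rank_alternatives(BASELINE, ALTERNATIVES):
        print(f"{row['name']:<24} cost ${row['cost']:>9,}  benefit ${int(row['benefit']):>9,}  net ${int(row['net_benefit']):>9,}")
    for name, alt in ALTERNATIVES.items():
        print(name, residual_risk_decision(alt["residual"], appetite=500_000))
```

With these constructed numbers the baseline expected loss is $1,300,000; intrusion detection ranks first on net benefit ($450,000), narrowly ahead of training ($440,000), while the network redesign removes the most risk but nets only $50,000 after its cost. The second function then shows why ranking is not the end of the procedure: at a $500,000 appetite only the redesign leaves an acceptable residual, so the top-ranked option would still send the organization to Figure 6's insurance question.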

27 5. Alternative perspective
The definition of cyber risk, especially the part about integrity of information, seems to cover retention of data and hence system crashes, which overlaps with business continuity risks. A clearer definition of what exactly is covered by cyber risk is needed. For instance, you need to be more specific about the information that needs to be protected: not just that of the customer, but that of the company including its IP; corporate espionage is a big issue (e.g. Renault). It is not just information that needs to be protected, but also assets (hackers could divert funds to their own accounts, for example) and systems (e.g. denial of service attacks).

28 Confused?

29 5. Alternative perspective
Sometimes hackers may not target a company's systems directly but use them to attack other systems (e.g. botnet attacks). At other times hackers may not be targeting anything in particular but are doing so for fun, though there is a serious impact from any breach of system integrity. There may be a number of systems and interfaces; a big issue at present relates to the security of systems accessed by smartphones; and sometimes fraudsters may not target the system at all but seek to steal data through phishing. As well as external hackers, internal fraud is also a problem, and in some cases external hackers may seek to breach systems by placing a "mole" on the staff of a firm. As well as deliberate attempts to steal data, data can also be lost (e.g. lost laptops or disks) or sent to the wrong persons. There is an internal as well as an external dimension to cyber risk.

30 5. Alternative perspective
Basel II/III promotes a “bottom up” view of operational risk, and hence cyber risk is less important? Insurance may not take off because a lot of the impacts, in terms of reputation and IP, are difficult to quantify. It could usefully be highlighted what costs may be borne by others:
- Eg 1: after the recent theft of customer data from Target in the US, banks will cover the cost of issuing new cards etc. They will also be first in line for credit card fraud losses, though if the fraud can be attributed to the firm which had data stolen, then that firm may have to pick up the cost.
- Eg 2: Target’s head of data security (CISO) resigned; the CISO needs to have the ear of the C-suite or board of directors (FT, 28/4/14).

31 Concluding Comments
Cybersecurity risk management is a fundamental concern to all organizations in a digital economy and is an important subset of enterprise risk management. However, existing bottom-up perspectives (e.g. Basel II/III) do not facilitate corporate governance effectiveness in monitoring. Economic analysis can, and should, play an important role in cybersecurity risk management (CRM). Uncertainty needs to be built into these models, and not used as an excuse for avoiding careful economic analysis (i.e., this is not voodoo economics). However, applying economic analysis is best viewed as a complement to, rather than a substitute for, other approaches (e.g., technical and behavioral solutions) for CRM.

32 6. Conclusion and recommendation
- Study “best practices” to help derive the right amount to spend on cybersecurity.
- Develop models and study “best practices” for assessing the appropriate use of cybersecurity:
  - Sustainable compliance linking IT governance to corporate governance
  - Apply “top down” risk classification methods to improve the risk profile of cyber risk versus other types of operational risk (Kelliher et al 2012 – SWIFT)
  - Apply the contingency view of cybersecurity risk management to Solvency II implementation
- Examine the broader relation among cybersecurity budgeting, performance, compliance and managerial incentives.
- Business case study of the Bank of England initiative on penetration testing of key London-based financial firms (CREST).

33 Expressions of individual views by members of the Institute and Faculty of Actuaries and its staff are encouraged. The views expressed in this presentation are those of the presenter.
Questions / Comments

