The 4th webinar is being hosted by the European Confederation of Directors' Associations (ecoDa), AIG, and the Federation of European Risk Managers' Associations (FERMA) and in close cooperation with the Internet Security Alliance (ISA).
It includes a Risk Manager's perspective on the necessity of providing organisations with decision-support tools for mitigation and recommendations for risk transfer.
EU/US boards’ approach to cyber risk governance - webinar presentation
1. Philippe Cotelle, Head of Insurance Risk Management, Airbus Defence and Space
Mark Camillo, Head of Cyber EMEA, AIG
The Honorable John P. Carlin, Assistant Attorney General for National Security, U.S. Department of Justice
Mark Hughes, President, BT Security, BT Global Services
2. The Honorable John P. Carlin, Assistant Attorney General for National Security, United States Department of Justice
3. A European perspective on the security landscape.
Mark Hughes, BT Security. 14th October 2016.
Mark Hughes, CEO of BT Security.
4. The European threat and how to counter it.
Traditional security is not enough.
• Lack of preparation for new technological challenges such as cloud, Big data and shadow IT.
We need to… focus on the protection of data.
Complexity is growing.
• The threat, the countermeasures and the technologies are all growing in complexity.
We need to… forge strategic alliances with peers and security partners.
Scarcity of skills.
• Cyber skills shortage across the EU.
We need to… develop strong recruitment and training programmes.
A lack of focus on EU needs.
• Uncertainty over future legal and commercial frameworks.
We need to… invest in EU relevant solutions.
5. The EU Digital Single Market – enabling digital transformation.
• Sets the highest standards globally.
• Requires European companies, and non-EU companies operating in the EU region, to mobilise leading security professionals and resources to comply with these new requirements.
• European security vendors and service providers will have to quickly adapt to demanding customer requirements.
6. What will make a difference?
• Embedding security in the early stages of new product or service development.
• Influencing key business stakeholders.
• Having a holistic view of company risk.
• Developing vendor/supplier partnerships to build reference architectures.
• Getting full collaboration of internal and external stakeholders.
• Move to predictive vs. reactive.
8. Risk Managers' contribution to business valuation with digital risk management
Benefits for the Boards and external stakeholders: investors, shareholders, public, regulators…
Philippe Cotelle, Head of Insurance and Risk Management of Airbus Defence & Space, VP of AMRAE IT Commission
9. Cybersecurity and business valuation
One of the key concerns for Boards:
• Business valuation
• Trust and reputation
Digital risks are affecting both business valuation and trust by the public:
• Fast-paced and evolving, impact across functions
• Once disclosed, high sensitivity of investors and public opinion
• Regulatory pressure in Europe to disclose more transparently on incidents: NIS directive, Data Protection regulation
Digital risks are therefore also a key concern for the Boards.
10. Risk managers' proposition on digital risk management 1/2
Once aware of possible impacts on business valuation:
• Boards should be able to find and support internally the capabilities to respond to this challenge
• Boards should send a key message towards external stakeholders
To move towards a strategic advisor role:
• Risk managers need to link their work to Boards' preoccupations
• Risk managers need to propose solutions relevant for Boards and talk the same language across functions
11. Risk managers' proposition on digital risk management 2/2
The Risk Management profession…
• Is currently evolving to propose a cross-function digital risk management…
• Gathering representatives of all functions…
• To start an open dialogue on scenarios and exposure
Provide a rationale for a mitigation strategy with a methodology to…
• Identify the scenarios linked to cyber-events (risk identification)
• Assess their financial costs and likelihood (risk assessment)
• Justify the prevention plan with IT investments and the protection plan with captive and insurance, which are complementary and not competitive (risk response)
12. Challenges ahead for the profession
Development of high-quality indicators and metrics to support the investment decisions on cyber security:
• Accepted indicators and metrics across functions (accounting, IT, legal) and partners (insurance, loss adjuster, public authorities)
• Accepted scenario analysis and possible damages, converted into financial terms
• Accepted terminology and definitions across functions
Proposed research projects on a new digital risk management methodology:
• At EU (Horizon2020 public funding, cyber public-private partnerships) and OECD level (within specialised working parties)
• Gathering academics, businesses like AIRBUS and professional organisations like FERMA
• Possible start in 2017
13. 1 thing to remember
We are convinced that high-quality digital risk management will contribute to business valuation.
Thank you!
16. Develop & Quantify Cyber Loss Scenarios
Identify several high-impact, notional, feasible cyber loss scenarios specific to your organization/operations.
Estimate impact for selected scenarios using a structured impact taxonomy:
• Four quadrant model
• All impacts from any cyber event can be categorized into these quadrants
[Impact Framework diagram: Exposure Quantification step; quadrants 1st Party / 3rd Party × Financial Damages / Tangible Damages]
17. Four Generic Starter Scenarios
Data Theft: Customer & employee bank account info (ACH), credit cards, & other identity information is stolen (SSNs, address). Proprietary exploration & financial data is also suspected to be stolen.
Data Destruction: A Shamoon-style attack deletes hard drive contents on every desktop and laptop computer in the enterprise overnight. Business operations are severely impacted for 2 (or more) weeks while machines are either replaced/restored.
Network Disruption: Attacker compromises network communications used to control field assets. Production operations are impacted due to inability to control remote assets.
ICS Attack: Stuxnet-like malware infects industrial control systems. Attacker overtakes control of key valves and pressurization equipment leading to disruption in operation and major spill of petroleum products.
18. Top Quadrants: Financial Damages
Some of these impacts are data-breach centric; many could apply to any event.
1st Party Financial Damages:
• Response costs: forensics, notifications, credit monitoring
• Legal: advice and defense
• Public Relations: minimizing brand damage
• Revenue losses from network or computer outages, including cloud
• Cost of restoring lost data
• Cyber extortion expenses
• Value of intellectual property
3rd Party Financial Damages:
3rd Parties may seek to recover:
• Consequential revenue losses
• Restoration expenses
• Legal expenses
• Shareholder losses
• Other financial damages
3rd Party Entities may issue or be awarded civil fines and penalties.
19. Bottom Quadrants: Tangible Damages
These impacts are of increasing concern to all companies, especially critical infrastructure.
1st Party Tangible Damages:
• Mechanical breakdown of your equipment
• Destruction or damage to your facilities or other property
• Environmental cleanup of your property
• Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
• Bodily injury to your employees
3rd Party Tangible Damages:
• Mechanical breakdown of others' equipment
• Destruction or damage to others' facilities or other property
• Environmental cleanup of others' property
• Bodily injury to others
20. Review & Stress Test Insurance Portfolio
Review all insurance policies to understand cyber coverage or exclusion.
Stress test insurance portfolio with the loss scenarios.
[Diagram: steps Exposure Quantification → Insurance Analysis and Stress Test, over the 1st Party / 3rd Party × Financial / Tangible quadrants]
[Policy Language Review table, with an Uncertainty axis: Cyber Inclusion ranges from Affirmative (favorable) to None; Cyber Exclusion from None through Partial to Strong/clear (i.e., CL-380)]
21. Traditional Policies May Cover Cyber Impacts
Analysis is required to fully understand how such policies are likely to respond.
• Affirming language or cyber is a listed peril
• All risk and no cyber exclusions (silence)
• Debatable cyber or electronic data exclusions
• Definitive cyber exclusion (NMA-2914 or CL-380)
[Quadrant diagram: 1st Party / 3rd Party × Financial / Tangible, with the traditional policies below placed in the quadrants they may respond to]
• Crime
• Fidelity
• Kidnap & Ransom
• Technology E&O
• Miscellaneous E&O
• Product Recall
• Directors & Officers
• Property
• Workers Comp
• Terrorism
• Umbrella
• Auto
• General Liability
• Excess Liability
• Umbrella
• Pollution
• Terrorism
• Product Liability
AIG CyberEdge
AIG CyberEdge PC/Plus
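The scenario quantification and portfolio stress test described on slides 16 to 21, as an added example that is not part of the webinar or of AIG's material: each scenario's loss is estimated per quadrant of the four-quadrant model, then run against a portfolio whose wording per quadrant is classed as affirmative, silent, debatable or excluded (the categories on slide 21). The policy names are taken from slide 21 and the scenario names from slide 17; the limits, loss figures and which policy responds to which quadrant are constructed assumptions.

```python
"""Added example (not the webinar's or AIG's code): stress-test an insurance
portfolio against cyber loss scenarios using the slides' four-quadrant impact
taxonomy and slide 21's coverage-language classes. All figures are constructed."""
QUADRANTS = ("1st_financial", "3rd_financial", "1st_tangible", "3rd_tangible")
AFFIRMATIVE, SILENT, DEBATABLE, EXCLUDED = "affirmative", "silent", "debatable", "excluded"

def stress_test(impact, policies):
    """Returns per quadrant: gross loss, covered (affirmative wording, within the
    policy's remaining limit), uncertain (silent or debatable wording) and gap.
    policies: (name, limit, {quadrant: class}); a missing quadrant means excluded."""
    remaining = {name: limit for name, limit, _ in policies}
    result = {}
    for q in QUADRANTS:
        gross = impact.get(q, 0.0)
        covered = uncertain = 0.0
        # Affirmative policies respond first; silent/debatable ones take what is left.
        for name, _, language in sorted(policies, key=lambda p: p[2].get(q) != AFFIRMATIVE):
            lang = language.get(q, EXCLUDED)
            pay = min(gross - covered - uncertain, remaining[name])
            if lang == EXCLUDED or pay <= 0:
                continue
            remaining[name] -= pay  # one limit is shared across all quadrants
            if lang == AFFIRMATIVE:
                covered += pay
            else:
                uncertain += pay
        result[q] = {"gross": gross, "covered": covered, "uncertain": uncertain,
                     "gap": gross - covered - uncertain}
    return result

def summarize(scenarios, policies):
    """Scenario name -> (total uninsured gap, total resting on uncertain wording)."""
    out = {}
    for name, impact in scenarios.items():
        r = stress_test(impact, policies).values()
        out[name] = (sum(v["gap"] for v in r), sum(v["uncertain"] for v in r))
    return out

# Constructed sample portfolio and scenarios; names follow slides 17 and 21.
PORTFOLIO = [
    ("Cyber", 5e6, {"1st_financial": AFFIRMATIVE, "3rd_financial": AFFIRMATIVE}),
    ("Property", 20e6, {"1st_tangible": DEBATABLE}),
    ("General Liability", 10e6, {"3rd_tangible": SILENT}),
    ("Directors & Officers", 10e6, {"3rd_financial": EXCLUDED}),
]
SCENARIOS = {
    "Data Theft": {"1st_financial": 4e6, "3rd_financial": 3e6},
    "Data Destruction": {"1st_financial": 8e6},
    "ICS Attack": {"1st_tangible": 12e6, "3rd_tangible": 15e6},
}
```

The amount booked as "uncertain" is the part of the exposure that depends on debatable or silent wording, which is exactly what the policy language review on slide 20 is meant to resolve before the board relies on it.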