CHALLENGES IN MANAGING CYBER RISKS
A DEVELOPING FRAMEWORK TO EXPLAIN HOW ORGANIZATIONS
ARE TRYING TO MANAGE CYBERSECURITY RISK
JAMES T DEIOTTE
AUGUST 2017
AGENDA: SECTION HEADINGS
1. CURRENT CLIMATE: Losses from cyber-attacks increase
2. CHANGING CONDITIONS: Other changes taking place that may have greater impact beyond costs
3. MOVING BEYOND COSTS: This shift has expanded the stakeholder group
4. RESPONSE OF THE AICPA: Framework for reporting on cyber risk management
5. TECHNOLOGY SOLUTIONS: Creating the cybersecurity ecosystem
SECTION 1
CURRENT CLIMATE
LOSSES FROM CYBER-ATTACKS INCREASE
CYBER RISK EXPANSION IS ON FIRE
• Fuel
  • Complexity and interconnectivity that has caused stakeholder expansion
  • Human nature
• Heat
  • Press and political pressure
  • Regulatory and legislative responses globally
• Oxygen
  • Aggressive nature of hackers
  • Expanding use of new products under IoT
• Prevention
  • Need for improved risk management – a different and holistic approach with a focus on people
  • Need for comprehensive and enabling technologies
COMPANIES ARE JUST LEARNING THEY ARE UNDERINSURED
GAP BETWEEN COVERAGE AND DAMAGES WIDENS
• Target Corp announced that its 2013 breach will cost an estimated $230 million; insurance coverage was $90 million
• Home Depot expects $232 million in expenses; insurance coverage was $100 million
• Anthem ran into difficulties in coverage after an attack compromised 70 million records; future insurance coverage requires Anthem to pay the first $25 million in any future attacks
VULNERABILITY
• “37.2% of U.S. organizations had a botnet grade of ‘B’ or lower,” meaning these organizations have a higher likelihood of experiencing a publicly disclosed data breach. Source: Global Security Performance: How Do Top Nations Stack Up?
• “Companies with a rating of 400 or lower are five times more likely to have a breach than those with a rating of 700 or more.” Source: BitSight Security Ratings Correlated To Breaches
• “Crypto-style ransomware grew 35 percent in 2015.” Source: Symantec 2016 Internet Security Threat Report
• “Education accounted for 6.6 percent of all reported cybersecurity incidents in 2015.” Source: 2016 Internet Security Threat Report from Symantec
• “99% of computer users are vulnerable to exploit kits (software vulnerabilities).” Source: Heimdal Security
• “59% of employees steal proprietary corporate data when they quit or are fired.” Source: Heimdal Security
• “28% of organizations have experienced an advanced persistent threat attack, and three-quarters have failed to update their third-party vendor contracts to include better protection against APTs.” Source: 2015 Advanced Persistent Threat Awareness Study, as quoted in Trustwave Security Stats
• “63% of businesses don't have a ‘fully mature’ method to track and control sensitive data.” Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats
BREACH STATISTICS
• In 2016, there have been 454 data breaches with nearly 12.7 million records exposed. Source: 2016 Identity Theft Resource Center Data Breach Category Summary
• “In 93% of breaches, attackers take minutes or less to compromise systems.” Source: 2016 Data Breach Investigations Report from Verizon
• “Four out of five victims [of a breach] don’t realize they’ve been attacked for a week or longer.” Source: 2016 Data Breach Investigations Report from Verizon
• “In 7% of [breach] cases, the breach goes undiscovered for more than a year.” Source: 2016 Data Breach Investigations Report from Verizon
• “30% of phishing emails are opened. And about 12% of targets go on to click the link or attachment.” Source: 2016 Data Breach Investigations Report from Verizon
• “In 60% of cases, attackers are able to compromise an organization within minutes.” Source: 2015 Data Breach Investigations Report from Verizon
COST STATISTICS
• “80% of analyzed breaches had a financial motive.” Source: 2016 Data Breach Investigations Report from Verizon
• “68% of funds lost as a result of a cyber attack were declared unrecoverable.” Source: Heimdal Security
• “Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP – using the World Bank’s GDP estimate of $74.9 trillion in 2003, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.” Source: Global State of Information Security Survey 2015 from PwC
• “The U.S. government has spent $100 billion on cybersecurity over the past decade, and has $14 billion budgeted for cybersecurity in 2016.” Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes
• “The cyber insurance market—mainly a U.S. market—has grown from $1 billion to $2.5 billion over the past two years, and it is expected to grow dramatically and expand globally over the next five years.” Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes. See also: Security Ratings For Cyber Insurance
• “The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.” Source: 2015 Data Breach Investigations Report from Verizon
CYBER INSURANCE COVERAGE ILLUSTRATED
(Amounts in parentheses are negative.)

| Type of company | Sector | Revenues | Limits | Premium | Premium % of revenues | Limits % of revenue | Coverage for worst case scenario |
|---|---|---|---|---|---|---|---|
| IT CONSULTING & DATA HOSTING PROVIDER | IT | 1,500,000 | 2,000,000 | 3,643 | 0.243% | 133.333% | (500,000) |
| HEALTHCARE SAAS PROVIDER | HC | 2,000,000 | 2,000,000 | 9,398 | 0.470% | 100.000% | 0 |
| HEALTHCARE IT PROVIDER/CONSULTING/PROJECT MANAGEMENT | HC | 4,500,000 | 5,000,000 | 34,600 | 0.769% | 111.111% | (500,000) |
| CALL CENTER | Communications | 20,000,000 | 5,000,000 | 19,800 | 0.099% | 25.000% | 15,000,000 |
| FIBER OPTICS COMMUNICATIONS PROVIDER | Communications | 35,000,000 | 10,000,000 | 47,000 | 0.134% | 28.571% | 25,000,000 |
| INDUSTRY: HEALTHCARE | HC | 25,000,000 | 1,000,000 | 12,900 | 0.052% | 4.000% | 24,000,000 |
| INDUSTRY: EDUCATION | ED | 25,000,000 | 1,000,000 | 6,000 | 0.024% | 4.000% | 24,000,000 |
| INDUSTRY: RETAIL | RETAIL | 50,000,000 | 1,000,000 | 26,000 | 0.052% | 2.000% | 49,000,000 |
| INDUSTRY: E-COMMERCE | IT | 50,000,000 | 1,000,000 | 37,000 | 0.074% | 2.000% | 49,000,000 |
| RESTAURANT | MFG | 50,000,000 | 1,000,000 | 10,000 | 0.020% | 2.000% | 49,000,000 |
| HEALTHCARE IT PROVIDER | HC | 1,200,000 | 5,000,000 | 15,900 | 1.325% | 416.667% | (3,800,000) |
| HEALTHCARE SAAS PROVIDER (STARTUP) | IT | 1,500,000 | 5,000,000 | 30,420 | 2.028% | 333.333% | (3,500,000) |
| ELECTRONIC HEALTH RECORDS (EHR) PROVIDER | HC | 5,000,000 | 1,000,000 | 8,010 | 0.160% | 20.000% | 4,000,000 |
| E-WASTE COMPANY | MFG | 1,500,000 | 2,000,000 | 3,564 | 0.238% | 133.333% | (500,000) |
| PSYCHOLOGIST’S OFFICE | HC | 1,000,000 | 1,000,000 | 1,600 | 0.160% | 100.000% | 0 |
| DOCTOR’S OFFICE | HC | 1,700,000 | 1,000,000 | 1,800 | 0.106% | 58.824% | 700,000 |
| SAAS PROVIDER | IT | 3,000,000 | 200,000 | 6,000 | 0.200% | 6.667% | 2,800,000 |
| FAST FOOD | Consumer | 15,000,000 | 1,000,000 | 9,000 | 0.060% | 6.667% | 14,000,000 |
| DATA STORAGE CENTER | IT | 15,000,000 | 20,000,000 | 120,000 | 0.800% | 133.333% | (5,000,000) |

Source: https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/
SECTION 2
CHANGING CONDITIONS
OTHER CHANGES TAKING PLACE – WHICH MAY HAVE GREATER IMPACT BEYOND COSTS
OTHER CHANGES TO TAKE NOTE OF
• Business and relationship models will change
  • Defense industry and auto industry
• Expansion of stakeholder responsibilities by regulatory authorities
• Aggressive changes in penalty regimes
  • European Union
  • South Africa
BUSINESS MODEL CHANGES
• Push down demands into supply chains, impacting entire industries over the next few years
• Accelerated by the introduction and increasing use of products considered part of the Internet of Things (IoT)
• Mobility transformation in the auto industry will accelerate changes to manufacturers, suppliers and service providers (e.g. repair shops)
CYBER SECURITY IS INTIMIDATING
By Sead Fadilpašić, November 15 2016
GOVERNANCE IS CHANGING
NY DFS REGULATION (500.03) RECENTLY FINALIZED
THE CYBERSECURITY POLICY SHALL BE REVIEWED BY THE COVERED ENTITY’S BOARD OF DIRECTORS OR EQUIVALENT GOVERNING BODY, AND APPROVED BY A SENIOR OFFICER OF THE COVERED ENTITY.
THE CYBERSECURITY POLICY SHALL ADDRESS, AT A MINIMUM, THE FOLLOWING AREAS:
• INFORMATION SECURITY
• DATA GOVERNANCE AND CLASSIFICATION
• ACCESS CONTROLS AND IDENTITY MANAGEMENT
• BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING AND RESOURCES
• CAPACITY AND PERFORMANCE PLANNING
• SYSTEMS OPERATIONS AND AVAILABILITY CONCERNS
• SYSTEMS AND NETWORK SECURITY
• SYSTEMS AND NETWORK MONITORING
• SYSTEMS AND APPLICATION DEVELOPMENT AND QUALITY ASSURANCE
• PHYSICAL SECURITY AND ENVIRONMENTAL CONTROLS
• CUSTOMER DATA PRIVACY
• VENDOR AND THIRD-PARTY SERVICE PROVIDER MANAGEMENT
• RISK ASSESSMENT
• INCIDENT RESPONSE
ARE CHANGES TAKING PLACE FAST ENOUGH?
• If you are in a domain of losses – you will take more risk
• If you are in a domain of gains – you will be more risk averse
EU RESPONSE – ATTEMPT TO CHANGE THE PARADIGM
Yet, EU laws related to identity protections provide the following fine regime:
Non-compliance can lead to an administrative fine up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher! (In some cases the penalty is raised to the greater of €20,000,000 or 4% of global revenues.)

SailPoint Survey Confirms Enterprises have GDPR on their Mind
75 percent recognize the important role identity governance plays within GDPR compliance plans
LONDON, March 7, 2017 – SailPoint, the leader in identity management, surveyed customers and attendees at this week’s Gartner IAM Summit about their plans for meeting compliance requirements associated with the General Data Protection Regulation (GDPR) which goes into effect in 2018. Of approximately 100 survey respondents, 80 percent see GDPR as a priority even if they don’t have a specific plan in place (only 25 percent of respondents have an established plan) to comply with the regulation. Of those who are planning ahead for GDPR, most (75 percent) recognize the important role that identity governance plays in helping them to be GDPR-ready by 2018.
ARE OTHER COUNTRIES FOLLOWING THE EU?
• YES – South Africa is leading and has already enacted the Protection of Personal Information legislation (POPI) that has been signed by the President.
• Failure to comply with the Act can impose on the executive management of public and private sector bodies a personal liability.
SECTION 3
MOVING BEYOND COST
THIS SHIFT HAS EXPANDED THE STAKEHOLDER GROUP
APPRECIATING THE CYBER RELATED CHALLENGES
NOW AN AREA OF FOCUS AND SHARED CONCERNS WITH IT
STAKEHOLDERS
• Shareholders
• Board of directors
• Audit committee
• Chief Executive Officer
• Chief Financial Officer
• Chief Risk Officer
• Chief Information Officer (CIO/CTO)
• Human Resources
• PR/Markets
• Capital markets
• Engineering and manufacturing floor
• Business partners
• Others (supply chain relationships)
MANAGE COSTS
• Protection of strategic information
• Improve insights through analytics
• Manage stakeholder relationships with greater transparency
• Deliver self-provided information with new tools for savvy users
• Manage disruptions
• Help people use their technology-based tools more safely
• Manage cloud solutions
DELIVER VALUE
• Increase productivity of employees through connectivity and collaboration
• Connect complex supply chains across the world
• Agility
• Aligned with, and an enabler of, the business model
• Control costs (server and communication maintenance)
• Deliver actionable information
• Protection of personal information
PROTECT ENTERPRISE VALUE
STAKEHOLDER FOCUS OR AREAS OF CONCERN
SOME OF THE CHANGES - ILLUSTRATED
• Boards – Concern around reputational risk and overall enterprise value
• CEOs – Concerns about protecting their strategies and sensitive information
• Finance teams – Concern around reporting and compliance obligations (Sarbanes-Oxley, etc.)
• HR – Concerns around privacy protections
• Engineers – Concerns around connecting product to suppliers or customers
• Production – Concerns around automation and greater use of robotics
• Financial institutions – Concerns around use of bots, trading algorithms, regulatory and market concerns
SECTION 4
TECHNOLOGY SOLUTIONS
CREATING THE CYBERSECURITY ECOSYSTEM
TALENT LIMITED – BELIEF IN TECHNOLOGY LED SOLUTIONS
HOWEVER, THE INDUSTRY IS MOVING
• The cyber security market is growing
• Global budgets are increasing – but not even close to the increase in losses/insurance
• In 2013 – $1.5 billion in funding was allocated to 240 cyber security firms
• Combinations and consolidations will continue to evolve
  • Dell/EMC/RSA – spin off
  • Palantir in talks about an IPO
• Initiatives observed like the Mach37 Cybersecurity accelerator (https://www.mach37.com/) and interesting collaborations like Lockheed and GE – opening a center in Israel
TECHNOLOGY OFFERS A PROMISING FUTURE
• Simon Crosby, CTO at Bromium, calls machine learning the pipe dream of cybersecurity, arguing that “there’s no silver bullet in security.” What backs up this argument is the fact that in cybersecurity, you’re always up against some of the most devious minds, people who already know very well how machines and machine learning works and how to circumvent their capabilities. Many attacks are carried out through minuscule and inconspicuous steps, often concealed in the guise of legitimate requests and commands.
• https://techcrunch.com/2016/07/01/exploiting-machine-learning-in-cybersecurity/
SECTION 5
RESPONSE OF THE AICPA
FRAMEWORK FOR REPORTING ON CYBER RISK MANAGEMENT
AICPA FRAMEWORK
RELEASED MAY 1, 2017
“The AICPA has developed a framework that will serve as a critical step to enabling a consistent, market-based mechanism for companies worldwide to explain how they’re managing cybersecurity risk,” Coffey explained. “We believe investors, boards, audit committees and business partners will see tremendous value in gaining a better understanding of organizations’ cybersecurity risk management efforts. That information, combined with the CPA’s opinion on the effectiveness of management’s efforts, will increase stakeholders’ confidence in organizations’ due care and diligence in managing cybersecurity risk.”
https://www.aicpa.org/Press/PressReleases/2017/Pages/AICPA-Unveils-Cybersecurity-Risk-Management-Reporting-Framework.aspx
Prevention of security events
• Physical and logical access
• Authentication
  • Credential management
  • Privileged user management
• Database security
  • Data loss prevention
  • Data destruction
  • Data backup
• Virus detection and prevention
  • Firewalls and perimeter security
  • Secure system configuration
  • Intrusion prevention
• Change management
  • Application changes
  • Patch management
Detection of security events
• Response to events
• Mitigation and recovery

Mais conteúdo relacionado

Mais procurados

AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
Bill Besse
 

Mais procurados (17)

Istr19 en
Istr19 enIstr19 en
Istr19 en
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantec
 
The 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseThe 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident Response
 
Protecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email ThreatsProtecting the Oil and Gas Industry from Email Threats
Protecting the Oil and Gas Industry from Email Threats
 
Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New Normal
 
Cyber security market 1
Cyber security market 1Cyber security market 1
Cyber security market 1
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of Directors
 
Estado del ransomware en 2020
Estado del ransomware en 2020Estado del ransomware en 2020
Estado del ransomware en 2020
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformation
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOsGlobal Megatrends in Cybersecurity – A Survey of 1,000 CxOs
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
 
Cyber security market
Cyber security market Cyber security market
Cyber security market
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
 
Security troubles in e commerce website
Security troubles in e commerce websiteSecurity troubles in e commerce website
Security troubles in e commerce website
 
Cybercrime and Corporate Reputation
Cybercrime and Corporate ReputationCybercrime and Corporate Reputation
Cybercrime and Corporate Reputation
 
Cyber threat forecast 2018..
Cyber threat forecast 2018..Cyber threat forecast 2018..
Cyber threat forecast 2018..
 

Semelhante a Cyber risk reporting aicpa framework

FORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for ITFORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for IT
FERMA
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
Dave Darnell
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 
Ransomware Bootcamp with CTEK and GroupSense
Ransomware Bootcamp with CTEK and GroupSenseRansomware Bootcamp with CTEK and GroupSense
Ransomware Bootcamp with CTEK and GroupSense
SophiaPalmira1
 
What Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk AdvisoryWhat Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk Advisory
CR Group
 

Semelhante a Cyber risk reporting aicpa framework (20)

FORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for ITFORUM 2013 Cyber Risks - not just a domain for IT
FORUM 2013 Cyber Risks - not just a domain for IT
 
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
Accounting for Cyber Risks - How much does Cyber actually cost the Industry?
 
Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa
 
CSE 2016 Future of Cyber Security by Matthew Rosenquist
CSE 2016 Future of Cyber Security by Matthew RosenquistCSE 2016 Future of Cyber Security by Matthew Rosenquist
CSE 2016 Future of Cyber Security by Matthew Rosenquist
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
 
NextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingNextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive Briefing
 
Global Threats| Cybersecurity|
Global Threats| Cybersecurity| Global Threats| Cybersecurity|
Global Threats| Cybersecurity|
 
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber AttacksA Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
 
Risk Management on the Internet
Risk Management on the InternetRisk Management on the Internet
Risk Management on the Internet
 
Combating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced AnalyticsCombating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced Analytics
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance
 
Effects of IT Governance Measures on Cyber-attack Incidents
Effects of IT Governance Measures on Cyber-attack IncidentsEffects of IT Governance Measures on Cyber-attack Incidents
Effects of IT Governance Measures on Cyber-attack Incidents
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
 
Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...Data centric security key to digital business success - ulf mattsson - bright...
Data centric security key to digital business success - ulf mattsson - bright...
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Ransomware Bootcamp with CTEK and GroupSense
Ransomware Bootcamp with CTEK and GroupSenseRansomware Bootcamp with CTEK and GroupSense
Ransomware Bootcamp with CTEK and GroupSense
 
CynergisTek’s Ransomware Bootcamp
CynergisTek’s Ransomware BootcampCynergisTek’s Ransomware Bootcamp
CynergisTek’s Ransomware Bootcamp
 
2018 State of Cyber Reslience in Healthcare
2018 State of Cyber Reslience in Healthcare2018 State of Cyber Reslience in Healthcare
2018 State of Cyber Reslience in Healthcare
 
What Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk AdvisoryWhat Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk Advisory
 
Whitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enWhitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_en
 

Mais de James Deiotte

Video creating a harmonised african tax system cnbc africa
Video  creating a harmonised african tax system   cnbc africaVideo  creating a harmonised african tax system   cnbc africa
Video creating a harmonised african tax system cnbc africa
James Deiotte
 

Mais de James Deiotte (20)

Ucsd rady mpac flier 2020 10.20.2020
Ucsd rady mpac flier 2020 10.20.2020Ucsd rady mpac flier 2020 10.20.2020
Ucsd rady mpac flier 2020 10.20.2020
 
Impact of data science in financial reporting
Impact of data science in financial reporting Impact of data science in financial reporting
Impact of data science in financial reporting
 
IMA meeting accounting for big data
IMA meeting accounting for big dataIMA meeting accounting for big data
IMA meeting accounting for big data
 
Security as a Strategy
Security as a Strategy Security as a Strategy
Security as a Strategy
 
Board Governance, Stakeholder Focus and Integrated Reporting
Board Governance, Stakeholder Focus and Integrated Reporting Board Governance, Stakeholder Focus and Integrated Reporting
Board Governance, Stakeholder Focus and Integrated Reporting
 
Challenges faced by transformational leaders in Africa
Challenges faced by transformational leaders in Africa Challenges faced by transformational leaders in Africa
Challenges faced by transformational leaders in Africa
 
Cleveland state university honors presentation
Cleveland state university honors presentationCleveland state university honors presentation
Cleveland state university honors presentation
 
Video creating a harmonised african tax system cnbc africa
Video  creating a harmonised african tax system   cnbc africaVideo  creating a harmonised african tax system   cnbc africa
Video creating a harmonised african tax system cnbc africa
 
Investment in Poland and support programs
Investment in Poland and support programsInvestment in Poland and support programs
Investment in Poland and support programs
 
Taxes in South Africa
Taxes in South AfricaTaxes in South Africa
Taxes in South Africa
 
AICPA Conference - Doing Business in the EU
AICPA Conference - Doing Business in the EU AICPA Conference - Doing Business in the EU
AICPA Conference - Doing Business in the EU
 
EY Africa REIT workshop
EY Africa REIT workshop EY Africa REIT workshop
EY Africa REIT workshop
 
Why there’s underinvestment in Africa
Why there’s underinvestment in AfricaWhy there’s underinvestment in Africa
Why there’s underinvestment in Africa
 
Tax Talk Magazine
Tax Talk MagazineTax Talk Magazine
Tax Talk Magazine
 
E2 Detroit Conference - Starting your business and managing your capital
E2 Detroit Conference - Starting your business and managing your capitalE2 Detroit Conference - Starting your business and managing your capital
E2 Detroit Conference - Starting your business and managing your capital
 
Student conference presentation at Sun City, South Africa
Student conference presentation at Sun City, South Africa Student conference presentation at Sun City, South Africa
Student conference presentation at Sun City, South Africa
 
Creating transformation and value through restructuring EY Africa Tax Confere...
Creating transformation and value through restructuring EY Africa Tax Confere...Creating transformation and value through restructuring EY Africa Tax Confere...
Creating transformation and value through restructuring EY Africa Tax Confere...
 
Building a better working world in africa through entrepreneurship africa tax...
Building a better working world in africa through entrepreneurship africa tax...Building a better working world in africa through entrepreneurship africa tax...
Building a better working world in africa through entrepreneurship africa tax...
 
Wharton School - Overview of Sub Saharan Tax
Wharton School - Overview of Sub Saharan TaxWharton School - Overview of Sub Saharan Tax
Wharton School - Overview of Sub Saharan Tax
 
Doing business in new EU countries
Doing business in new EU countriesDoing business in new EU countries
Doing business in new EU countries
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets

Cyber risk reporting aicpa framework

  • 1. CHALLENGES IN MANAGING CYBER RISKS
    A DEVELOPING FRAMEWORK TO EXPLAIN HOW ORGANIZATIONS ARE TRYING TO MANAGE CYBERSECURITY RISK
    JAMES T DEIOTTE, AUGUST 2017
  • 2. AGENDA – SECTION HEADINGS
    1 CURRENT CLIMATE – Losses from cyber-attacks increase
    2 CHANGING CONDITIONS – Other changes taking place – may have greater impact beyond costs
    3 MOVING BEYOND COSTS – This shift has expanded the stakeholder group
    4 RESPONSE OF THE AICPA – Framework for reporting on cyber risk management
    5 TECHNOLOGY SOLUTIONS – Creating the cybersecurity ecosystem
  • 3. SECTION 1 – CURRENT CLIMATE: LOSSES FROM CYBER-ATTACKS INCREASE
  • 4. CYBER RISK EXPANSION IS ON FIRE
    • Fuel
      • Complexity and interconnectivity that has caused stakeholder expansion
      • Human nature
    • Heat
      • Press and political pressure
      • Regulatory and legislative responses globally
    • Oxygen
      • Aggressive nature of hackers
      • Expanding use of new products under IoT
    • Prevention
      • Need for improved risk management – a different and holistic approach with focus on people
      • Need for comprehensive and enabling technologies
  • 5. COMPANIES ARE JUST LEARNING THEY ARE UNDERINSURED – GAP BETWEEN COVERAGE AND DAMAGES WIDENS
    • Target Corp announced that its 2013 breach will cost an estimated $230 million; insurance coverage was $90 million
    • Home Depot expects $232 million in expenses; insurance coverage was $100 million
    • Anthem ran into difficulties in coverage after an attack compromised 70 million records; future insurance coverage requires Anthem to pay the first $25 million in any future attacks
  • 6. VULNERABILITY
    • “37.2% of U.S. organizations had a botnet grade of ‘B’ or lower”, meaning these organizations have a higher likelihood of experiencing a publicly disclosed data breach. Source: Global Security Performance: How Do Top Nations Stack Up?
    • “Companies with a rating of 400 or lower are five times more likely to have a breach than those with a rating of 700 or more.” Source: BitSight Security Ratings Correlated To Breaches
    • “Crypto-style ransomware grew 35 percent in 2015.” Source: Symantec 2016 Internet Security Threat Report
    • “Education accounted for 6.6 percent of all reported cybersecurity incidents in 2015.” Source: 2016 Internet Security Threat Report from Symantec
    • “99% of computer users are vulnerable to exploit kits (software vulnerabilities).” Source: Heimdal Security
    • “59% of employees steal proprietary corporate data when they quit or are fired.” Source: Heimdal Security
    • “28% of organizations have experienced an advanced persistent threat attack, and three-quarters have failed to update their third-party vendor contracts to include better protection against APTs.” Source: 2015 Advanced Persistent Threat Awareness Study, as quoted in Trustwave Security Stats
    • “63% of businesses don't have a ‘fully mature’ method to track and control sensitive data.” Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats
  • 7. BREACH STATISTICS
    • In 2016, there have been 454 data breaches with nearly 12.7 million records exposed. Source: 2016 Identity Theft Resource Center Data Breach Category Summary
    • “In 93% of breaches, attackers take minutes or less to compromise systems.” Source: 2016 Data Breach Investigations Report from Verizon
    • “Four out of five victims [of a breach] don’t realize they’ve been attacked for a week or longer.” Source: 2016 Data Breach Investigations Report from Verizon
    • “In 7% of [breach] cases, the breach goes undiscovered for more than a year.” Source: 2016 Data Breach Investigations Report from Verizon
    • “30% of phishing emails are opened. And about 12% of targets go on to click the link or attachment.” Source: 2016 Data Breach Investigations Report from Verizon
    • “In 60% of cases, attackers are able to compromise an organization within minutes.” Source: 2015 Data Breach Investigations Report from Verizon
  • 8. COST STATISTICS
    • “80% of analyzed breaches had a financial motive.” Source: 2016 Data Breach Investigations Report from Verizon
    • “68% of funds lost as a result of a cyber attack were declared unrecoverable.” Source: Heimdal Security
    • “Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP – using the World Bank’s GDP estimate of $74.9 trillion in 2003, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.” Source: Global State of Information Security Survey 2015 from PwC
    • “The U.S. government has spent $100 billion on cybersecurity over the past decade, and has $14 billion budgeted for cybersecurity in 2016.” Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes
    • “The cyber insurance market—mainly a U.S. market—has grown from $1 billion to $2.5 billion over the past two years, and it is expected to grow dramatically and expand globally over the next five years.” Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes. See also: Security Ratings For Cyber Insurance
    • “The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.” Source: 2015 Data Breach Investigations Report from Verizon
  • 9. CYBER INSURANCE COVERAGE ILLUSTRATED

    | Type of company | Sector | Revenues | Limits | Premium | Premium % of revenues | Limits % of revenues | Coverage for worst case scenario |
    |---|---|---|---|---|---|---|---|
    | IT CONSULTING & DATA HOSTING PROVIDER | IT | 1,500,000 | 2,000,000 | 3,643 | 0.243% | 133.333% | (500,000) |
    | HEALTHCARE SAAS PROVIDER | HC | 2,000,000 | 2,000,000 | 9,398 | 0.470% | 100.000% | 0 |
    | HEALTHCARE IT PROVIDER/CONSULTING/PROJECT MANAGEMENT | HC | 4,500,000 | 5,000,000 | 34,600 | 0.769% | 111.111% | (500,000) |
    | CALL CENTER | Communications | 20,000,000 | 5,000,000 | 19,800 | 0.099% | 25.000% | 15,000,000 |
    | FIBER OPTICS COMMUNICATIONS PROVIDER | Communications | 35,000,000 | 10,000,000 | 47,000 | 0.134% | 28.571% | 25,000,000 |
    | INDUSTRY: HEALTHCARE | HC | 25,000,000 | 1,000,000 | 12,900 | 0.052% | 4.000% | 24,000,000 |
    | INDUSTRY: EDUCATION | ED | 25,000,000 | 1,000,000 | 6,000 | 0.024% | 4.000% | 24,000,000 |
    | INDUSTRY: RETAIL | RETAIL | 50,000,000 | 1,000,000 | 26,000 | 0.052% | 2.000% | 49,000,000 |
    | INDUSTRY: E-COMMERCE | IT | 50,000,000 | 1,000,000 | 37,000 | 0.074% | 2.000% | 49,000,000 |
    | RESTAURANT | MFG | 50,000,000 | 1,000,000 | 10,000 | 0.020% | 2.000% | 49,000,000 |
    | HEALTHCARE IT PROVIDER | HC | 1,200,000 | 5,000,000 | 15,900 | 1.325% | 416.667% | (3,800,000) |
    | HEALTHCARE SAAS PROVIDER (STARTUP) | IT | 1,500,000 | 5,000,000 | 30,420 | 2.028% | 333.333% | (3,500,000) |
    | ELECTRONIC HEALTH RECORDS (EHR) PROVIDER | HC | 5,000,000 | 1,000,000 | 8,010 | 0.160% | 20.000% | 4,000,000 |
    | E-WASTE COMPANY | MFG | 1,500,000 | 2,000,000 | 3,564 | 0.238% | 133.333% | (500,000) |
    | PSYCHOLOGIST’S OFFICE | HC | 1,000,000 | 1,000,000 | 1,600 | 0.160% | 100.000% | 0 |
    | DOCTOR’S OFFICE | HC | 1,700,000 | 1,000,000 | 1,800 | 0.106% | 58.824% | 700,000 |
    | SAAS PROVIDER | IT | 3,000,000 | 200,000 | 6,000 | 0.200% | 6.667% | 2,800,000 |
    | FAST FOOD | Consumer | 15,000,000 | 1,000,000 | 9,000 | 0.060% | 6.667% | 14,000,000 |
    | DATA STORAGE CENTER | IT | 15,000,000 | 20,000,000 | 120,000 | 0.800% | 133.333% | (5,000,000) |

    The "Coverage for worst case scenario" column is Revenues less Limits; a value in parentheses means the policy limits exceed the company's revenues.
    Source: https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/
  • 10. SECTION 2 – CHANGING CONDITIONS: OTHER CHANGES TAKING PLACE – MAY HAVE GREATER IMPACT BEYOND COSTS
  • 11. OTHER CHANGES TO TAKE NOTE OF
    • Business and relationship models will change
      • Defense industry and auto industry
    • Expansion of stakeholder responsibilities by regulatory authorities; aggressive changes in penalty regimes
      • European Union
      • South Africa
  • 12. BUSINESS MODEL CHANGES
    • Push down of demands into supply chains, impacting entire industries over the next few years
    • Accelerated by the introduction and increasing use of products considered part of the Internet of Things (IoT)
    • Mobility transformation in the auto industry will accelerate changes to manufacturers, suppliers and service providers (e.g. repair shops)
  • 13. CYBER SECURITY IS INTIMIDATING
    By Sead Fadilpašić, November 15 2016
  • 14. GOVERNANCE IS CHANGING – NY DFS REGULATION (500.03) RECENTLY FINALIZED
    The cybersecurity policy shall be reviewed by the covered entity’s board of directors or equivalent governing body, and approved by a senior officer of the covered entity.
    The cybersecurity policy shall address, at a minimum, the following areas: information security; data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; capacity and performance planning; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; risk assessment; and incident response.
  • 15. ARE CHANGES TAKING PLACE FAST ENOUGH?
    • If you are in a domain of losses – will take more risk
    • If you are in a domain of gains – will be more risk averse
  • 16. EU RESPONSE – ATTEMPT TO CHANGE THE PARADIGM
    Yet, EU laws related to identity protections provide the following fine regime: non-compliance can lead to an administrative fine up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher! (In some cases the penalty is raised to the greater of €20,000,000 or 4% of global revenues.)
    SailPoint Survey Confirms Enterprises have GDPR on their Mind – 75 percent recognize the important role identity governance plays within GDPR compliance plans
    LONDON, March 7, 2017 – SailPoint, the leader in identity management, surveyed customers and attendees at this week’s Gartner IAM Summit about their plans for meeting compliance requirements associated with the General Data Protection Regulation (GDPR), which goes into effect in 2018. Of approximately 100 survey respondents, 80 percent see GDPR as a priority even if they don’t have a specific plan in place (only 25 percent of respondents have an established plan) to comply with the regulation. Of those who are planning ahead for GDPR, most (75 percent) recognize the important role that identity governance plays in helping them to be GDPR-ready by 2018.
  • 17. ARE OTHER COUNTRIES FOLLOWING THE EU?
    • YES – South Africa is leading and has already enacted the Protection of Personal Information legislation (POPI), which has been signed by the President.
    • Failure to comply with the Act can impose personal liability on the executive management of public and private sector bodies.
  • 18. SECTION 3 – MOVING BEYOND COST: THIS SHIFT HAS EXPANDED THE STAKEHOLDER GROUP
  • 19. APPRECIATING THE CYBER RELATED CHALLENGES – PROTECT ENTERPRISE VALUE
    NOW AN AREA OF FOCUS AND SHARED CONCERNS WITH IT STAKEHOLDERS
      • Shareholders
      • Board of directors
      • Audit committee
      • Chief Executive Officer
      • Chief Financial Officer
      • Chief Risk Officer
      • Chief Information Officer (CIO/CTO)
      • Human Resources
      • PR/Markets
      • Capital markets
      • Engineering and manufacturing floor
      • Business partners
      • Others (supply chain relationships)
    MANAGE COSTS
      • Protection of strategic information
      • Improve insights through analytics
      • Manage stakeholder relationships with greater transparency
      • Deliver self-provided information with new tools for savvy users
      • Manage disruptions
      • Help people use their technology based tools more safely
      • Manage cloud solutions
    DELIVER VALUE
      • Increase productivity of employees through connectivity and collaboration
      • Connect complex supply chains across the world
      • Agility
      • Aligned with, and an enabler of, the business model
      • Control costs (server and communication maintenance)
      • Deliver actionable information
      • Protection of personal information
  • 20. STAKEHOLDER FOCUS OR AREAS OF CONCERN – SOME OF THE CHANGES, ILLUSTRATED
    • Boards – concern around reputational risk and overall enterprise value
    • CEOs – concerns about protecting their strategies and sensitive information
    • Finance teams – concern around reporting and compliance obligations (Sarbanes-Oxley, etc.)
    • HR – concerns around privacy protections
    • Engineers – concerns around connecting product to suppliers or customers
    • Production – concerns around automation and greater use of robotics
    • Financial institutions – concerns around use of bots, trading algorithms, regulatory and market concerns
  • 21. SECTION 4 – TECHNOLOGY SOLUTIONS: CREATING THE CYBERSECURITY ECOSYSTEM
  • 22. TALENT LIMITED – BELIEF IN TECHNOLOGY LED SOLUTIONS
  • 23. HOWEVER, THE INDUSTRY IS MOVING
    • The cyber security market is growing
    • Global budgets are increasing – but not even close to the increase in losses/insurance
    • In 2013, $1.5 billion in funding was allocated to 240 cyber security firms
    • Combinations and consolidations will continue to evolve
      • Dell/EMC/RSA – spin off
      • Palantir in talks about an IPO
    • Initiatives observed like the Mach37 cybersecurity accelerator (https://www.mach37.com/) and interesting collaborations like Lockheed and GE opening a center in Israel
  • 24. TECHNOLOGY OFFERS A PROMISING FUTURE
    • Simon Crosby, CTO at Bromium, calls machine learning the pipe dream of cybersecurity, arguing that “there’s no silver bullet in security.” What backs up this argument is the fact that in cybersecurity, you’re always up against some of the most devious minds, people who already know very well how machines and machine learning work and how to circumvent their capabilities. Many attacks are carried out through minuscule and inconspicuous steps, often concealed in the guise of legitimate requests and commands.
    • https://techcrunch.com/2016/07/01/exploiting-machine-learning-in-cybersecurity/
  • 25. SECTION 5 – RESPONSE OF THE AICPA: FRAMEWORK FOR REPORTING ON CYBER RISK MANAGEMENT
  • 26. AICPA FRAMEWORK RELEASED MAY 1, 2017
    “The AICPA has developed a framework that will serve as a critical step to enabling a consistent, market-based mechanism for companies worldwide to explain how they’re managing cybersecurity risk,” Coffey explained. “We believe investors, boards, audit committees and business partners will see tremendous value in gaining a better understanding of organizations’ cybersecurity risk management efforts. That information, combined with the CPA’s opinion on the effectiveness of management’s efforts, will increase stakeholders’ confidence in organizations’ due care and diligence in managing cybersecurity risk.”
    https://www.aicpa.org/Press/PressReleases/2017/Pages/AICPA-Unveils-Cybersecurity-Risk-Management-Reporting-Framework.aspx
    Prevention of security events
      • Physical and logical access
      • Authentication
        • Credential management
        • Privileged user management
      • Database security
        • Data loss prevention
        • Data destruction
        • Data backup
      • Virus detection and prevention
        • Firewalls and perimeter security
        • Secure system configuration
        • Intrusion prevention
      • Change management
        • Application changes
        • Patch management
    Detection of security events
      • Response to events
      • Mitigation and recovery