Too many incidents related to ransomware are occurring in the North East of Italy. Companies need to understand how to protect themselves and ensure continued access to their digital data. The damage of a cyber incident can exceed the threshold of US $ 25mil. A safe rating of a company's intangible assets needs an enhancement of the cyber risk insurance market, but weak competence on the subject requires clarification of this topic. The research intent was to identify the real risks and digital vulnerabilities in companies. We evaluated typical insurance products on IT risk and conducted a CIO/CISO survey. The final scope was a guideline for approaching the problem of outsourcing cyber risk protection.
1. Your partner for information security
Cybersecurity Risk Insurance
Luca Moroni – Via Virtuosa
INFOSEK 2016 - Nova Gorica –
1/12/2016
2. ISACA VENICE research team coordinator
✔ Research n.1: Vulnerability and Penetration Test. User's guidelines about third party penetration tests.
✔ Research n.5: Cyber Security Awareness of N/E Italian Critical Infrastructures: Scenarios and Guidelines for self-assessment
Member of ISACA VENICE Chapter Translation team
✔ Securing Mobile Devices – ITA
Research team coordinator Cybersecurity Risk Insurance
Graduation in Computer Science (1989, Milan), CISA and ITIL V3 certified, plus other technical certifications
Focused on cybersecurity since 2000 and lecturer in several seminars on this topic
Founder of the innovative company Via Virtuosa, which focuses on scouting and promoting expertise in cybersecurity and IT governance in the NE of Italy.
Luca Moroni
Who am I
3. Cesare Burei and Debora Casalini – Margas Srl
Ettore Guarnaccia – Banca Popolare di Vicenza Spa
Marco Cozzi – Hypo Alpe Bank Spa
Andrea Cobelli – Azienda Trasporti Verona Srl
Luigi Gregori – Cogitoweb Srl
Thanks to a great team in this Research
6. Cyber Risk Zone Level
The Global Risks Report 2016 11th Edition by the World Economic Forum
7. • Understand CIO awareness of cyber insurance
• Scenario analysis of cyber exposure
• What a cyber insurance is useful for
• Italian market of cyber insurance
• CIO testimonials with 3 business cases
• Q&A between CIO and Cyber Insurer
• Suggest rules for Cyber Insurance requests
White Paper objectives
… having a Risk Management Approach…
8. Cyber insurance is a single policy or a group of insurance policies that should cover residual cyber and cyber-related risks
What is a Cyber Risk Insurance
Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016
9. Insurer: "I know about new dangerous problems! I have a full portfolio of new products!" – MORE INTERESTED IN CYBERSECURITY
CIO: – MORE INTERESTED IN COUNTERING RESIDUAL RISK
Paul Steven
Communication protocol: Insurer vs CIO
PROBLEM!
10. Have you ever asked whether existing policies cover or exclude cyber risks? (Yes/No chart)
White Paper 2016 Via Virtuosa Srls COPYRIGHT protected
Cybersecurity Risk Insurance Survey on 63 companies
11. Who is asking you to provide Cybersecurity?
12. Have you registered cyber incidents involving your organization in the last five years? (Yes/No chart)
13. Cause of Loss
Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016
14. Adopting standards and measures
Check controls against ISO/IEC 27002:2013
About 90% of the vulnerabilities highlighted in an ISO/IEC 27001 gap analysis are not residual risk
15. Cyber Risk Exposure in NE of Italy
Sample of 70 companies ranked using "Determining Your Organization's Information Risk Assessment and Management" – ENISA Methodology
[Risk matrix: Impact vs. Probability of occurrence; "avoid the risk" zone: 30%]
16. CIO: "Ask me only about ICT please. I'm not a CISO or an RM."
Insurer: "Start assessing your situation."
Paul Steven
What's the state of the art?
1. Dedicated Resources
2. Policies and Procedures
3. Employee Awareness
4. Incident Response
5. Security Measures
6. Vendor Management
7. Board Oversight
Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016
17. CIO: "I analyse and know the problems together with the cyber risk owners."
Insurer: "You know your situation. GREAT!"
Paul Steven
What's the state of the art
18. "How is your situation? Ask me your question. Let me try to explain."
Business Case: Cesare, Andrea, Ettore, Marco
18 questions answered
19. What can you cover, and how? The insurable risks:
• Damages
• Business Interruption
• Costs
• Third Party requests
Paul Steven
Some questions
20. IT theft means any kind of intrusion by any third party into the company IT system which leads to the fraudulent and unauthorized removal or alteration of data contained in the company IT system itself.
Loss from IT theft means the funds illegitimately or erroneously paid by the insured as a direct consequence of an IT theft that are not retrievable or, even though they are juridically retrievable, cannot be retrieved because of the insolvency of the recipient, the impossibility of an effective operation or any other similar reason.
An example of real coverage
22. Security is not an investment that provides profit, but loss prevention
• The first step is to understand the situation
• Define protocols to measure, mitigate and manage cyber risk
• About 10% of the vulnerabilities highlighted in a cyber security gap analysis are residual risk
• Some critical sectors (e.g. banks) are mature for cyber insurance
• SMBs also need a financial parachute
• Managing the cybersecurity life cycle reduces residual risk
Conclusions