INFOSEK 2016 Slovenia - Cyber Risk Insurance - Scenario and Evaluation


Your partner for information security

Cybersecurity Risk Insurance

Luca Moroni – Via Virtuosa

INFOSEK 2016 - Nova Gorica – 1/12/2016

ISACA VENICE research team coordinator
✔ Research n.1: Vulnerability and Penetration Test. User’s guidelines about third party penetration test.
✔ Research n.5: Cyber Security Awareness of N/E Italian Critical Infrastructures: Scenarios and Guidelines for self-assessment

Member of ISACA VENICE Chapter Translation team
✔ Securing Mobile Devices – ITA

Research team coordinator Cybersecurity Risk Insurance

Graduation in Computer Science (1989, Milan), CISA and ITIL V3 certified and other tech certifications

Focused on Cybersecurity since 2000 and lecturer in some seminars about this topic

Founder of the innovative company Via Virtuosa, which focuses on scouting and promoting expertise in Cybersecurity and IT governance in the NE of Italy.

Luca Moroni

Who am I

Cesare Burei and Debora Casalini – Margas Srl

Ettore Guarnaccia - Banca Popolare di Vicenza Spa

Marco Cozzi – Hypo Alpe Bank Spa

Andrea Cobelli – Azienda Trasporti Verona Srl

Luigi Gregori – Cogitoweb Srl

Thanks to a great team in this Research

Cyber Incident = Loss of Money

Cyber Risk

Allianz Risk Barometer 2016

Cyber Risk Zone Level

The Global Risks Report 2016 11th Edition by the World Economic Forum

• Understand CIO awareness of cyber insurance
• Scenario analysis of cyber exposure
• What cyber insurance is useful for
• Italian market of cyber insurance
• CIO testimonials with 3 business cases
• Q&A between CIO and Cyber Insurer
• Suggest rules for Cyber Insurance requests

White Paper objectives

… having a Risk Management Approach…

Cyber insurance is a single policy or a group of insurance policies that should cover residual Cyber & Cyber related risks

What is a Cyber Risk Insurance

Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016

I know about new dangerous problems!

I have a full portfolio of new products!

MORE INTERESTED IN CYBERSECURITY

MORE INTERESTED IN COUNTER RESIDUAL RISK

Paul Steven

Communication protocol: Insurer vs CIO

PROBLEM!

Yes No

Have you ever asked whether existing policies cover or exclude cyber risks?

White Paper 2016 Via Virtuosa Srls COPYRIGHT protected Cybersecurity Risk Insurance Survey on 63 companies

Who is asking you to provide Cybersecurity?


Yes No

Have you registered cyber incidents involving your organization in the last five years?


Cause of Loss

Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016

Adopting standards and measures

Check Controls 27002:2013

About 90% of vulnerabilities highlighted in a Gap Analysis 27001 are not residual risk

Cyber Risk Exposure in NE of Italy

Sample of 70 Companies ranked using “Determining Your Organization’s Information Risk Assessment and Management” – ENISA Methodology

[Risk matrix figure. Axes: Impact; Probability of occurrence]

avoid the risk 30%

Ask me only about ICT please. I’m not a CISO or a RM

Start assessing your situation

Paul Steven

What's the state of the art?

1. Dedicated Resources
2. Policies and Procedures
3. Employee Awareness
4. Incident Response
5. Security Measures
6. Vendor Management
7. Board Oversight

Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016

I analyse and know the problems together with the cyber risk owners

You know your situation. GREAT!

Paul Steven

What's the state of the art

1. Dedicated Resources
2. Policies and Procedures
3. Employee Awareness
4. Incident Response
5. Security Measures
6. Vendor Management
7. Board Oversight

Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016

How is your situation? Ask me your question. Let me try to explain

Cesare

Andrea

Business Case

Ettore

Marco

18 Questions answered

How and what you can cover? The Insurable risks

Damages Business Interruption

Costs Third Party requests

Paul Steven

Some questions

IT theft means any kind of intrusion by any third party into the company IT system that results in the fraudulent and unauthorized removal or alteration of data contained in the company IT system itself.

Loss from IT theft means the funds illegitimately or erroneously paid by the insured as a direct consequence of an IT theft that are not retrievable or, even though they are legally retrievable, cannot be retrieved because of the insolvency of the recipient, the impossibility of effective action or any other similar reason.

An example of real coverage

Expertise

Cyber Insurance: Recent Advances, Good Practices and Challenges ENISA November 2016

Security is not an investment that provides profit but loss prevention

• The first step is to understand the situation
• Define protocols to measure, mitigate and manage cyber risk
• About 10% of vulnerabilities highlighted in a Cyber Security Gap Analysis are residual risk
• Some critical sectors (e.g. Banks) are mature for Cyber Insurance
• SMBs also need to have a financial parachute
• Managing the Cybersecurity life cycle reduces residual risk

Conclusions

Questions?

Thanks! l.moroni@viavirtuosa.it
