7/31/2019 2011 02 21 Larry Clinton Insurance Presentation
Larry Clinton
703-907-7028
ISA Board of Directors
Ty Sagalow, Esq., Chair; Executive Vice President & Chief Innovation Officer, Zurich North America
Tim McKnight, 1st Vice Chair; Vice President & Chief Information Security Officer, Northrop Grumman
Jeff Brown, Secretary / Treasurer; Vice President, Infrastructure and Chief Information Security Officer, Raytheon
Pradeep Khosla, Founding Director of CyLab, Carnegie Mellon University
Marc Sachs, Vice President Government Affairs, Verizon
Lt. Gen. Charlie Croom (Ret.), Vice President Cyber Security Solutions, Lockheed Martin
Eric Guerrino, Managing Director Systems and Technology, Bank of New York Mellon
Joe Buonomo, President, DCR
Bruno Mahlmann, Vice President Cyber Security Division, Dell
Kevin Meehan, Vice President Information Technology & Chief Information Security Officer, Boeing
Rick Howard, iDefense Manager, VeriSign
Justin Somaini, Chief Information Security Officer, Symantec
Gary McAlum, Chief Security Officer, USAA
Paul Davis, Chief Technology Officer, NJVC
Andy Purdy, Chief Cybersecurity Strategist, CSC
John Havermann II, Vice President & Director, Cyber Programs, Intelligence & Information, SAIC
ISA Mission Statement
The ISA mission is to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.
The Internet Changes Everything
Concepts of Privacy
Concepts of National Defense
Concepts of Self
Concepts of Economics
We have been focused on the HOW of cyber attacks; we need to focus on the WHY ($)
Cyber security is an economic/strategic issue as much as an operational/technical one
Cyber Security Economics are Skewed
Responsibility, costs, harms and incentives are misaligned
Individual and corporate financial loss
Core investment is undermined by edge insecurity
Government and the private sector have differing perspectives on risk
Enterprises are not structured to properly analyze cyber risk (ANSI-ISA study)
We are not cyber structured
In 95% of companies the CFO is not directly involved in information security
2/3 of companies don't have a risk plan
83% of companies don't have a cross-organizational privacy/security team
Less than have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan
ANSI-ISA Program
Outlines an enterprise-wide process to address cyber security broadly and economically:
CFO strategies
HR strategies
Legal/compliance strategies
Operations/technology strategies
Communications strategies
Risk management/insurance strategies
What we do know is all bad
All the economic incentives favor the attackers, i.e. attacks are cheap, easy and profitable, and the chances of getting caught are small
Defense is inherently a generation behind the attacker, the perimeter to defend is endless, and ROI is hard to show
Until we solve the cyber economics equation we will not have cyber security
Bad News and Good News
Bad: The situation is getting worse
Good: We know how to stop/mitigate 80 to 90% of cyber attacks
Bad: Although attacks are up, investment is down in 50-66% of American firms (PWC/CSIS)
Regulation is not the answer
Compliance (not security) already eats up much of the security budget
Specific regulations can't keep up with attacks
Vague regulations show no effect
Regulations increase costs uniquely for American companies
Regulations can be counterproductive: ceilings (Campaign Finance)
Obama's Cyber Space Policy Review
"If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership."
--- President's Cyber Space Policy Review, May 30, 2009, page 18
Current DC Activity
No bills had cyber insurance provisions in the last Congress
New Congress
White House
Senate
House
New Attention to Cyber Insurance
WH conference with ISA on cyber insurance last spring
House Homeland Security Committee considering cyber SAFETY Act
Senate Commerce Committee set of questions on cyber insurance for new bill; meetings to follow
WH Perspectives: 6 Reasons the Market Has Not Responded
1. Companies are not being charged for all their inputs and not being paid for outputs
2. Insufficient motives for the long term
3. Lack of information for comparative market choices
4. Markets must be seeded with products
5. Misalignment from government regulations & litigation
6. Entry barriers cause lack of alternatives
Congress Questions
1. How does insurance factor material risk in underwriting traditional commercial policies?
2. Do traditional policies cover damage/loss of IP or interruption from cyber events?
3. Is cyber typically excluded from D&O, property/liability? How do courts view these?
4. Are carriers clear about policy limits?
5. What standards are used to assess cyber risk? How is compliance measured?
Congress Questions
6. What kind of insurance for D&O who must meet Payment Card security standards?
7. What are the hurdles to developing cyber risk insurance, and how can they be overcome?
8. Are problems with expanding cyber insurance similar to crop/flood?
9. How can the federal government help create more acc data for the industry?
Congress Questions
10. What impact would come from SEC clarification on material cyber risk?
11. What is the impact of the use of untrustworthy vendors on insurance?
ISA Social Contract Model
Modeled on the Electric/Telephone social contract
Social Contract 1.0 (November 2008)
Cyber Space Policy Review (May 2009)
Social Contract 2.0 (January 2010)
Incentive-based model for Cybersecurity
Rely on status quo methods to create cyber security standards and practices
Test for effectiveness (e.g. FDA)
Create tiered levels based on risk profile
Apply market incentives to voluntary adoption
Embraced by CSPR (tax/liability/procurement/insurance) & legislation
Larry Clinton
President
703-907-7028