SlideShare a Scribd company logo

w-cyber-risk-modeling Owasp cyber risk quantification 2018

Open Security Summit , profile picture
Open Security Summit

This document describes Focal Point's cyber risk quantification services for insurance underwriting. It outlines a four-step roadmap for measuring an organization's cyber risk profile to inform insurance strategies. The first step leverages an organization's existing NIST Cybersecurity Framework assessment. The second step involves further evaluating cyber risks through an online self-assessment or deeper evaluation. The third step uses Monte Carlo modeling to measure potential cyber loss scenarios. The fourth step provides insights to define an appropriate risk strategy and optimize insurance coverage, limits, and deductibles. The document argues this approach helps organizations better understand cyber risks, prioritize mitigation options, and make informed decisions about cyber insurance.

Technology
1 of 55
Downloaded 33 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Cyber Risk Quantificaiton for insurance and underwriting transactions Proprietary & Confidential For Discussion Purposes Only
2 SKILLS YOU NEED A unique combination of capabilities allows Focal Point to solve the biggest and most complex challenges facing your organization, without requiring a web of different vendors. DATA IN OUR DNA Our focus on the data helps you look at your business from a new vantage point – so you can understand your risks in a way not otherwise possible. DELIVERABLES WITH INSIGHT We skip the jargon and get to the point. We deliver actionable insights, prioritized recommendations, and practical strategies for achieving your business goals. What Makes Focal Point Different
WHAT WE DO We measure, improve, and manage your risks - protecting your most important assets and helping you achieve your business goals. HOW WE DO IT Top experts from the most in-demand fields are embedded into each engagement and build deliverables that have a meaningful impact on your business. WHO USES FOCAL POINT Many of the most innovative organizations in the world, including 5 of the 10 largest companies in the U.S., rely on Focal Point to manage their key risks. Enterprise risk management Cybersecurity Identity governance Data privacy Project advisory Workforce development Data analytics Internal and IT audit 3 CORE SERVICE AREAS About Focal Point
Cyber Risk Measurement Roadmap
Roadmap To Cyber Risk Measurement: Improving Insurance Strategy and Purchasing Decision Making 5 Step 1 LEVERAGE: Leverage Client’s NIST CSF, if available. Step 3 MEASURE: Outputs Inform Model/Scenario Testing to: Measure Scenario-based Impacts. Measure Mitigation Options / ROIs. Measure Overall Cyber Risk Profile. Step 4 INFORM: Helps Define an Appropriate Risk Strategy (e.g., Commercial and/or Captive use). Assists Alignment of Identified Gaps with Potential Solutions. Drives Optimization of Insurance Pricing, Coverage, Limits, and Deductible/SIR’s. Helps CISO’s Selection/Business Case around Security & Resiliency Investments. Step 2 EVALUATE: Client may opt to take an Online NIST Self- Evaluation (only), and/or undergo a deeper Cyber Readiness Evaluation (CRE) at a level matching Client’s needs. Leverage Information + Evaluate Risks + Measure Exposure = Inform Strategies & Solutions
Step 1: Leverage Current NIST CSF Scores
Basis for starting point risk model analysis: The NIST Cybersecurity Framework (NIST CSF) 7 The National Institute Of Standards & Technology (NIST) Cybersecurity Framework (CSF), or NIST CSF, is a risk-based framework created through collaboration between the U.S. government and private sector that frames a standardized set of cybersecurity concepts into best practices to help organizations manage cyber risks. The Framework consists of three (3) parts; the Core, Implementation Tiers and the Profile. The Framework Core provides a set of five activities to achieve specific cybersecurity outcomes, divided into five functions: Identify, Protect, Detect, Respond, and Recover. The Implementation Tiers provide context on how you view cybersecurity risk and your processes currently in place to manage risk. The Framework Profile represents the alignment of your cybersecurity activities with business requirements, risk tolerances, and resources. The Framework enables you to describe your current and target cybersecurity postures, identify and prioritize opportunities for improvement, and evaluate your progress toward your target state.
8 NIST CSF: Leverage Client Outputs – Apply An Existing NIST Cyber Evaluation (if any)
Step 2: NIST CSF Online Scoring and/or Detailed Evaluation
Online NIST CSF Self-Evaluation: Easy Answer/Framework Selection and Document Referencing 10 Samples
Online NIST CSF Self-Evaluation: Sample Scoring Outputs 11 Current and Target Risk Comparison Comparative Scoring Analysis Detailed Scoring Results (optional)Summary Scoring & Benchmarking Results Samples
Cyber Readiness Evaluation (CRE) Components: A Deeper Analysis To Inform More Robust Cyber Measurement 12 • Evaluate and score current state of cybersecurity framework using NIST standards, mapped to the NIST Cybersecurity Framework (CSF).NIST CSF Evaluation • Identify existing vulnerabilities (people, process, technology) that could be exploited by malicious actors. Cyber Vulnerability Evaluation • Identify current or historical compromise of information/data through analysis of system artifacts. Cyber Compromise Evaluation • Conduct a cyber threat simulation exercise that enables executives and staff to build practical experience responding to cyber threats. Cyber Threat Management Exercise • Validate the maturity of the incident response and cyber protection controls through a targeted cyber attack. Cyber Attack & Response (Pen Testing) • Review data access policies/standards and determine opportunities for internal and external threat actors to access sensitive corporate or other protected information. Internal and External Threat Actor Profiling
Cyber Readiness Evaluation (CRE) Sample Deliverables: A Deeper Analysis To Inform More Robust Cyber Measurement 13 Current And Target State Positions Sample Written Recommendations
Step 3: Measurement
15 Framework Implementation Tiers Scoring and Gap Prioritization Tier 1 – Partial: cybersecurity risk management practices are either not formulated or are ad-hoc Tier 2 – Risk Informed: cybersecurity risk management practices are not organization-wide Tier 3 – Repeatable: there is an organization-wide management of cybersecurity risk Tier 4 – Adaptive: cybersecurity risk management is part of the organizational culture Use An Organized NIST CST Risk Taxonomy: Leveraging NIST Framework/Outputs For Model Preparation
16 Monte Carlo Simulation Overview: What Is It And Why We Use It Modeling a real system to learn about its behavior Building a set of mathematical and logical relationships Establishing and varying conditions to test different scenarios Providing a helpful solution when you do not have historical loss data
17 Monte Carlo Outputs: Understanding The Monte Carlo Simulation Process • Simulates the uncertainty in the assumptions • The program selects a value for the assumption, recalculates the spreadsheet, plots the forecast and repeats Random Number Generation • We build frequency and severity distributions for each selected Cyber Risk Factor (e.g., Access Control, Protective Technology, etc.) • We perform up to 50,000 year loss simulations and apply it to selected Cyber Risk Factors • The model simulates different loss outcomes and applied correlation and aggregate views to link results • This then provides an overall loss distribution along with a view of the associated variability around mean estimate (average) calculations Application of Model
18 Develop Key Modeling Assumptions: Samples Derivation of Assumptions:  Used the scores from the Cyber Risk Evaluation to estimate ABC's frequency scores.  Used ABC's revenue numbers and general industry patterns to estimate ABC's severity scores.  Used offsets from ABC's frequencies and severities to estimate XYZ's frequencies and severities. Key Assumptions:  The frequencies of each of the cyber risks range between a 6 and a 10 (between 3% and 50%).  The severities of each of the cyber risks follows profiles which are common in the industry.  The average severity loss among the cyber risks is around $17 million: a significant part of ABC’s revenue is from conferences.  XYZ’s risks are mostly around 1/2 as severe as ABC’s, since despite small revenue, its liabilities will grow rapidly given the new cloud exposure.
Conduct Simulated Cyber Loss Scenarios: Inform Your Cyber Risk Profile And Optimize Your Risk Strategies 19 Total potential losses with no insurance Total potential losses after insurance Total potential losses beyond $50k deductible Total potential losses using two-factor authentication Example See Appendix For Larger Views
Step 4: Inform
Final Results Summarized: Informing Strategies And Solutions 21 What you asked us to do? Focus on the security and privacy exposures of ABC, especially in the light of the first year of XYZ’s development and operations Provide specific recommendations on insurance coverage structure, terms and conditions, and policy wording where appropriate How did we proceed? Applied the NIST CSF and scored your cyber risk profile. We reviewed policies, networks, systems, vendors, and interviewed ABC and XYZ management We identified and quantified cyber vulnerabilities and calculated potential losses based on the NIST framework We developed operational and cyber insurance coverage recommendations using the cyber loss profile results and coordinated with insurance broker to position account for a more strategic insurance placement What did we find? 1 There is over a 70% chance of a cyber loss 2 With the current $10 m limit, there is a 10% chance of a cyber loss exceeding $38 m including $50k deductible 3 A breach could reduce (or eliminate) future revenue or enrolment due to direct or consequential reputational impacts What do we recommend? 1 Adopt two-factor authentication to cut likelihood of breach and help lessen reputational impacts of a breach 2 Maintain current deductible, if possible, and increase the limit to $15 m to reduce average losses from $9.8 m to $7.3 m, using a $50 k deductible 3 Improve insurance policy features through alignment with the NIST CSF framework Example
Baseline Risk Measurement: High concentrations of potential loss in controlling access with protective technology 22 Issue: How to evaluate Baseline cyber risk exposure without insurance and operational mitigation? Approach: – Use NIST taxonomy to drive review – Use risk experts to test and score likelihood and impact of potential cyber risk events associated with each NIST risk driver Findings: 10% chance of loss greater than $38 million with average losses around $17 million 1. Over 70% chance that a cyber loss could occur 2. Loss concentrated around Access Control and Protective Technology: both high frequency and high severity 3. Either could exceed current insurance limit levels Example
Baseline Risk Measurement: Understanding Operational Risk Impacts and Reduction 23 Example
How Can You Respond To Cyber Risk? Recommendation (1 of 3): Invest In 2FA To Help Reduce A Chance Of A Breach 24 ➢ Issue: How do we evaluate an emergent and insurgent risk and understand operational mitigations? ➢ Approach: – Use NIST taxonomy to drive comprehensive review – Simulate the range of potential losses associated with each NIST risk driver – Apply simulation to operational mitigations ➢ Insight: 10% chance of loss greater than $38 million with average losses around $17 million, highly concentrated around Access Control and Protective Technology. ➢ A failure in Access Control can present a significant reputational risk to the ability to attract and maintain clients, particularly during its early years. An Access Control failure in one part of the business can have a consequential reputational impact on others. RECOMMENDATION ➢ Idea: Operationally protect core revenues and start-up situations. Implement Two Factor Authentication (2FA) which reduces by at least 10% the chance of loss impact, by $1 - $2 million This may also reduce reputational impacts from a breach 2-Factor Authentication May Reduce the Losses from a Breach 34 35 36 37 38 10%ChanceofLess($million) Loss Mitigation Remaining Loss Note: 2FA offers a noteworthy reduction in the attack horizon, however the attack surface (as with all networks with any kind of inter web connectivity) still remains high for other types of attacks (phishing, SQL cross-site, etc.) that are not quantifiable as a percentage with any accuracy. Even IF 2FA reduced the exposure by a measurable amount a protected connection is still vulnerable if the connecting system is already infected. Example
How Can You Respond To Cyber Risk? Recommendation (2 of 3): Optimize Insurance Coverage Relative To Potential Cyber Losses 25 Use Insurance Coverage to Reduce Potential Cyber Losses 20 25 30 35 10%ChanceofLess($million) Loss Mitigation Remaining Loss Note: Loss Mitigation estimates include an assumption for a $50,000 insurance deductible. ➢ Issue: How do we evaluate an emergent and insurgent risk and understand potential mitigations? ➢ Approach: ➢ Use NIST taxonomy to drive comprehensive review ➢ Simulate a range of losses for each risk driver ➢ Apply simulation to financial mitigations ➢ Insight: 10% chance of loss greater than $38 million with average losses around $17 million RECOMMENDATION ➢ Idea: Financially protect core revenues and new membership enrolment Increase Cyber Insurance Policy Limit by $5 million Reduce the estimated loss impact to $23 million Reduce the average loss to approx. $7.3 million Example
26 ● Host Scripts ● Commercial Tools ● Client Interviews ● System Logs ● Volatile Data ● File Metadata ● Network information ● User Account Information ● Find Malware ● Identify Exfiltration ● Enumerate Compromised Users ● Locate All Affected Systems Issue: How do we manage policies to mitigate an emerging and insurgent risk like cyber? Approach: – Provide an in-depth policy coverage review – Map NIST framework to policy items – Discuss potential gaps with broker and determine the market’s ability to customize coverage – Assist in preparing underwriting documents to educate markets and obtain customized solution – Review quotes and coverage against NIST Map when received Insight: Some NIST-based risks are not covered cleanly in many existing cyber policies (e.g., Reputational impacts) RECOMMENDATION Idea: Design and acquire customized cyber coverage better matching to actual risk variables & controls How Can You Respond To Cyber Risk? Recommendation (3 of 3): Improve Policy Structure Working with brokers, provide underwriting markets with clear coverage requirements matching risk exposures to customize coverage to reduce risk of coverage issues in case of a claim. Example
How Can You Manage Cyber Risk? Recommendation (3 of 3): Align Your Framework To Cyber Insurance Coverages 27 A FAILURE IN… WOULD LIKELY TRIGGER COVERAGE UNDER… Security & Privacy Liability Multimedia & IP Liability Technology Services Misc. Prof. Services Network Interruption & Recovery Event Support Expense Privacy Regulatory Defense & Penalties Network Extortion Electronic Theft & Computer Fraud Reputational Damage Cyber ID and Governance Y No Coverage Y No Coverage Y Y No Coverage Access Control Y No Coverage Y No Coverage Y Y Y Y Y No Coverage Awareness and Training No Coverage No Coverage Y No Coverage Data Security Y No Coverage Y No Coverage Y Y Y Y Y No Coverage Maintenance Y No Coverage Y No Coverage Y Y Y No Coverage Protective Technology Y No Coverage Y No Coverage Y Y Y Y Y No Coverage Detection Y No Coverage Y No Coverage Y Y Y Y No Coverage Response & Recovery No Coverage No Coverage Y Y No Coverage Example
For Future Consideration: Updating and Extending Analysis ▸ Determine an acceptable risk tolerance level ▸ Select Operating Margin or Net Income (vs Revenue) as a basis for analysis ▸ Update analysis on an annual basis ▸ Add new inputs, looking at the effects of other operational changes ▸ Add new external data about different insurance coverage options available in the market 28 Example
Appendix
Example Views
Simulated Losses: Total Potential Cyber Losses – Excluding Insurance 31 Example
Simulated Losses After Insurance: Total Cyber Losses After Current Insurance 32 Shows $9.7m average net residual loss exposure (uninsured losses) Example
Simulated Losses Beyond Deductible: Total Cyber Losses Beyond $50k Deductible 33 Shows $17m of exposure remaining which can be mitigated through higher insurance limits Example
Simulated Losses Under Two-Factor Authentication: Total Losses Using 2FA 34 Shows improvement in the value of cyber losses (less) post implementation of two-factor authentication (2FA) technology (mitigation solution)
Enterprise Risk Impacts: Correlated Cyber Risk Impact Views 35 Example
Example Case Study
Case Study Example: Solving For An Enterprise-wide Cyber Loss Profile 37 • Assisted a prominent global healthcare research organization with qualifying and quantifying operational risks, and doing so with a key focus on identifying emerging cyber risk related loss exposures. • The operational risk assessment involved estimating and quantifying the value of a vast amount of longitudinal research studies (a key organizational product sold into the marketplace) that were critical to annual revenue. • The product was largely warehoused in a proprietary IT system that was undergoing operational changes. Worked with internal client teams to assess the cyber risk profile and apply NIST/COBIT/ISO27K control and risk frameworks and develop a gap analysis’. • Proposed appropriate risk mitigation strategies involving personnel, enhanced processes and additional technology. Specific insurance solutions were also examined.
Case Study Example: Solving For An Enterprise-wide Cyber Loss Profile 38 • This organization then asked to: • deeply test its cyber security environment across multiple IT networks and across both mature and immature technology environments; • categorize, quantify, and model its operational cyber risks; and • understand how its cyber risk profile impacts its enterprise wide risk mitigation strategies and insurance (limits and coverage). • Responses and solutions included: • performing numerous ERM and operational cyber risk assessments (e.g., vulnerability & compromise assessments, external network scans, ERM risk maturity assessments and reports.) to produce qualitative and quantitative reporting of operational risks; • developing a risk taxonomy that is useful for operational risk assessment; more fully aligned with the NIST framework. Developed a unique approach to a cyber risk scoring methodology; and • using operational risk modeling results to help inform various operational risk and financial risk hedging strategies the organization can undertake as part of its overall ERM and risk management strategies.
Team Bios
Background 40 Yvette Connor joined Focal Point in 2017 as its Chief Risk Officer and head of the Enterprise Risk Consulting practice. Ms. Connor has more than 20 years of experience building, and implementing and testing enterprise risk frameworks. She is a thought leader on emerging risk and efficient ways to effectively manage and link enterprise risk frameworks with regulatory, InfoSec, compliance, and audit platforms. Ms. Connor focuses on identifying opportunities for value creation, including building decision-driven models informed by risk awareness and organizational behavior. Immediately prior to joining Focal Point, Yvette Connor was a Managing Director with Alvarez & Marsal Insurance and Risk Advisory Services in Chicago, where she focused on global Enterprise Risk Management engagements and developed an approach for Enterprise- wide cybersecurity risk valuation. Ms. Connor’s research is focused on ways companies identify risk priorities broadly throughout an organization or more narrowly, by going deeper into a specific risk topic. Her master’s thesis,: “Does Risk Management Matter to Shareholders,” describes a methodology to financially assess the impacts of “sophisticated” risk management on both profitability and growth. Prior to A&M, Ms. Connor served as the Director of Client Engagement for Marsh,, Inc. where she lead a proprietary global servicing model designed to define clients’ business needs and risk priorities, design optimal risk management responses, and deliver value-add solutions (Marsh 3D). Ms. Connor is the lead designer of the Dynamic Risk Mapping tool utilized by Marsh, Inc, within their global iMap analytics offering. Prior to joining Marsh in 2010, Ms. Connor was the Director of Risk Management at Vulcan Inc., a privately held company, with a diverse portfolio of over 200 operating companies. While at Vulcan, Ms. Connor led the development of a multi-disciplinary risk management department and rolled out an enterprise-wide risk management framework across a portfolio of stakeholders and companies.. Ms. Connor was the Vice President of Risk Management at Roll International (now, the Wonderful Company), a global food producer, distributor and product manufacturer, as well as Director of Insurance and Risk Financing at Sutter Health. Ms. Connor earned a master’s of science degree in risk management at NYU and an MBA in finance at University of California, Davis., graduating Beta Gamma Sigma (highest honors). In 2013, Business Insurance magazine named Ms. Connor as one of the “Women to Watch” in Risk Management and Insurance, confirming her talents as a leader and innovator for risk management excellence. In 2008, Treasury and Risk magazine named her as one of the up and coming key leaders in treasury risk, as part of their “40 under 40 list.” Yvette Connor Chief Risk Officer & Lead Engagement Partner Enterprise Risk Consulting
Background 41 Bill Foote joined Focal Point in 2017 as a Senior Director/Strategic Advisor in its Enterprise Risk Consulting practice in New York City and is focused on supporting and delivering ERM solutions to Focal Point clients. Dr. Foote has over 40 years of risk and performance modeling and consulting experience in private and public sector organizations. Dr. Foote has led several public and sector enterprise risk quantification and management initiatives, and he has specialized expertise across several functional domains including quantitative and qualitative modeling of market, credit, and operational risk. Immediately prior to joining Focal Point, Mr. Foote was a Director with Alvarez & Marsal’s Insurance and Risk Advisory Services in New York. While at A&M, Dr. Foote has designed, developed and built an enterprise risk management process, governance, quantification, and reporting capability for impending ORSA and existing business decision making requirements. He also built enterprise risk measurement and reporting for mitigation decisions and regulatory disclosure by senior management of a major U.S. asset manager. Dr. Foote has built market, credit, and operational risk functionality for financial services, energy, manufacturing, and public sector firms. Specifically for credit, he implemented credit risk governance, risk factor identification and quantification, transaction structuring, collateral and counterparty management, and the production of reviews, reports, presentations for regulators, investors, management, and public disclosure. He also provided expert testimony in legal and regulatory proceedings regarding credit risk practices, transactions and risk management systems, collateral valuation, analysis of credit events and their impact on asset portfolios. Dr. Foote has participated in the structuring of transactions to mitigate credit risk and provided specialist valuation services for management and external auditors. On other projects at Paraclete, Dr. Foote advised a major pharmaceutical to improve margins and reduce treasury, marketing, and sales process costs on an operating annual budget by designing integrated valuation, risk control assessment and assurance, value chain, decision, real options pricing, and KPI taxonomies to deliver enterprise risk and performance strategy for CFO business planning and budgeting function; constructed business simulation, scenario analysis, stress testing, capital modeling and review to support project management based on integrated taxonomies. Prior to working with Alvarez & Marsal, Dr. Foote started his career, and was credit trained, at Manufacturers Hanover, and was more recently a Senior Manager with Ernst & Young, a Firm Director with Deloitte & Touche, a Vice President with Charles River Associates, and most recently a Principal at Paraclete Risk Solutions. Dr. Foote holds his M.A. and Ph.D. in Economics from Fordham University, and also has a B.A. in Classical Languages and Philosophy from Fordham. Bill Foote Senior Director Enterprise Risk Consulting
Background 42 Daniel Barwick is a Director with Focal Point’s Enterprise Risk Consulting practice. He specializes in market, credit and operational risk analysis and mitigation. With more than 14 years of Risk Management experience, Mr. Barwick’s primary areas of concentration are with the analytics/models for risk metrics and valuations and the associated systems and methods to gather the data to drive these models. Prior to joining Focal Point, Mr. Barwick was a Director in Alvarez & Marsal (A&M)’s Enterprise Risk Management practice where he worked on complex risk quantification projects related to Technology risk, among others. Prior to A&M, Mr. Barwick served as a subject matter expert for bulge bracket banks working on their CCAR (Capital adequacy reviews) reviews of their market risk models for CVA, trade and derivative models. Along with the review of these models Mr. Barwick also added insight and opined on the system layouts and governance processes currently in place, suggesting new measures where applicable to mitigate procedural and operational risk to the companies. Mr. Barwick has experience in the auto leasing industry where serving as an analyst he helped to model the residual values for autos. He also performed analysis on the potential resale values and impacts of tax benefits such as like kind exchange on the pricing and value of the portfolio at large. Before his transition to consulting, Mr. Barwick served as a financial engineer for Fannie Mae in Washington DC, where he helped to specify the design of and roll out new risk system updates to the models and systems responsible for various market risk, credit default, prepayment and trade analytics across the company. Additionally, prior to his service at Fannie Mae, Mr. Barwick gained valuable counterparty risk experience at Ditech mortgage in Fort Washington PA, where functioning as a risk manager assessing the companies aggregate market exposure to third parties and ensuring these assessed risk were within established tolerances. While at Ditech, Mr. Barwick helped to redesign their counterparty risk system during the company’s divestiture from Ally Bank form scratch into a more cost effective form to meet the needs of the new formed small business. Mr. Barwick earned a bachelor’s degree in finance from Virginia Polytechnic and State University and a master’s degree in Finance from George Washington University. Daniel Barwick Director, Enterprise Risk Consulting
Background 43 Damon Levine is a published enterprise risk management thought leader, industry speaker, and practitioner, serving as a Director in Focal Point’s Enterprise Risk Management practice. Mr. Levine has more than 20 years’ experience in enterprise risk management, asset management, quantitative modeling, consulting, and insurance. His specialties include risk-reward optimization, risk appetite and limit systems, risk modeling, risk training, and linking ERM to strategy and company value. Mr. Levine emphasizes a business-enabling approach to risk management that reflects a company’s culture, business goals, and resources. Mr. Levine has researched and developed approaches to improve risk culture, embed ERM in operating companies, and optimize both return on capital and earnings as a function of product allocation. He is the winner of the Actuarial Foundation's ERM Research Excellence Award for his whitepaper "Enterprise Risk-Reward Optimization: Two Critical Approaches" and the Joint CAS/CIA/SOA Award for Practical Risk Management Applications for "Growth in Stock Price as the ERM Linchpin". Prior to joining Focal Point, Mr. Levine served as Vice President, Enterprise Risk Management for Assurant Inc., where he developed and implemented its risk framework and risk governance infrastructure while serving on the ERM, Information Security, and Benefit Plan Investment Committees of this global Fortune 300 insurer. In that role, he partnered with all business lines and functional areas to manage risk exposures and mitigations for financial, credit, market, operational, and insurance risks. He is a frequent speaker at RIMS, the Enterprise Risk Management Symposium, Insurance Nexus, the Actuarial Society of NY, and Marcus Evans conferences. He has taught actuarial mathematics at Columbia University, was published in The Actuary, and has been included in Society of Actuaries' exam syllabus. He authored the March 2017 cover article for the CAS/CIA/SOA Joint Risk Management Section. Mr. Levine holds a Masters in Mathematics from the University of Maryland at College Park and a BA in Statistics/Mathematics from the State University of New York at Buffalo, where he graduated Summa cum Laude, Phi Beta Kappa, and received the Best Undergraduate in Mathematics award. He is a Chartered Financial Analyst (CFA) and Certified Risk and Compliance Management Professional (CRCMP) with over 20 years' experience in ERM, cyber risk management, COSO, ORSA, insurance, quantitative modeling, asset management, and consulting. Damon Levine Director Enterprise Risk Consulting
Background 44 Doug Richter joined Focal Point in 2017 as a Manager in its Enterprise Risk Consulting practice in New York City. Mr. Richter brings extensive experience in the areas of ERM, corporate risk management, insurance, and project management (PMO) in the staffing, insurance, manufacturing, oil & gas, technology, pharmaceutical, and construction industries. Immediately prior to joining Focal Point, Mr. Richter was a Manager with Alvarez & Marsal Insurance and Risk Advisory Services (A&M) in New York and a member of its ERM team. While at A&M, Mr. Richter has helped lead multiple engagements that has included project work with a large healthcare insurer, state governments, and a staffing company, working across multidisciplinary teams on a variety of projects. Mr. Richter also served as Director of M&A Transaction Services at The Hauser Group based in New York. Mr. Richter was responsible for performing and managing the Risk Management and Insurance due diligence process and developing the go-forward recommendations for Hauser’s Private Equity partners and related portfolio companies. Prior to joining Hauser, Mr. Richter was a Management Consultant with Deloitte Consulting LLP’s Actuarial, Risk and Analytics (ARA) practice in New York City for over four years where he regularly served some of Deloitte’s largest clients. Amongst his risk management and insurance work, Mr. Richter led two major PMO insurance & risk management work streams on Coca-Cola’s acquisition of Coca-Cola Enterprises and Pfizer’s merger with Wyeth. Mr. Richter also managed the day-to-day PMO of Deloitte’s Audit engagement of MetLife, covering its global operations. Prior to joining Deloitte in January 2008, Mr. Richter was a risk manager with Volt Information Sciences, Inc., a Fortune 1000 multi- services company. He was responsible for managing, monitoring, and responding to various risks and losses at several thousand domestic and international company and client-worksite locations of a contingent workforce of nearly 55,000 and an annual workers’ compensation program in excess of $30 million. Mr. Richter also worked for Allstate Insurance Company where he served as Associate, servicing personal and commercial lines of insurance coverage. Among his responsibilities included field-level underwriting of new business risks as well as performing initial loss assessments in processing policyholder’s property and casualty claims. Mr. Richter has co-authored numerous thought leadership articles on a variety of risk management and insurance topics including product recall, safety analytics, directors & officers liability, and sustainability. Mr. Richter earned a bachelor's degree in Economics with a concentration in Business from Indiana University, Bloomington. Mr. Richter also holds the Associate in Risk Management (ARM) designation. Doug Richter Manager Enterprise Risk Consulting
Background 45 Soraya Wright, is a Consultant in Focal Point’s Enterprise Risk Consulting practice and has over 30 years of experience managing complex risks for global businesses. She leverages her experience to identify and evaluate enterprise risks and determine appropriate mitigation and risk finance strategies. Soraya previously held executive positions, including VP-Global Risk Management & Crisis Management at The Clorox Company where she was responsible for leading Clorox’s enterprise risk management program, the Company’s global insurance strategy, crisis management and business continuity for worldwide operations, and President-Board of Directors of the Company’s captive insurance subsidiary which she formed; and, VP-Enterprise Risk Management at Target where she was recruited to launch the strategy and centralized oversight of Target’s post-breach enterprise risk management program. Soraya is committed to community service and has served in a leadership capacity at over a dozen community and professional organizations, including the Board of Trustees at Holy Names University, Oakland’s Children’s Hospital Foundation, and the East Oakland Youth Development Center’s Board of Directors. In recognition for her community service, The United Way honored Soraya with the Adele K. Corvin Outstanding Agency Board Volunteer Award. Sought out for her expertise, Soraya has served on the Client Advisory Board of several insurance companies and commercial insurance brokerage firms including ACE (Chubb), FM Global, and MARSH. She is a frequent speaker at Risk and Insurance Management Society (RIMS), Advisen, and Hawaiian Captive Insurance Forum conferences, covering a broad range of risk management topics including Enterprise Risk Management (ERM) strategies, managing executive risks, forming captive insurance companies and managing complex claims. Soraya received her BA in Business Administration & Economics from Holy Names University. She is a member of the Executive Leadership Council (ELC) and Delta Sigma Theta Sorority, Inc. In December 2015, Soraya was named by Business Insurance as a “Woman to Watch”. Soraya Wright Consultant Enterprise Risk Consulting
Contact Us Headquarters 201 E. Kennedy Blvd. Suite 1750 Tampa, FL 33602 Focal-point.com Focal Point Data Risk @focalpointdr Yvette Connor CRO | Enterprise Risk Consulting Leader yconnor@focal-point.com 206.669.7440
PARKING LOT
Our Integrated Cyber Risk Measurement Process 48 Identify Risks Through A NIST-CSF and/or CRE Evaluation Assess Evaluation Outputs, Perform Modeling, and Measure Cyber Risk Impacts & Profile Clear Analysis/Visualizations Inform Risk-based Decisions
Using An Integrated Approach To Cyber Measure 49 Technology & Security Enterprise-wide Risk Based Decision Making Governance, Risk and Compliance Cyber Risk ERM ORSA NAIC NY DFS ERM Compliance Audit GRC ERM NAIC NY DFS NIST COBIT 5 ISO
Key Considerations Addressed In Three Steps 50 What are our key cyber risks: would they adversely impact our operations and/or income? Evaluate over an annual 12 month timeline Align with risk factors and enterprise risk categorization Risk Identification: What is the likelihood this risk would occur over the next year? If the risk occurred, what is the average value of an expected financial loss? What are our current responses and how are we mitigating risk impacts? Risk Quantification & Mitigation: How does this information drive risk-based decision making and results? What actions do we need to take now and which ones can we defer? How do we monitor and report on our risk and mitigation activities? Risk Reporting & Monitoring: Model Simulation NIST Assessment Risk Decision Making
51 Risk Manage Risk Transfer Many enterprises’s primarily focus its traditional cybersecurity spend to develop suitable risk management measures to put in place the right protection, detection, and basic response measures. Cyber insurance, as an example, is typically used to provide response, recovery, and liability management support. Company Primary Responsibility Insurance Support Cyber Risk Management Lifecycle Organization’s Primary Responsibility Insurance Carrier Responsibility Protect Detect Respond Recover Insurance & Risk Transfer Leverage Quantified Results To Drive More Robust Insurance And Operational Risk Decision Making
Conduct Modeling and Scenario Testing 52 ➢ Focal Point applies NIST evaluation outputs and assumptions, estimates, scenarios, and any relevant inputs into our Ellipse quantification and simulation tool to derive cyber risk exposure and loss estimates. ➢ Each defined cyber risk scenario runs through Ellipse to estimate the potential losses for that scenario. The Ellipse model uses various model inputs within a Monte Carlo simulation, and in combination with other statistical techniques, develops cyber loss estimates. These scenarios will help inform the basis of our Client’s cyber risk exposure/profile. ➢ The cyber loss estimates are estimated at the 95% confidence level, as well as 55% and 75%.
Example Finding: Value Of Insurance And Risk Transfer 53 We modeled cyber losses for both organizational entities together, since they will be insured together, and considered implementation of two-factor authentication given this was a likely investment decision: ● Our modeling showed average cyber losses of $16.54 M before insurance ● With current insurance, cyber liabilities would be reduced to $9.79 million ● With another $5M of insurance coverage would be reduced to $7.3 million ● On an average basis, this additional coverage would be worth $2.5 million. $0mm $5mm $10mm $15mm $20mm with higher $15 M insurance limit with current $10 M insurance limit without insurance Cyber Losses ($ million)
Example Recommendation: Determine Value of Risk Transfer And Insurance 54 ● Our recommendation is to adopt two-factor authentication (2FA): ● Our modeling estimates that 2FA would reduce the frequency of an Access Control event by 50% ● Without insurance, 2FA would reduce average losses by $4 million ● With current insurance, 2FA would reduce average losses by $3 million. $0mm $1mm $2mm $3mm $4mm $5mm under current insurance without insurance Potential Loss Reduction from Two-Factor Authentication ($ million)
Final Results Visualized (illustrative Access Control example) 55

More Related Content

PDF
Cyber Risk Quantification | Safe Security
Rahul Tyagi
 
PDF
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
PDF
Guide to high volume data sources for SIEM
Joseph DeFever
 
PDF
Information Technology Vendor Risk Management
Deepak Bansal, CPA CISSP
 
PPTX
BDQCRM Cyber Risk Management Intelligence Top 12 Final 080216
Mitchell Grooms
 
PPTX
Information Security Risk Management
Nikhil Soni
 
PDF
From checkboxes to frameworks
Andréanne Clarke
 
PDF
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Cyber Risk Quantification | Safe Security
Rahul Tyagi
 
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Guide to high volume data sources for SIEM
Joseph DeFever
 
Information Technology Vendor Risk Management
Deepak Bansal, CPA CISSP
 
BDQCRM Cyber Risk Management Intelligence Top 12 Final 080216
Mitchell Grooms
 
Information Security Risk Management
Nikhil Soni
 
From checkboxes to frameworks
Andréanne Clarke
 
How close is your organization to being breached | Safe Security
Rahul Tyagi
 

What's hot (20)

PDF
DataShepherd Security
Jason Newell
 
DOCX
BDQCRM Service Offering Phase I Scoring
Mitchell Grooms
 
PDF
A Practical Approach to Managing Information System Risk
amiable_indian
 
PDF
Why Corporate Security Professionals Should Care About Information Security
Resolver Inc.
 
PPTX
Information Secuirty Vulnerability Management
tschraider
 
PDF
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
South Tyrol Free Software Conference
 
PPTX
Information systems risk assessment frame workisraf 130215042410-phpapp01
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PDF
Pitfalls of Cyber Data
Phil Huggins FBCS CITP
 
PPTX
The Economics of Cyber Security
John Gilligan
 
PDF
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
 
PPTX
Risk assessment
kajal kumari
 
PPTX
Adapted from an ESG report - Seeing Is Securing - Protecting Against Advanced...
Proofpoint
 
PPT
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
PPTX
Information risk management
Akash Saraswat
 
PDF
Weakest links of an organization's Cybersecurity chain
Sanjay Chadha, CPA, CA
 
PDF
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
PDF
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
PDF
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
Tony Martin-Vegue
 
PDF
Incident response methodology
Piyush Jain
 
PPTX
4 Cyber Security KPIs
Steven Aiello
 
DataShepherd Security
Jason Newell
 
BDQCRM Service Offering Phase I Scoring
Mitchell Grooms
 
A Practical Approach to Managing Information System Risk
amiable_indian
 
Why Corporate Security Professionals Should Care About Information Security
Resolver Inc.
 
Information Secuirty Vulnerability Management
tschraider
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
South Tyrol Free Software Conference
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Pitfalls of Cyber Data
Phil Huggins FBCS CITP
 
The Economics of Cyber Security
John Gilligan
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
 
Risk assessment
kajal kumari
 
Adapted from an ESG report - Seeing Is Securing - Protecting Against Advanced...
Proofpoint
 
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
Information risk management
Akash Saraswat
 
Weakest links of an organization's Cybersecurity chain
Sanjay Chadha, CPA, CA
 
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
Tony Martin-Vegue
 
Incident response methodology
Piyush Jain
 
4 Cyber Security KPIs
Steven Aiello
 
Ad

Similar to w-cyber-risk-modeling Owasp cyber risk quantification 2018 (20)

PPTX
PPT-Security-for-Management.pptx
RSAArcher
 
PDF
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
SlideTeam
 
PDF
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
PDF
Cybersecurity Incident Management PowerPoint Presentation Slides
SlideTeam
 
PPTX
Assessing Quality in Cyber Risk Forecasting
Jack Freund, PhD
 
PDF
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
jbasney
 
PPTX
Stay Ahead of Threats with Advanced Security Protection - Fortinet
MarcoTechnologies
 
PDF
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
PDF
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
PDF
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
PDF
NIST critical_infrastructure_cybersecurity.pdf
ssuserb3094b
 
PDF
OSB50: Operational Security: State of the Union
Ivanti
 
PPTX
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
robbiesamuel
 
PPTX
NIST Critical Security Framework (CSF)
Priyanka Aash
 
PDF
Quantifying Cyber Risk
Phil Huggins FBCS CITP
 
PDF
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Cohesive Networks
 
PPTX
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 
PPTX
Cybersecurity Capability Maturity Model (C2M2)
Maganathin Veeraragaloo
 
PPT-Security-for-Management.pptx
RSAArcher
 
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
SlideTeam
 
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
Cybersecurity Incident Management PowerPoint Presentation Slides
SlideTeam
 
Assessing Quality in Cyber Risk Forecasting
Jack Freund, PhD
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
jbasney
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
MarcoTechnologies
 
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
NIST critical_infrastructure_cybersecurity.pdf
ssuserb3094b
 
OSB50: Operational Security: State of the Union
Ivanti
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
robbiesamuel
 
NIST Critical Security Framework (CSF)
Priyanka Aash
 
Quantifying Cyber Risk
Phil Huggins FBCS CITP
 
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
Cohesive Networks
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 
Cybersecurity Capability Maturity Model (C2M2)
Maganathin Veeraragaloo
 
Ad

More from Open Security Summit (8)

PDF
Thinking in Graphs
Open Security Summit
 
PDF
Working in cross functional teams - The benefits (and Moonpig’s learnings)
Open Security Summit
 
PDF
OSS2018 Outcomes: Create Wardley Maps for multiple security scenarios
Open Security Summit
 
PDF
#w-owasp-cld-sec-wkshp Owasp cloud security workshop
Open Security Summit
 
PDF
Slack bot v0.4
Open Security Summit
 
PDF
#w-cell-struc-security Wardley Maps: Cell Bases structures for Security
Open Security Summit
 
PDF
Crossing the river by feeling the stones
Open Security Summit
 
PDF
#u-wardley-mapping Wardley Maps: practical session - 2 hour
Open Security Summit
 
Thinking in Graphs
Open Security Summit
 
Working in cross functional teams - The benefits (and Moonpig’s learnings)
Open Security Summit
 
OSS2018 Outcomes: Create Wardley Maps for multiple security scenarios
Open Security Summit
 
#w-owasp-cld-sec-wkshp Owasp cloud security workshop
Open Security Summit
 
Slack bot v0.4
Open Security Summit
 
#w-cell-struc-security Wardley Maps: Cell Bases structures for Security
Open Security Summit
 
Crossing the river by feeling the stones
Open Security Summit
 
#u-wardley-mapping Wardley Maps: practical session - 2 hour
Open Security Summit
 

Recently uploaded (20)

PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
KodekX | Application Modernization Development
KodekX
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 

w-cyber-risk-modeling Owasp cyber risk quantification 2018

  • 1. Cyber Risk Quantificaiton for insurance and underwriting transactions Proprietary & Confidential For Discussion Purposes Only
  • 2. 2 SKILLS YOU NEED A unique combination of capabilities allows Focal Point to solve the biggest and most complex challenges facing your organization, without requiring a web of different vendors. DATA IN OUR DNA Our focus on the data helps you look at your business from a new vantage point – so you can understand your risks in a way not otherwise possible. DELIVERABLES WITH INSIGHT We skip the jargon and get to the point. We deliver actionable insights, prioritized recommendations, and practical strategies for achieving your business goals. What Makes Focal Point Different
  • 3. WHAT WE DO We measure, improve, and manage your risks - protecting your most important assets and helping you achieve your business goals. HOW WE DO IT Top experts from the most in-demand fields are embedded into each engagement and build deliverables that have a meaningful impact on your business. WHO USES FOCAL POINT Many of the most innovative organizations in the world, including 5 of the 10 largest companies in the U.S., rely on Focal Point to manage their key risks. Enterprise risk management Cybersecurity Identity governance Data privacy Project advisory Workforce development Data analytics Internal and IT audit 3 CORE SERVICE AREAS About Focal Point
  • 5. Roadmap To Cyber Risk Measurement: Improving Insurance Strategy and Purchasing Decision Making 5 Step 1 LEVERAGE: Leverage Client’s NIST CSF, if available. Step 3 MEASURE: Outputs Inform Model/Scenario Testing to: Measure Scenario-based Impacts. Measure Mitigation Options / ROIs. Measure Overall Cyber Risk Profile. Step 4 INFORM: Helps Define an Appropriate Risk Strategy (e.g., Commercial and/or Captive use). Assists Alignment of Identified Gaps with Potential Solutions. Drives Optimization of Insurance Pricing, Coverage, Limits, and Deductible/SIR’s. Helps CISO’s Selection/Business Case around Security & Resiliency Investments. Step 2 EVALUATE: Client may opt to take an Online NIST Self- Evaluation (only), and/or undergo a deeper Cyber Readiness Evaluation (CRE) at a level matching Client’s needs. Leverage Information + Evaluate Risks + Measure Exposure = Inform Strategies & Solutions
  • 7. Basis for starting point risk model analysis: The NIST Cybersecurity Framework (NIST CSF) 7 The National Institute Of Standards & Technology (NIST) Cybersecurity Framework (CSF), or NIST CSF, is a risk-based framework created through collaboration between the U.S. government and private sector that frames a standardized set of cybersecurity concepts into best practices to help organizations manage cyber risks. The Framework consists of three (3) parts; the Core, Implementation Tiers and the Profile. The Framework Core provides a set of five activities to achieve specific cybersecurity outcomes, divided into five functions: Identify, Protect, Detect, Respond, and Recover. The Implementation Tiers provide context on how you view cybersecurity risk and your processes currently in place to manage risk. The Framework Profile represents the alignment of your cybersecurity activities with business requirements, risk tolerances, and resources. The Framework enables you to describe your current and target cybersecurity postures, identify and prioritize opportunities for improvement, and evaluate your progress toward your target state.
  • 8. 8 NIST CSF: Leverage Client Outputs – Apply An Existing NIST Cyber Evaluation (if any)
  • 9. Step 2: NIST CSF Online Scoring and/or Detailed Evaluation
  • 10. Online NIST CSF Self-Evaluation: Easy Answer/Framework Selection and Document Referencing 10 Samples
  • 11. Online NIST CSF Self-Evaluation: Sample Scoring Outputs 11 Current and Target Risk Comparison Comparative Scoring Analysis Detailed Scoring Results (optional)Summary Scoring & Benchmarking Results Samples
  • 12. Cyber Readiness Evaluation (CRE) Components: A Deeper Analysis To Inform More Robust Cyber Measurement 12 • Evaluate and score current state of cybersecurity framework using NIST standards, mapped to the NIST Cybersecurity Framework (CSF).NIST CSF Evaluation • Identify existing vulnerabilities (people, process, technology) that could be exploited by malicious actors. Cyber Vulnerability Evaluation • Identify current or historical compromise of information/data through analysis of system artifacts. Cyber Compromise Evaluation • Conduct a cyber threat simulation exercise that enables executives and staff to build practical experience responding to cyber threats. Cyber Threat Management Exercise • Validate the maturity of the incident response and cyber protection controls through a targeted cyber attack. Cyber Attack & Response (Pen Testing) • Review data access policies/standards and determine opportunities for internal and external threat actors to access sensitive corporate or other protected information. Internal and External Threat Actor Profiling
  • 13. Cyber Readiness Evaluation (CRE) Sample Deliverables: A Deeper Analysis To Inform More Robust Cyber Measurement 13 Current And Target State Positions Sample Written Recommendations
  • 15. 15 Framework Implementation Tiers Scoring and Gap Prioritization Tier 1 – Partial: cybersecurity risk management practices are either not formulated or are ad-hoc Tier 2 – Risk Informed: cybersecurity risk management practices are not organization-wide Tier 3 – Repeatable: there is an organization-wide management of cybersecurity risk Tier 4 – Adaptive: cybersecurity risk management is part of the organizational culture Use An Organized NIST CST Risk Taxonomy: Leveraging NIST Framework/Outputs For Model Preparation
  • 16. 16 Monte Carlo Simulation Overview: What Is It And Why We Use It Modeling a real system to learn about its behavior Building a set of mathematical and logical relationships Establishing and varying conditions to test different scenarios Providing a helpful solution when you do not have historical loss data
  • 17. 17 Monte Carlo Outputs: Understanding The Monte Carlo Simulation Process • Simulates the uncertainty in the assumptions • The program selects a value for the assumption, recalculates the spreadsheet, plots the forecast and repeats Random Number Generation • We build frequency and severity distributions for each selected Cyber Risk Factor (e.g., Access Control, Protective Technology, etc.) • We perform up to 50,000 year loss simulations and apply it to selected Cyber Risk Factors • The model simulates different loss outcomes and applied correlation and aggregate views to link results • This then provides an overall loss distribution along with a view of the associated variability around mean estimate (average) calculations Application of Model
  • 18. 18 Develop Key Modeling Assumptions: Samples Derivation of Assumptions:  Used the scores from the Cyber Risk Evaluation to estimate ABC's frequency scores.  Used ABC's revenue numbers and general industry patterns to estimate ABC's severity scores.  Used offsets from ABC's frequencies and severities to estimate XYZ's frequencies and severities. Key Assumptions:  The frequencies of each of the cyber risks range between a 6 and a 10 (between 3% and 50%).  The severities of each of the cyber risks follows profiles which are common in the industry.  The average severity loss among the cyber risks is around $17 million: a significant part of ABC’s revenue is from conferences.  XYZ’s risks are mostly around 1/2 as severe as ABC’s, since despite small revenue, its liabilities will grow rapidly given the new cloud exposure.
  • 19. Conduct Simulated Cyber Loss Scenarios: Inform Your Cyber Risk Profile And Optimize Your Risk Strategies 19 Total potential losses with no insurance Total potential losses after insurance Total potential losses beyond $50k deductible Total potential losses using two-factor authentication Example See Appendix For Larger Views
  • 21. Final Results Summarized: Informing Strategies And Solutions 21 What you asked us to do? Focus on the security and privacy exposures of ABC, especially in the light of the first year of XYZ’s development and operations Provide specific recommendations on insurance coverage structure, terms and conditions, and policy wording where appropriate How did we proceed? Applied the NIST CSF and scored your cyber risk profile. We reviewed policies, networks, systems, vendors, and interviewed ABC and XYZ management We identified and quantified cyber vulnerabilities and calculated potential losses based on the NIST framework We developed operational and cyber insurance coverage recommendations using the cyber loss profile results and coordinated with insurance broker to position account for a more strategic insurance placement What did we find? 1 There is over a 70% chance of a cyber loss 2 With the current $10 m limit, there is a 10% chance of a cyber loss exceeding $38 m including $50k deductible 3 A breach could reduce (or eliminate) future revenue or enrolment due to direct or consequential reputational impacts What do we recommend? 1 Adopt two-factor authentication to cut likelihood of breach and help lessen reputational impacts of a breach 2 Maintain current deductible, if possible, and increase the limit to $15 m to reduce average losses from $9.8 m to $7.3 m, using a $50 k deductible 3 Improve insurance policy features through alignment with the NIST CSF framework Example
  • 22. Baseline Risk Measurement: High concentrations of potential loss in controlling access with protective technology 22 Issue: How to evaluate Baseline cyber risk exposure without insurance and operational mitigation? Approach: – Use NIST taxonomy to drive review – Use risk experts to test and score likelihood and impact of potential cyber risk events associated with each NIST risk driver Findings: 10% chance of loss greater than $38 million with average losses around $17 million 1. Over 70% chance that a cyber loss could occur 2. Loss concentrated around Access Control and Protective Technology: both high frequency and high severity 3. Either could exceed current insurance limit levels Example
  • 23. Baseline Risk Measurement: Understanding Operational Risk Impacts and Reduction 23 Example
  • 24. How Can You Respond To Cyber Risk? Recommendation (1 of 3): Invest In 2FA To Help Reduce A Chance Of A Breach 24 ➢ Issue: How do we evaluate an emergent and insurgent risk and understand operational mitigations? ➢ Approach: – Use NIST taxonomy to drive comprehensive review – Simulate the range of potential losses associated with each NIST risk driver – Apply simulation to operational mitigations ➢ Insight: 10% chance of loss greater than $38 million with average losses around $17 million, highly concentrated around Access Control and Protective Technology. ➢ A failure in Access Control can present a significant reputational risk to the ability to attract and maintain clients, particularly during its early years. An Access Control failure in one part of the business can have a consequential reputational impact on others. RECOMMENDATION ➢ Idea: Operationally protect core revenues and start-up situations. Implement Two Factor Authentication (2FA) which reduces by at least 10% the chance of loss impact, by $1 - $2 million This may also reduce reputational impacts from a breach 2-Factor Authentication May Reduce the Losses from a Breach 34 35 36 37 38 10%ChanceofLess($million) Loss Mitigation Remaining Loss Note: 2FA offers a noteworthy reduction in the attack horizon, however the attack surface (as with all networks with any kind of inter web connectivity) still remains high for other types of attacks (phishing, SQL cross-site, etc.) that are not quantifiable as a percentage with any accuracy. Even IF 2FA reduced the exposure by a measurable amount a protected connection is still vulnerable if the connecting system is already infected. Example
  • 25. How Can You Respond To Cyber Risk? Recommendation (2 of 3): Optimize Insurance Coverage Relative To Potential Cyber Losses 25 Use Insurance Coverage to Reduce Potential Cyber Losses 20 25 30 35 10%ChanceofLess($million) Loss Mitigation Remaining Loss Note: Loss Mitigation estimates include an assumption for a $50,000 insurance deductible. ➢ Issue: How do we evaluate an emergent and insurgent risk and understand potential mitigations? ➢ Approach: ➢ Use NIST taxonomy to drive comprehensive review ➢ Simulate a range of losses for each risk driver ➢ Apply simulation to financial mitigations ➢ Insight: 10% chance of loss greater than $38 million with average losses around $17 million RECOMMENDATION ➢ Idea: Financially protect core revenues and new membership enrolment Increase Cyber Insurance Policy Limit by $5 million Reduce the estimated loss impact to $23 million Reduce the average loss to approx. $7.3 million Example
  • 26. 26 ● Host Scripts ● Commercial Tools ● Client Interviews ● System Logs ● Volatile Data ● File Metadata ● Network information ● User Account Information ● Find Malware ● Identify Exfiltration ● Enumerate Compromised Users ● Locate All Affected Systems Issue: How do we manage policies to mitigate an emerging and insurgent risk like cyber? Approach: – Provide an in-depth policy coverage review – Map NIST framework to policy items – Discuss potential gaps with broker and determine the market’s ability to customize coverage – Assist in preparing underwriting documents to educate markets and obtain customized solution – Review quotes and coverage against NIST Map when received Insight: Some NIST-based risks are not covered cleanly in many existing cyber policies (e.g., Reputational impacts) RECOMMENDATION Idea: Design and acquire customized cyber coverage better matching to actual risk variables & controls How Can You Respond To Cyber Risk? Recommendation (3 of 3): Improve Policy Structure Working with brokers, provide underwriting markets with clear coverage requirements matching risk exposures to customize coverage to reduce risk of coverage issues in case of a claim. Example
  • 27. How Can You Manage Cyber Risk? Recommendation (3 of 3): Align Your Framework To Cyber Insurance Coverages 27 A FAILURE IN… WOULD LIKELY TRIGGER COVERAGE UNDER… Security & Privacy Liability Multimedia & IP Liability Technology Services Misc. Prof. Services Network Interruption & Recovery Event Support Expense Privacy Regulatory Defense & Penalties Network Extortion Electronic Theft & Computer Fraud Reputational Damage Cyber ID and Governance Y No Coverage Y No Coverage Y Y No Coverage Access Control Y No Coverage Y No Coverage Y Y Y Y Y No Coverage Awareness and Training No Coverage No Coverage Y No Coverage Data Security Y No Coverage Y No Coverage Y Y Y Y Y No Coverage Maintenance Y No Coverage Y No Coverage Y Y Y No Coverage Protective Technology Y No Coverage Y No Coverage Y Y Y Y Y No Coverage Detection Y No Coverage Y No Coverage Y Y Y Y No Coverage Response & Recovery No Coverage No Coverage Y Y No Coverage Example
  • 28. For Future Consideration: Updating and Extending Analysis ▸ Determine an acceptable risk tolerance level ▸ Select Operating Margin or Net Income (vs Revenue) as a basis for analysis ▸ Update analysis on an annual basis ▸ Add new inputs, looking at the effects of other operational changes ▸ Add new external data about different insurance coverage options available in the market 28 Example
  • 31. Simulated Losses: Total Potential Cyber Losses – Excluding Insurance 31 Example
  • 32. Simulated Losses After Insurance: Total Cyber Losses After Current Insurance 32 Shows $9.7m average net residual loss exposure (uninsured losses) Example
  • 33. Simulated Losses Beyond Deductible: Total Cyber Losses Beyond $50k Deductible 33 Shows $17m of exposure remaining which can be mitigated through higher insurance limits Example
  • 34. Simulated Losses Under Two-Factor Authentication: Total Losses Using 2FA 34 Shows improvement in the value of cyber losses (less) post implementation of two-factor authentication (2FA) technology (mitigation solution)
  • 35. Enterprise Risk Impacts: Correlated Cyber Risk Impact Views 35 Example
  • 37. Case Study Example: Solving For An Enterprise-wide Cyber Loss Profile 37 • Assisted a prominent global healthcare research organization with qualifying and quantifying operational risks, and doing so with a key focus on identifying emerging cyber risk related loss exposures. • The operational risk assessment involved estimating and quantifying the value of a vast amount of longitudinal research studies (a key organizational product sold into the marketplace) that were critical to annual revenue. • The product was largely warehoused in a proprietary IT system that was undergoing operational changes. Worked with internal client teams to assess the cyber risk profile and apply NIST/COBIT/ISO27K control and risk frameworks and develop a gap analysis’. • Proposed appropriate risk mitigation strategies involving personnel, enhanced processes and additional technology. Specific insurance solutions were also examined.
  • 38. Case Study Example: Solving For An Enterprise-wide Cyber Loss Profile 38 • This organization then asked to: • deeply test its cyber security environment across multiple IT networks and across both mature and immature technology environments; • categorize, quantify, and model its operational cyber risks; and • understand how its cyber risk profile impacts its enterprise wide risk mitigation strategies and insurance (limits and coverage). • Responses and solutions included: • performing numerous ERM and operational cyber risk assessments (e.g., vulnerability & compromise assessments, external network scans, ERM risk maturity assessments and reports.) to produce qualitative and quantitative reporting of operational risks; • developing a risk taxonomy that is useful for operational risk assessment; more fully aligned with the NIST framework. Developed a unique approach to a cyber risk scoring methodology; and • using operational risk modeling results to help inform various operational risk and financial risk hedging strategies the organization can undertake as part of its overall ERM and risk management strategies.
  • 40. Background 40 Yvette Connor joined Focal Point in 2017 as its Chief Risk Officer and head of the Enterprise Risk Consulting practice. Ms. Connor has more than 20 years of experience building, and implementing and testing enterprise risk frameworks. She is a thought leader on emerging risk and efficient ways to effectively manage and link enterprise risk frameworks with regulatory, InfoSec, compliance, and audit platforms. Ms. Connor focuses on identifying opportunities for value creation, including building decision-driven models informed by risk awareness and organizational behavior. Immediately prior to joining Focal Point, Yvette Connor was a Managing Director with Alvarez & Marsal Insurance and Risk Advisory Services in Chicago, where she focused on global Enterprise Risk Management engagements and developed an approach for Enterprise- wide cybersecurity risk valuation. Ms. Connor’s research is focused on ways companies identify risk priorities broadly throughout an organization or more narrowly, by going deeper into a specific risk topic. Her master’s thesis,: “Does Risk Management Matter to Shareholders,” describes a methodology to financially assess the impacts of “sophisticated” risk management on both profitability and growth. Prior to A&M, Ms. Connor served as the Director of Client Engagement for Marsh,, Inc. where she lead a proprietary global servicing model designed to define clients’ business needs and risk priorities, design optimal risk management responses, and deliver value-add solutions (Marsh 3D). Ms. Connor is the lead designer of the Dynamic Risk Mapping tool utilized by Marsh, Inc, within their global iMap analytics offering. Prior to joining Marsh in 2010, Ms. Connor was the Director of Risk Management at Vulcan Inc., a privately held company, with a diverse portfolio of over 200 operating companies. While at Vulcan, Ms. Connor led the development of a multi-disciplinary risk management department and rolled out an enterprise-wide risk management framework across a portfolio of stakeholders and companies.. Ms. Connor was the Vice President of Risk Management at Roll International (now, the Wonderful Company), a global food producer, distributor and product manufacturer, as well as Director of Insurance and Risk Financing at Sutter Health. Ms. Connor earned a master’s of science degree in risk management at NYU and an MBA in finance at University of California, Davis., graduating Beta Gamma Sigma (highest honors). In 2013, Business Insurance magazine named Ms. Connor as one of the “Women to Watch” in Risk Management and Insurance, confirming her talents as a leader and innovator for risk management excellence. In 2008, Treasury and Risk magazine named her as one of the up and coming key leaders in treasury risk, as part of their “40 under 40 list.” Yvette Connor Chief Risk Officer & Lead Engagement Partner Enterprise Risk Consulting
  • 41. Background 41 Bill Foote joined Focal Point in 2017 as a Senior Director/Strategic Advisor in its Enterprise Risk Consulting practice in New York City and is focused on supporting and delivering ERM solutions to Focal Point clients. Dr. Foote has over 40 years of risk and performance modeling and consulting experience in private and public sector organizations. Dr. Foote has led several public and sector enterprise risk quantification and management initiatives, and he has specialized expertise across several functional domains including quantitative and qualitative modeling of market, credit, and operational risk. Immediately prior to joining Focal Point, Mr. Foote was a Director with Alvarez & Marsal’s Insurance and Risk Advisory Services in New York. While at A&M, Dr. Foote has designed, developed and built an enterprise risk management process, governance, quantification, and reporting capability for impending ORSA and existing business decision making requirements. He also built enterprise risk measurement and reporting for mitigation decisions and regulatory disclosure by senior management of a major U.S. asset manager. Dr. Foote has built market, credit, and operational risk functionality for financial services, energy, manufacturing, and public sector firms. Specifically for credit, he implemented credit risk governance, risk factor identification and quantification, transaction structuring, collateral and counterparty management, and the production of reviews, reports, presentations for regulators, investors, management, and public disclosure. He also provided expert testimony in legal and regulatory proceedings regarding credit risk practices, transactions and risk management systems, collateral valuation, analysis of credit events and their impact on asset portfolios. Dr. Foote has participated in the structuring of transactions to mitigate credit risk and provided specialist valuation services for management and external auditors. On other projects at Paraclete, Dr. Foote advised a major pharmaceutical to improve margins and reduce treasury, marketing, and sales process costs on an operating annual budget by designing integrated valuation, risk control assessment and assurance, value chain, decision, real options pricing, and KPI taxonomies to deliver enterprise risk and performance strategy for CFO business planning and budgeting function; constructed business simulation, scenario analysis, stress testing, capital modeling and review to support project management based on integrated taxonomies. Prior to working with Alvarez & Marsal, Dr. Foote started his career, and was credit trained, at Manufacturers Hanover, and was more recently a Senior Manager with Ernst & Young, a Firm Director with Deloitte & Touche, a Vice President with Charles River Associates, and most recently a Principal at Paraclete Risk Solutions. Dr. Foote holds his M.A. and Ph.D. in Economics from Fordham University, and also has a B.A. in Classical Languages and Philosophy from Fordham. Bill Foote Senior Director Enterprise Risk Consulting
  • 42. Background 42 Daniel Barwick is a Director with Focal Point’s Enterprise Risk Consulting practice. He specializes in market, credit and operational risk analysis and mitigation. With more than 14 years of Risk Management experience, Mr. Barwick’s primary areas of concentration are with the analytics/models for risk metrics and valuations and the associated systems and methods to gather the data to drive these models. Prior to joining Focal Point, Mr. Barwick was a Director in Alvarez & Marsal (A&M)’s Enterprise Risk Management practice where he worked on complex risk quantification projects related to Technology risk, among others. Prior to A&M, Mr. Barwick served as a subject matter expert for bulge bracket banks working on their CCAR (Capital adequacy reviews) reviews of their market risk models for CVA, trade and derivative models. Along with the review of these models Mr. Barwick also added insight and opined on the system layouts and governance processes currently in place, suggesting new measures where applicable to mitigate procedural and operational risk to the companies. Mr. Barwick has experience in the auto leasing industry where serving as an analyst he helped to model the residual values for autos. He also performed analysis on the potential resale values and impacts of tax benefits such as like kind exchange on the pricing and value of the portfolio at large. Before his transition to consulting, Mr. Barwick served as a financial engineer for Fannie Mae in Washington DC, where he helped to specify the design of and roll out new risk system updates to the models and systems responsible for various market risk, credit default, prepayment and trade analytics across the company. Additionally, prior to his service at Fannie Mae, Mr. Barwick gained valuable counterparty risk experience at Ditech mortgage in Fort Washington PA, where functioning as a risk manager assessing the companies aggregate market exposure to third parties and ensuring these assessed risk were within established tolerances. While at Ditech, Mr. Barwick helped to redesign their counterparty risk system during the company’s divestiture from Ally Bank form scratch into a more cost effective form to meet the needs of the new formed small business. Mr. Barwick earned a bachelor’s degree in finance from Virginia Polytechnic and State University and a master’s degree in Finance from George Washington University. Daniel Barwick Director, Enterprise Risk Consulting
  • 43. Background 43 Damon Levine is a published enterprise risk management thought leader, industry speaker, and practitioner, serving as a Director in Focal Point’s Enterprise Risk Management practice. Mr. Levine has more than 20 years’ experience in enterprise risk management, asset management, quantitative modeling, consulting, and insurance. His specialties include risk-reward optimization, risk appetite and limit systems, risk modeling, risk training, and linking ERM to strategy and company value. Mr. Levine emphasizes a business-enabling approach to risk management that reflects a company’s culture, business goals, and resources. Mr. Levine has researched and developed approaches to improve risk culture, embed ERM in operating companies, and optimize both return on capital and earnings as a function of product allocation. He is the winner of the Actuarial Foundation's ERM Research Excellence Award for his whitepaper "Enterprise Risk-Reward Optimization: Two Critical Approaches" and the Joint CAS/CIA/SOA Award for Practical Risk Management Applications for "Growth in Stock Price as the ERM Linchpin". Prior to joining Focal Point, Mr. Levine served as Vice President, Enterprise Risk Management for Assurant Inc., where he developed and implemented its risk framework and risk governance infrastructure while serving on the ERM, Information Security, and Benefit Plan Investment Committees of this global Fortune 300 insurer. In that role, he partnered with all business lines and functional areas to manage risk exposures and mitigations for financial, credit, market, operational, and insurance risks. He is a frequent speaker at RIMS, the Enterprise Risk Management Symposium, Insurance Nexus, the Actuarial Society of NY, and Marcus Evans conferences. He has taught actuarial mathematics at Columbia University, was published in The Actuary, and has been included in Society of Actuaries' exam syllabus. He authored the March 2017 cover article for the CAS/CIA/SOA Joint Risk Management Section. Mr. Levine holds a Masters in Mathematics from the University of Maryland at College Park and a BA in Statistics/Mathematics from the State University of New York at Buffalo, where he graduated Summa cum Laude, Phi Beta Kappa, and received the Best Undergraduate in Mathematics award. He is a Chartered Financial Analyst (CFA) and Certified Risk and Compliance Management Professional (CRCMP) with over 20 years' experience in ERM, cyber risk management, COSO, ORSA, insurance, quantitative modeling, asset management, and consulting. Damon Levine Director Enterprise Risk Consulting
  • 44. Background 44 Doug Richter joined Focal Point in 2017 as a Manager in its Enterprise Risk Consulting practice in New York City. Mr. Richter brings extensive experience in the areas of ERM, corporate risk management, insurance, and project management (PMO) in the staffing, insurance, manufacturing, oil & gas, technology, pharmaceutical, and construction industries. Immediately prior to joining Focal Point, Mr. Richter was a Manager with Alvarez & Marsal Insurance and Risk Advisory Services (A&M) in New York and a member of its ERM team. While at A&M, Mr. Richter has helped lead multiple engagements that has included project work with a large healthcare insurer, state governments, and a staffing company, working across multidisciplinary teams on a variety of projects. Mr. Richter also served as Director of M&A Transaction Services at The Hauser Group based in New York. Mr. Richter was responsible for performing and managing the Risk Management and Insurance due diligence process and developing the go-forward recommendations for Hauser’s Private Equity partners and related portfolio companies. Prior to joining Hauser, Mr. Richter was a Management Consultant with Deloitte Consulting LLP’s Actuarial, Risk and Analytics (ARA) practice in New York City for over four years where he regularly served some of Deloitte’s largest clients. Amongst his risk management and insurance work, Mr. Richter led two major PMO insurance & risk management work streams on Coca-Cola’s acquisition of Coca-Cola Enterprises and Pfizer’s merger with Wyeth. Mr. Richter also managed the day-to-day PMO of Deloitte’s Audit engagement of MetLife, covering its global operations. Prior to joining Deloitte in January 2008, Mr. Richter was a risk manager with Volt Information Sciences, Inc., a Fortune 1000 multi- services company. He was responsible for managing, monitoring, and responding to various risks and losses at several thousand domestic and international company and client-worksite locations of a contingent workforce of nearly 55,000 and an annual workers’ compensation program in excess of $30 million. Mr. Richter also worked for Allstate Insurance Company where he served as Associate, servicing personal and commercial lines of insurance coverage. Among his responsibilities included field-level underwriting of new business risks as well as performing initial loss assessments in processing policyholder’s property and casualty claims. Mr. Richter has co-authored numerous thought leadership articles on a variety of risk management and insurance topics including product recall, safety analytics, directors & officers liability, and sustainability. Mr. Richter earned a bachelor's degree in Economics with a concentration in Business from Indiana University, Bloomington. Mr. Richter also holds the Associate in Risk Management (ARM) designation. Doug Richter Manager Enterprise Risk Consulting
  • 45. Background 45 Soraya Wright, is a Consultant in Focal Point’s Enterprise Risk Consulting practice and has over 30 years of experience managing complex risks for global businesses. She leverages her experience to identify and evaluate enterprise risks and determine appropriate mitigation and risk finance strategies. Soraya previously held executive positions, including VP-Global Risk Management & Crisis Management at The Clorox Company where she was responsible for leading Clorox’s enterprise risk management program, the Company’s global insurance strategy, crisis management and business continuity for worldwide operations, and President-Board of Directors of the Company’s captive insurance subsidiary which she formed; and, VP-Enterprise Risk Management at Target where she was recruited to launch the strategy and centralized oversight of Target’s post-breach enterprise risk management program. Soraya is committed to community service and has served in a leadership capacity at over a dozen community and professional organizations, including the Board of Trustees at Holy Names University, Oakland’s Children’s Hospital Foundation, and the East Oakland Youth Development Center’s Board of Directors. In recognition for her community service, The United Way honored Soraya with the Adele K. Corvin Outstanding Agency Board Volunteer Award. Sought out for her expertise, Soraya has served on the Client Advisory Board of several insurance companies and commercial insurance brokerage firms including ACE (Chubb), FM Global, and MARSH. She is a frequent speaker at Risk and Insurance Management Society (RIMS), Advisen, and Hawaiian Captive Insurance Forum conferences, covering a broad range of risk management topics including Enterprise Risk Management (ERM) strategies, managing executive risks, forming captive insurance companies and managing complex claims. Soraya received her BA in Business Administration & Economics from Holy Names University. She is a member of the Executive Leadership Council (ELC) and Delta Sigma Theta Sorority, Inc. In December 2015, Soraya was named by Business Insurance as a “Woman to Watch”. Soraya Wright Consultant Enterprise Risk Consulting
  • 46. Contact Us Headquarters 201 E. Kennedy Blvd. Suite 1750 Tampa, FL 33602 Focal-point.com Focal Point Data Risk @focalpointdr Yvette Connor CRO | Enterprise Risk Consulting Leader yconnor@focal-point.com 206.669.7440
  • 48. Our Integrated Cyber Risk Measurement Process 48 Identify Risks Through A NIST-CSF and/or CRE Evaluation Assess Evaluation Outputs, Perform Modeling, and Measure Cyber Risk Impacts & Profile Clear Analysis/Visualizations Inform Risk-based Decisions
  • 49. Using An Integrated Approach To Cyber Measure 49 Technology & Security Enterprise-wide Risk Based Decision Making Governance, Risk and Compliance Cyber Risk ERM ORSA NAIC NY DFS ERM Compliance Audit GRC ERM NAIC NY DFS NIST COBIT 5 ISO
  • 50. Key Considerations Addressed In Three Steps 50 What are our key cyber risks: would they adversely impact our operations and/or income? Evaluate over an annual 12 month timeline Align with risk factors and enterprise risk categorization Risk Identification: What is the likelihood this risk would occur over the next year? If the risk occurred, what is the average value of an expected financial loss? What are our current responses and how are we mitigating risk impacts? Risk Quantification & Mitigation: How does this information drive risk-based decision making and results? What actions do we need to take now and which ones can we defer? How do we monitor and report on our risk and mitigation activities? Risk Reporting & Monitoring: Model Simulation NIST Assessment Risk Decision Making
  • 51. 51 Risk Manage Risk Transfer Many enterprises’s primarily focus its traditional cybersecurity spend to develop suitable risk management measures to put in place the right protection, detection, and basic response measures. Cyber insurance, as an example, is typically used to provide response, recovery, and liability management support. Company Primary Responsibility Insurance Support Cyber Risk Management Lifecycle Organization’s Primary Responsibility Insurance Carrier Responsibility Protect Detect Respond Recover Insurance & Risk Transfer Leverage Quantified Results To Drive More Robust Insurance And Operational Risk Decision Making
  • 52. Conduct Modeling and Scenario Testing 52 ➢ Focal Point applies NIST evaluation outputs and assumptions, estimates, scenarios, and any relevant inputs into our Ellipse quantification and simulation tool to derive cyber risk exposure and loss estimates. ➢ Each defined cyber risk scenario runs through Ellipse to estimate the potential losses for that scenario. The Ellipse model uses various model inputs within a Monte Carlo simulation, and in combination with other statistical techniques, develops cyber loss estimates. These scenarios will help inform the basis of our Client’s cyber risk exposure/profile. ➢ The cyber loss estimates are estimated at the 95% confidence level, as well as 55% and 75%.
  • 53. Example Finding: Value Of Insurance And Risk Transfer 53 We modeled cyber losses for both organizational entities together, since they will be insured together, and considered implementation of two-factor authentication given this was a likely investment decision: ● Our modeling showed average cyber losses of $16.54 M before insurance ● With current insurance, cyber liabilities would be reduced to $9.79 million ● With another $5M of insurance coverage would be reduced to $7.3 million ● On an average basis, this additional coverage would be worth $2.5 million. $0mm $5mm $10mm $15mm $20mm with higher $15 M insurance limit with current $10 M insurance limit without insurance Cyber Losses ($ million)
  • 54. Example Recommendation: Determine Value of Risk Transfer And Insurance 54 ● Our recommendation is to adopt two-factor authentication (2FA): ● Our modeling estimates that 2FA would reduce the frequency of an Access Control event by 50% ● Without insurance, 2FA would reduce average losses by $4 million ● With current insurance, 2FA would reduce average losses by $3 million. $0mm $1mm $2mm $3mm $4mm $5mm under current insurance without insurance Potential Loss Reduction from Two-Factor Authentication ($ million)
  • 55. Final Results Visualized (illustrative Access Control example) 55