2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and...
-
Upload
isalliance -
Category
Documents
-
view
214 -
download
0
Transcript of 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and...
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
1/20
Larry ClintonPresident
Internet Security [email protected]
703-907-7028
202-236-0001
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
2/20
ISAlliance Mission Statement
ISA seeks to integrate advancedtechnology with business economics
and effective public policy to create a
sustainable system of cyber security.
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
3/20
ISA Board of Directors
Ty Sagalow, Esq. ChairPresident, Innovation Division, ZurichTim McKnight Second V Chair,CSO, Northrop Grumman
Ken Silva, Immediate Past Chair, CSO VeriSignLt. Gen. Charlie Croom (Ret.) VP Cyber Security, Lockheed MartinJeff Brown, CISO/Director IT Infrastructure, RaytheonEric Guerrino, SVP/CIO, Bank of New York/Mellon FinancialPradeep Khosla, Dean Carnegie Mellon School of Computer SciencesJoe Buonomo, President, Direct Computer ResourcesBruno Mahlmann, VP Cyber Security, DellLinda Meeks, VP CISO Boeing CorporationJustin Somaini, CIO, SymantecGary McAlum, Sr. VP & CSO, USAAAndy Purdy, Chief Cyber Security Strategist CSC Corp.
J. Michael Hickey, 1st Vice ChairVP Homeland Security, VerizonMarc-Anthony Signorino, TreasureNational Association of Manufacturers
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
4/20
Roles and Responsibilites
The private sector owns 95% of the cyberinfrastructure
Government must provide for thecommon defense
The private sector must, by law, operate---not in the public interest---but to maximizeshareholder value
Economics must be at the core of thepublic private partnership
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
5/20
Cyber Security Economicsare Skewed
Responsibility, costs, harms andincentives are misaligned
Individual and Corporate Financial loss National Defense Core investment is undermined by edge
insecurity Enterprises are not structured to properly
analyze cyber risk
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
6/20
CURRENT ECONOMIC INCENTIVES
FAVOR ATTACKERS
Attacks are cheap and easy Vulnerabilities are almost infinite Profits from attacks are enormous
($ 1 TRILLION in 08)
Defense is costly (Usually no ROI) Defense is often futile Costs of Attacks are distributed
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
7/20
Historic Role of Insurance inCyber Security Policy
2002 The National Strategy to SecureCyber Space---market approach but noneed for incentives---policy makers think
insurance not ready for prime time
2004 Congress Creates CorporateInformation Security Working Group w/
Subgroup on incentives---cyber insuranceis advocated
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
8/20
Cyber Insurance in NationalPolicy
2006 ISA issues White Paper on the publicpolicy benefits of cyber insurancetestifies before Commerce and HLS
2007 ISA to Department of CommerceEconomic Security Working Group
2007 ANSI & ISA Publish 50 QuestionsCFOs Should Ask @ Cyber Security w/ Chon insurance & financial risk mangement
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
9/20
Public Policy & CyberInsurance History
2008 ISA Social Contract advocates useof cyber insurance
2009 President Obamas Cyber SpacePolicy Review advicates use of marketincentives
2009 Dept. of Homeland Security CrossSector Cyber Security Working Group (allcritical sectors) advocates incentivesincluding cyber insurance
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
10/20
History of Public Policy &Cyber Insurance
2010 White House holds spring conferececall w/industry academics and govt. on theuse of cyber insurance
FDIC holds conference on economics ofcyber security
Dept. of Commerce issues Notice ofInquiry on economics of cyber securityincluding use of cyber insurace
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
11/20
Legislation
Over 40 bills introduced covering Organizational ResponsibilitiesCompliance and Accountability
PII /data theft Cyber Security Education & R & D Critical Infrastructure/Vulnerability Analysis International Cooperation and Cyber crime Procurement Acquisition & Supply Chain
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
12/20
Some Major Bills
S 139 & HR 2221 Data Breach S 1438 & HR 4692 Internat Cyber CrimeS 921 FISMA Reform
HR 2071 Intel Reauthoriztion S 773 Comprehenseive (Commerce
Committee) S 3480 Comprehensive (Homeland
Security Committee)
HR 5026 Grid Reliability & Infrastructure
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
13/20
What (we think) is in the bill
Establish Private Sector Responsibility forCritical Infrastructure Protection
Govt. Role is oversight and assurecompliance (not fund)
Legislatively establish the cyber czarCreate mandatory technical standards forthe most critical infrastructure
Require bi-annual cyber security audits w/heavy civil fines for non-compliance
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
14/20
State of Play---Legislative
Majority Leader Reid has asked foragreement on a cyber security package
Combined Commerce/HLS bill circulatingamong other Senate Committies
New Draft expected shortlyHouse has not weighed in
White House has not weighed in Industry is fairly concerned
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
15/20
We need a total riskmanagement approach
The security discipline has so far beenskewed toward technologyfirewalls, ID
management, intrusion detectioninsteadof risk analysis andproactive intelligencegathering.
PWC Global Cyber Security Survey
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
16/20
Senior Exec do ARE NOT analyzing
Cyber Risk adequately
There is still a gap between IT andenterprise risk management. Surveyresults confirm the belief among IT
security professionals that Boards andsenior executives are not adequatelyinvolved in key areas related to the
governance of enterprise security.2010 Carnegie Mellon University CyLab Governance of
Enterprise Security Survey
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
17/20
Financial Management of
Cyber Risk
It is not enough for the information technologyworkforce to understand the importance ofcybersecurity; leaders at all levels of
government and industry need to be able tomake business and investment decisionsbased on knowledge of risks and potential
impacts.Presidents Cyber Space Policy Review May 30, 2009
page 15
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
18/20
White House Meeting onCyber Security July 14
President Obama, Sec Locke, Sec.Napolitano, Howard Schmidt (others)
Commerce speaks before DHS Schmidt: need to up costs for attackers Obama: interconnected nature of the
internet will make it difficult to regulate forsecurity
Legislation moving in different direction
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
19/20
Obamas Report on Cyber
Security (May 30, 2009)
The government, working with State and localpartners, should identify procurement strategies thatwill incentivize the market to make more secure
products and services available to the public.Additional incentive mechanisms that thegovernment should explore include adjustments toliability considerations (reduced liability in exchangefor improved security or increased liability for theconsequences of poor security), indemnification, tax
incentives, and new regulatory requirements andcompliance mechanisms.Presidents Cyber Space Policy Review May 30,2009 page vs.
Quoting Internet Security Alliance Cyber SecuritySocial Contract: Recommendations to the Obama
th
-
7/31/2019 2010 09 27 Larry Clinton Cyber Data Risk Insurance Event on Federal Regulatory Developments and Their Impact on Coverage and Litigation
20/20
Larry ClintonPresident
Internet Security [email protected]
703-907-7028
202-236-0001