Business continuity management and cyber resiliency - IASA

Page 1

Business continuity management and cyber resiliency

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Page 2

Introductions

Eric Wunderlich, CRMA, ABCP
Senior Manager – Risk and Internal Audit
[email protected]
312 729 8185

Page 3

Agenda

> Business Continuity Management Overview
> Top Threats and Vulnerabilities
> Trends and Other Considerations

Page 4

The Cost of Disruption

– $11.6M: average cost of cyber attack and data breach
– Up to $58M: average costs for remediation
– $53,210: minor incidents, average cost per minute of downtime
– Up to $14.25M: average cost of IT outage over 24 months
– 2nd: rank for sources of supply chain disruption
– Up to $360,000: average cost of severe weather related events

Figure categories: IT Outage; Cyber / Data Breach; Severe Weather

Source: Business Continuity Institute, “Counting the Cost”, 2014

Page 5

Cybersecurity in Insurance

> Higher incidence of cybersecurity threats and attacks
– 2nd most frequently hacked sector and top ten sub-sector
– 41 known security breaches in the insurance sector
– 3.5 million identities stolen in the finance/insurance industry in 2016

> Common attacks include phishing and ransomware
– 60% of all attacks were ‘insiders’
– Of that 60%, roughly two-thirds of these insider attacks were carried out with ‘malicious intent’
– Ransomware is mostly distributed via e-mail, with an average of 1,200+ global ransomware detections daily

FBI estimates that $400 billion in intellectual property is leaving the US each year

Page 6

Business Continuity Defined

“Business Continuity Management is a management process that identifies risk, threats and vulnerabilities that could impact an entity’s continued operations and provides a framework for building organizational resilience and the capability for an effective response.”
- Disaster Recovery Institute

“Business Continuity Management is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
- ISO 22301:2012

Page 7

Business Continuity Overview

Figure: six-phase program lifecycle
1. Program Initiation and Planning
2. Risk Evaluation and Control
3. Business Impact Analysis (BIA)
4. Develop Continuity Plans
5. Training and Implementation
6. Testing and Maintenance

Ongoing Project Management and Communication (spans all six phases)

Page 8

Business Continuity Overview

Plan | Responsibility | Focus of Plan | Objectives
Emergency Response | Facility | Get the people out safely | Develop procedures and policies to ensure the safety of employees, visitors, and community immediately after the occurrence of an event.
Crisis Management | Crisis Management Team | Protect the company | Focus corporate efforts to respond to any incident that has a significant negative impact to the enterprise.
Business Continuity | Facility or Major Function | Get the business up and running | Establish procedures that provide for the continuation of business operations in the event of a crisis on the corporate, divisional, or site level.
Disaster Recovery | IT | Get the systems up | Establish system recovery plans to restore technology (access to data and systems) in the event of a disaster.

Page 9

Business Continuity Overview

Crisis Management / Business Continuity Plan – objective: back-to-normal as quickly as possible

Timeline (figure): Incident – Time Zero; Emergency Response within minutes after the onset of an event; Crisis Management, Business Continuity and IT Disaster Recovery run from minutes to days – depending on what’s needed to survive; then Back to Normal.

Page 10

Program Initiation and Planning

> Establish the need for BCM
– Regulatory and/or contractual
– Organizational objectives
– Competitive advantages

> Obtain leadership and management support for BCM
– Develop mission statement and/or charter
– Establish objectives and program structure
– Identify budget and resource needs
– Develop project plans and timelines
– Assign responsibilities

> Communicate, communicate, communicate
– Establish clear communication channels
– Disseminate across the organization

Page 11

Risk Evaluation and Control

> Gain agreement on risk assessment and tolerance
– Understand organization’s risk tolerance
– Establish measurement criteria

> Conduct information gathering activities
– Develop risk universe
– Collaborate with other groups and functions

> Evaluate and classify risk impacts and vulnerabilities
– Evaluate impacts of risks related to availability of personnel, information technology, and communication

> Identify and evaluate effectiveness of controls and safeguards

Figure: risk heat map of Impact against Likelihood, with cells labelled High Impact / Moderate Likelihood, Moderate Impact / High Likelihood, High Impact / High Likelihood, and Moderate Impact / Moderate Likelihood.

Page 12

Business Impact Analysis

> Establish process and methodology
– Define objectives and scope
– Identify criteria to quantify and qualify impact
– Determine data collection and information gathering approaches

> Conduct data gathering activities
– Processes and/or functions
– Minimum resource requirements
– Interdependencies

> Prioritize processes and determine order of recovery
– Identify gaps between current recovery capabilities and results of BIA

Page 13

RTO and RPO Illustration

Figure (timeline, left to right): Data Backup → Disruption → Initial Data Loss → Recovery of operations (BC strategy activated) → Function / Service / Application operational to owner’s definition → Business process functional. Post-Disruption Data Loss (Backlog)… accumulates after the disruption; RTO is marked on the time axis.
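The BIA steps on page 12 (prioritize processes, determine order of recovery, identify gaps between current recovery capabilities and BIA results) and the RTO/RPO illustration above, carried through as an added worked example that is not part of the presentation: the Python below runs over constructed BIA data (the process names, targets, capabilities and dependencies are assumptions for a hypothetical insurer), flags RTO and RPO gaps, including RTO gaps that only appear once interdependencies are counted, and derives a recovery order.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter

@dataclass
class Process:
    name: str
    rto_hours: float               # BIA target: max tolerable outage
    rpo_hours: float               # BIA target: max tolerable data-loss window
    current_recovery_hours: float  # what today's DR capability actually delivers
    backup_interval_hours: float   # how often the data is backed up today
    depends_on: list = field(default_factory=list)
# Added example, not from the slides: constructed BIA data for a hypothetical insurer.
SAMPLE = [
    Process("Network/AD", 2, 24, 1, 24),
    Process("Policy admin DB", 4, 1, 2, 4, ["Network/AD"]),
    Process("Claims portal", 4, 4, 2, 4, ["Policy admin DB"]),
    Process("Payroll", 72, 24, 8, 24, ["Network/AD"]),
]

def effective_recovery_hours(name, by_name, memo):
    """Hours until `name` is usable: its restore starts only after every dependency is back."""
    if name not in memo:
        p = by_name[name]
        deps = [effective_recovery_hours(d, by_name, memo) for d in p.depends_on]
        memo[name] = p.current_recovery_hours + (max(deps) if deps else 0.0)  # deps restore in parallel
    return memo[name]

def recovery_gaps(processes):
    """Map process name -> gaps between current capability and the BIA targets."""
    by_name, memo = {p.name: p for p in processes}, {}
    gaps = {}
    for p in processes:
        issues = []
        eff = effective_recovery_hours(p.name, by_name, memo)
        if eff > p.rto_hours:  # own restore may be fast enough while the chain is not
            issues.append(f"RTO gap: effective recovery {eff}h exceeds target {p.rto_hours}h")
        if p.backup_interval_hours > p.rpo_hours:
            issues.append(f"RPO gap: backup interval {p.backup_interval_hours}h exceeds target {p.rpo_hours}h")
        if issues:
            gaps[p.name] = issues
    return gaps

def recovery_order(processes):
    """Dependencies first; among ready processes the tightest RTO first (Kahn's algorithm, RTO priority)."""
    by_name = {p.name: p for p in processes}
    ts = TopologicalSorter({p.name: set(p.depends_on) for p in processes})
    ts.prepare()
    ready, order = set(), []
    while ts.is_active():
        ready.update(ts.get_ready())
        nxt = min(ready, key=lambda n: (by_name[n].rto_hours, n))
        ready.remove(nxt)
        order.append(nxt)
        ts.done(nxt)
    return order
```

A process whose own restore time is within its RTO can still miss it when something it depends on restores first; the sample's claims portal is that case.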

Page 14

Develop Continuity Plans

> Identify available continuity and recovery strategies
– Requirements for business functions and operations to meet RTO and RPO
– Internal and external options
» e.g. repair/rebuild, alternate site, manual workaround, reciprocal agreement, etc.
– Assess viability of recovery strategies

> Develop emergency response strategies
– Protection of life, property, and environment
– Consult and coordinate with public agencies for response strategies
– Develop crisis communication plan and identify authorized spokesperson

> Document recovery plans
– Site level plans, functional or departmental plans, scenario-based plans, etc.

Page 15

Training, Testing, and Maintenance

> Establish objectives of the training and exercise programs
– Obtain support of senior management and plan sponsors
– Identify desired level of expertise to be achieved
– Align activities with recovery priorities and tactical requirements

> Identify appropriate audiences
– Prioritize groups based on awareness and training needs
– Goal is to increase awareness and establish confidence

> Develop a realistic, progressive, and cost-effective program
– Start simple and build on mastery

Page 16

Top Threats and Vulnerabilities

Page 17

Threats and Vulnerabilities

Source: Business Continuity Institute, “2016 Horizon Scan Report”

Page 18

Threats and Vulnerabilities (cont’d)

Source: Business Continuity Institute, “2016 Horizon Scan Report”

Page 19

Cybersecurity – Are You Prepared?

Consider these …

Many companies lack the technical means to detect intrusion and data exfiltration activities
– 69% of data breaches were externally discovered by law enforcement or customers (Source: Mandiant M-Trends 2015 Report)
– Median number of days from earliest compromise to detection: 205 (Source: Mandiant M-Trends 2015 Report)

Business Continuity and Incident Response plans are critical to minimizing exposure from cyber attacks
– Involving Business Continuity Management saved on average $9 per record breached (Source: 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute)

Communication and notification protocols can help to ensure timely and relevant information for internal and external stakeholders
– Customer/Supplier notification protocols
– Media response and spokesperson

Page 20

Cybersecurity – Are You Prepared?

Industries at risk (share of spear phishing attacks):
– Retail/Wholesale: 10%
– Services: 31%
– Finance, Insurance, Real Estate: 18%
– Manufacturing: 20%
– All other industries: 21%

Threat sources shown: Hackers, Identity thieves, Espionage, Regulations, Malware

Service areas shown: Cybersecurity Policy & Program Development; Cybersecurity/Privacy Compliance Readiness; Vulnerability Assessment/Penetration Testing; Cybersecurity Architecture & Implementation; SOC Reporting; Cybersecurity Risk Assessments

Source: Symantec Internet Security Threat Report 2015

Page 21

Trends and Other Considerations

Page 22

How does BCM fit into your organization?

Page 23

What does your response plan cover?

Page 24

How often do you perform simulations?

Page 25

Who is involved in the simulations?

Page 26

How often are plans invoked and why?

Page 27

What scenarios should we plan for?

Page 28

Feedback from BCP Invocation

Page 29

Use of Technology

Page 30

Self Assessment Questions

Customers
• Do we have a plan to reduce risk to our customers?
• What is the risk of losing a critical customer or channel?

Supply Chain
• Are we reliant on a single supplier? Do we have alternatives identified?
• Do we know the financial health of our suppliers?

Staff
• Do staff contracts give us flexibility (e.g. hours, location) to deal with major disruption?
• Do staff know what to do if the office or facility is inaccessible?

Reputation
• Have we prepared messages for dealing with a major disruption or crisis?
• Do we have trained spokespeople for communicating with media?

Information Technology
• Have we identified all critical information and IT applications?
• Is all critical information backed up and readily accessible?
• Have we appropriately addressed cyber security risks?

Sites & Facilities
• Do alternative office and facility locations exist? Are employees aware?
• Have we identified and communicated with local agencies and municipalities for emergency response protocols?

Page 31

Critical Success Factors

01 Communication and Awareness
02 Leadership Support and Buy-In
03 Continuous Improvement
04 Structured and Disciplined Approach

Supporting points shown with the four factors:
– Awareness and training programs
– Clear lines of communication
– One size does not fit all
– Align to organizational objectives and requirements
– Ensure program and plan include relevant components (The 3 P’s)
– Measure and track performance
– Testing and maintenance activities

Page 32

"The time to repair the roof is when the sun is shining." – John F. Kennedy

Page 33

Eric Wunderlich, CRMA, ABCP
Senior Manager – Risk and Internal Audit
[email protected]
312 729 8185