Cyber Risk, Profitability & Corporate Resiliency...s Intra-organizational benchmarking to compare...
NOT FOR DISTRIBUTION
Cyber Risk, Profitability & Corporate Resiliency
June 1, 2017
19th Annual Norway Ship & Offshore Finance Forum
Who We Are
HudsonAnalytix, Inc. offers integrated risk management and technical advisory services to the global maritime industry. Clients include:
• Port Authorities & Terminal Operators
• National and regional port systems
• Integrated oil/gas companies
• National oil companies
• Global maritime transportation companies
• Insurance Companies
• Governments

Operating Divisions:
• HA - Cyber - Maritime Cybersecurity & Risk Mgmt.
• HudsonSystems - Software Solutions
• HudsonTrident - Security (Physical & Operational)
• HudsonMarine - Operational Marine Management
• HudsonTactix - Consequence Management
Key Facts:
• Established in 1986
• Worldwide Presence:
  • Philadelphia (Global HQ)
  • Washington, DC
  • Seattle, WA
  • San Diego, CA
  • Houston, TX
  • Copenhagen, Denmark
  • London, UK
  • Rome, Italy
  • Piraeus, Greece
  • Jakarta, Indonesia (JV)
  • Manila, Philippines

© 2017 HudsonAnalytix, Inc.
Cyber Risk Management Practice
• Technology agnostic
• Tailored executive training and exercises
• Unique capabilities tailored to the global maritime and energy markets
• Blended, standards-based, maturity-model assessment approach - the HACyberLogix platform
• Tailored cyber threat intelligence - informed by “attack side”
• Facilitation of cyber risk transfer
• Global reach

Ship-owners & Operators
Offshore
Ports & Terminal Operators
Waterside Facilities
Clausewitz and … Cyber Risk?
He Recognized:
• War is a political, social and military phenomenon.
• Asymmetries can defeat the perceived superiority of the defense.
What is Cybersecurity?
Cybersecurity is NOT:
• Information Technology (“IT”)
• Compliance (e.g. ISO; ISPS Code)
• Solved by a “silver bullet” approach

Cybersecurity IS:
• A risk management activity delivering a standard of care
• About cultural change and business transformation
• The mission of protecting the entire business (the Balance Sheet)
• A responsibility that starts at the top (you!)
Cyber Risk Begins and Ends with the Human
• Service-Oriented Ecosystems
• Crime-as-a-Service
• Targeting-as-a-Service
• Networking / Social events
• Tactics, techniques, procedures and strategies are shared
• Training / lessons-learned
• Broker ecosystems
• National teams
• “Trench time”
– Involves everyone!
  • Home
  • Work
– It is asymmetrical
– Easily executable
– Affects the entire organization
– Is persistent
– Financially rewarding
– Evolved from a luxury to a necessity
Exploiting Trust Relationships
The IRISL Hack (2011)
• Servers were compromised
• Logistics systems crashed
• Entire fleet of 172 vessels was compromised
• False information input into systems:
  • Compromised manifests
  • Falsification of rates
  • Containers ‘cloaked’
  • Delivery dates
  • Client / Vendor Data
• Major Business Interruption!
So What’s Vulnerable? (Hint: Everything)
• Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading / unloading of bulk / containerized cargo
• Cargo / Terminal Management Systems
• Domain Awareness / Navigational Systems - RADAR, AIS, VTS/VTMS, ECDIS, VDR, etc.
• Any Business Software Application (e.g. email, financial, human resources, finance, logistics, business operations; think “ERP”)
• Any Operating System (e.g. Microsoft, Linux)
• Any Security System - CCTV, Access Control
• Any Mobility device and platform (RFID)
• Communications Systems
• Employees (insiders) and Contractors
Nor Shipping 2017
Cyber Risk
Is this a modern battlefield?
Business Leaders Are Left with a Range of Unanswered Questions
• What do we invest in?
• How much do we budget?
• What are our priorities?
• How do we know what to buy?
• How can we measure the effectiveness of our investments?
• Are our cybersecurity investments sustainable?
WHAT CAN YOU DO ABOUT IT?
What is Cybersecurity Capability Maturity?
Cybersecurity Capability Maturity analysis defines an organization’s cyber ecosystem, identifies the depth and breadth of deployed capabilities, establishes benchmarks to support long-term measurement, and serves as the primary mechanism for sustaining the organization’s cybersecurity strategy and investments.
Cybersecurity Capability and the Cyber Risk Reduction Curve
• Initial investments should be in cyber capability development, to protect.
• As risk curve flattens, cyber insurance becomes an efficient means to further reduce risk.
• Cybersecurity capability maturity informs risk transfer.
• Harmonizing investments in technological and financial controls requires better exposure and loss metrics.
ABOUT US
Axio provides cyber risk engineering services and data analytics to support the improved management of cyber risk, including the deployment of cyber insurance. We work with private and public sector organizations to help them better understand and manage their exposure to cyber risk through cybersecurity program evaluations and cyber loss scenario development and analysis.

Much of our work is performed for or in collaboration with the insurance industry; we are on the forefront of developing and enabling improved cyber insurance products that protect firms in the energy sector and other sectors for which physical damage, environmental damage, and bodily injury from cyber risk are real concerns.

The core of our data analytics work is the Axio knowledge center, which aggregates data from our services and other sources to provide a basis for cyber program capability benchmarks, modeling, and other data sciences to improve the understanding of cyber risk losses and associated predictive indicators. Our vision is that the rich data provided through our collaboration with the insurance industry will ultimately provide insight into predictive indicators for cyber loss that materially advance cybersecurity knowledge.

CYBER INSURANCE AS A CONTROL
The Ultimate Value Proposition: Insight and analysis from Axio’s Cyber Risk Knowledge Center enables clients to deploy risk transfer capacity to lower their overall risk.

AXIO PROCESS
1. Policy Analysis: Identify gaps in current insurance coverage. Understand the types of impacts from potential cyber events that are not covered by your current insurance.
2. Cyber Loss Scenarios: Develop notional and feasible cyber loss scenarios. Workshop to brainstorm several cyber loss scenarios that could lead to covered and uncovered impacts; estimate total potential cost of each.
3. Program Evaluation: Evaluate cyber risk management capability and maturity. Evaluation based on Cybersecurity Capability Maturity Model (C2M2).
4. Cyber Risk Engineering: Detailed impact analysis, frequency estimation, and loss control. More in-depth cyber loss scenario development and analysis than in step 2.
5. Insurance Placement: With brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.

[Figure: risk plotted against cybersecurity capability, with regions labeled “Invest in technology” and “Invest in transfer”. Annotation: Catastrophic cyber risk transfer capacity lowers the curve overall.]
SERVICES

FOR INSURERS
• Scalable cybersecurity program evaluations and benchmarking to support underwriting, ranging from online self-evaluations to onsite in-depth evaluations.
• Data collection and analysis to monitor systemic and aggregation risk and to improve cyber loss models.
• Technology support for evaluations, data collection, and analysis.
• Training and consulting services to better enable insurers and broker partners to address the full range of cyber risk with clients.

FOR POLICYHOLDERS
• Policy analysis to identify and understand cyber exclusions in existing policies.
• Scenario workshops to develop and analyze cyber loss scenarios.
• Scalable cybersecurity program evaluations and benchmarking, ranging from online self-evaluations to onsite in-depth evaluations.
• Intra-organizational benchmarking to compare cyber risk management capabilities among parallel business units for in-depth analysis of large organizations.
• Cyber risk engineering services for in-depth loss scenario analysis, control, and modeling.

FOR BROKERS
• Policy analysis to identify and understand cyber exclusions in existing policies in support of specific clients or market analysis.
• Consulting services for design and placement of bespoke cyber insurance solutions such as captives to address unique client needs.
• Training and consulting services to better enable brokerage teams to address the full range of cyber risk with clients.
AXIO KNOWLEDGE CENTER
• Benchmarks
• Cybersecurity program evaluations
• Loss and claims for insurance partners
• Predictive Models
• Aggregation and systemic risk analysis
• Publications
• Cyber risk and insurance training and consulting
• Loss scenario development and engineering

DATA SOURCES: Aggregated data from Risk Engineering services, open sources, and insurance industry
INVEST IN CYBER CAPABILITIES!
SUSTAIN CAPABILITY & INVEST IN INSURANCE!
Courtesy: Axio
Compliance
Not All Threats Are Created Equal™
Delivering Unique, Maritime-Specific Cybersecurity Insights and Support
What is HACyberLogix?
What is HACyberLogix? It’s an easy-to-use, cloud-based tool specifically designed to support shipping companies in cost-effectively assessing and managing cyber risk.

Who is HACyberLogix for? It was designed for shipping company owners and executives with profit and loss responsibilities.

What does HACyberLogix do? It facilitates organization-wide cybersecurity self-assessments and provides customized guidance for managing the complexities of cyber risk.

Why use HACyberLogix? To drive continuous improvement in cybersecurity capability across the entire company by efficiently allocating precious resources: people, tools and funding.
Getting to the Point: Informing the Decision-Making Process
Recommendations are Automated and Prioritized
Key Outputs…
• Maritime Transportation Cybersecurity Capability Assessment* cover page (date & time stamped)
• Executive Summary includes dynamic visualization of assessment activity (heat map represents aggregated results)
• Scoring is aggregated, normalized and dynamically visualized for the overall assessment and by DMIL Survey.
• Recommendations are generated and prioritized based on assessment inputs. Related document management supports audit efforts.
Managing Cyber Risk Begins at the Top
Managing Directors, CEOs and Board Members are increasingly being held accountable for their organization’s cybersecurity. Cyber risk management must be owned by leadership. Cyber risk affects an organization’s:
• Balance Sheet / Profit & Loss
• Legal Exposure
• Operational Effectiveness
• Customers (Reputation!)
• Vendors
• Partners
• Employees
• You
Thank You!
Max Bobys
VP, HA - Cyber
Ferry Terminal Building, Suite 300
2 Aquarium Drive
Camden, NJ 08103
Office: +1.856.342.7500
Mobile: +1.301.922.5618
Email: max.bobys@[email protected]

Cynthia Hudson
CEO & Founder
Ferry Terminal Building, Suite 300
2 Aquarium Drive
Camden, NJ 08103
Office: +1.856.342.7500
Mobile: +1.609.505.6878
Email: cynthia.hudson@[email protected]
Floor: K - 2 Room: “ARIEL”