Cyber Risk, Profitability & Corporate Resiliency

NOT FOR DISTRIBUTION

June 1, 2017

19th Annual Norway Ship & Offshore Finance Forum


Who We Are

HudsonAnalytix, Inc. offers integrated risk management and technical advisory services to the global maritime industry. Clients include:

• Port Authorities & Terminal Operators
• National and regional port systems
• Integrated oil/gas companies
• National oil companies
• Global maritime transportation companies
• Insurance Companies
• Governments

Operating Divisions:

• HA - Cyber - Maritime Cybersecurity & Risk Mgmt.
• HudsonSystems - Software Solutions
• HudsonTrident - Security (Physical & Operational)
• HudsonMarine - Operational Marine Management
• HudsonTactix - Consequence Management

Key Facts:

• Established in 1986
• Worldwide Presence:
  • Philadelphia (Global HQ)
  • Washington, DC
  • Seattle, WA
  • San Diego, CA
  • Houston, TX
  • Copenhagen, Denmark
  • London, UK
  • Rome, Italy
  • Piraeus, Greece
  • Jakarta, Indonesia (JV)
  • Manila, Philippines

© 2017 HudsonAnalytix, Inc.


Cyber Risk Management Practice

• Technology agnostic
• Tailored executive training and exercises
• Unique capabilities tailored to the global maritime and energy markets
• Blended, standards-based, maturity-model assessment approach - the HACyberLogix platform
• Tailored cyber threat intelligence - informed by “attack side”
• Facilitation of cyber risk transfer
• Global reach

Ship-owners & Operators
Offshore
Ports & Terminal Operators
Waterside Facilities


Clausewitz and … Cyber Risk?

He Recognized:

• War is a political, social and military phenomenon.
• Asymmetries can defeat the perceived superiority of the defense.


What is Cybersecurity?

Cybersecurity is NOT:

• Information Technology (“IT”)
• Compliance (e.g. ISO; ISPS Code)
• Solved by a “silver bullet” approach

Cybersecurity IS:

• A risk management activity delivering a standard of care
• About cultural change and business transformation
• The mission of protecting the entire business (the Balance Sheet)
• A responsibility that starts at the top (you!)


Cyber Risk Begins and Ends with the Human

• Service-Oriented Ecosystems
• Crime-as-a-Service
• Targeting-as-a-Service
• Networking / Social events
• Tactics, techniques, procedures and strategies are shared
• Training / lessons-learned
• Broker ecosystems
• National teams
• “Trench time”


Exploiting Trust Relationships

– Involves everyone!
  • Home
  • Work
– It is asymmetrical
– Easily executable
– Affects the entire organization
– Is persistent
– Financially rewarding
– Evolved from a luxury to a necessity


The IRISL Hack (2011)

• Servers were compromised
• Logistics systems crashed
• Entire fleet of 172 vessels was compromised
• False information input into systems:
  • Compromised manifests
  • Falsification of rates
  • Containers ‘cloaked’
  • Delivery dates
  • Client / Vendor Data
• Major Business Interruption!


So What’s Vulnerable? (Hint: Everything)

• Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading / unloading of bulk / containerized cargo
• Cargo / Terminal Management Systems
• Domain Awareness / Navigational Systems - RADAR, AIS, VTS/VTMS, ECDIS, VDR, etc.
• Any Business Software Application (e.g. email, financial, human resources, finance, logistics, business operations. Think “ERP”)
• Any Operating System (e.g. Microsoft, Linux)
• Any Security System - CCTV, Access Control
• Any Mobility device and platform (RFID)
• Communications Systems
• Employees (insiders) and Contractors


Nor Shipping 2017

Cyber Risk

Is this a modern battlefield?


Business Leaders Are Left with a Range of Unanswered Questions

• What do we invest in?
• How much do we budget?
• What are our priorities?
• How do we know what to buy?
• How can we measure the effectiveness of our investments?
• Are our cybersecurity investments sustainable?


WHAT CAN YOU DO ABOUT IT?


What is Cybersecurity Capability Maturity?

Cybersecurity Capability Maturity analysis defines an organization’s cyber ecosystem, identifies the depth and breadth of deployed capabilities, establishes benchmarks to support long-term measurement, and serves as the primary mechanism for sustaining the organization’s cybersecurity strategy and investments.


Cybersecurity Capability and the Cyber Risk Reduction Curve

• Initial investments should be in cyber capability development, to protect.
• As risk curve flattens, cyber insurance becomes an efficient means to further reduce risk.
• Cybersecurity capability maturity informs risk transfer.
• Harmonizing investments in technological and financial controls requires better exposure and loss metrics.

ABOUT US

Axio provides cyber risk engineering services and data analytics to support the improved management of cyber risk, including the deployment of cyber insurance. We work with private and public sector organizations to help them better understand and manage their exposure to cyber risk through cybersecurity program evaluations and cyber loss scenario development and analysis.

Much of our work is performed for or in collaboration with the insurance industry; we are on the forefront of developing and enabling improved cyber insurance products that protect firms in the energy sector and other sectors for which physical damage, environmental damage, and bodily injury from cyber risk are real concerns.

The core of our data analytics work is the Axio knowledge center, which aggregates data from our services and other sources to provide a basis for cyber program capability benchmarks, modeling, and other data sciences to improve the understanding of cyber risk losses and associated predictive indicators. Our vision is that the rich data provided through our collaboration with the insurance industry will ultimately provide insight into predictive indicators for cyber loss that materially advance cybersecurity knowledge.

CYBER INSURANCE AS A CONTROL

The Ultimate Value Proposition: Insight and analysis from Axio’s Cyber Risk Knowledge Center enables clients to deploy risk transfer capacity to lower their overall risk.


AXIO PROCESS

1. Policy Analysis: Identify gaps in current insurance coverage. Understand the types of impacts from potential cyber events that are not covered by your current insurance.
2. Cyber Loss Scenarios: Develop notional and feasible cyber loss scenarios. Workshop to brainstorm several cyber loss scenarios that could lead to covered and uncovered impacts; estimate total potential cost of each.
3. Program Evaluation: Evaluate cyber risk management capability and maturity. Evaluation based on Cybersecurity Capability Maturity Model (C2M2).
4. Cyber Risk Engineering: Detailed impact analysis, frequency estimation, and loss control. More in-depth cyber loss scenario development and analysis than in step 2.
5. Insurance Placement: With brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.

[Figure: cyber risk reduction curve. Axis labels: CYBERSECURITY CAPABILITY, RISK. Region labels: INVEST IN TECHNOLOGY, INVEST IN TRANSFER. Annotation: Catastrophic cyber risk transfer capacity lowers the curve overall.]

FOR INSURERS

• Scalable cybersecurity program evaluations and benchmarking to support underwriting, ranging from online self-evaluations to onsite in-depth evaluations.
• Data collection and analysis to monitor systemic and aggregation risk and to improve cyber loss models.
• Technology support for evaluations, data collection, and analysis.
• Training and consulting services to better enable insurers and broker partners to address the full range of cyber risk with clients.

FOR POLICYHOLDERS

• Policy analysis to identify and understand cyber exclusions in existing policies.
• Scenario workshops to develop and analyze cyber loss scenarios.
• Scalable cybersecurity program evaluations and benchmarking, ranging from online self-evaluations to onsite in-depth evaluations.
• Intra-organizational benchmarking to compare cyber risk management capabilities among parallel business units for in-depth analysis of large organizations.
• Cyber risk engineering services for in-depth loss scenario analysis, control, and modeling.

FOR BROKERS

• Policy analysis to identify and understand cyber exclusions in existing policies in support of specific clients or market analysis.
• Consulting services for design and placement of bespoke cyber insurance solutions such as captives to address unique client needs.
• Training and consulting services to better enable brokerage teams to address the full range of cyber risk with clients.


[Diagram: Axio KNOWLEDGE CENTER. Labels: DATA SOURCES; Aggregated data from Risk Engineering services, open sources, and insurance industry; Cybersecurity program evaluations; Loss and claims for insurance partners; Benchmarks; Predictive Models; Aggregation and systemic risk analysis; Publications; Cyber risk and insurance training and consulting; Loss scenario development and engineering.]

Slide callouts: “Compliance”; “INVEST IN CYBER CAPABILITIES!”; “SUSTAIN CAPABILITY & INVEST IN INSURANCE!”

Courtesy: Axio


Not All Threats Are Created Equal™

Delivering Unique, Maritime-Specific Cybersecurity Insights and Support


What is HACyberLogix?

What is HACyberLogix?
It’s an easy-to-use, cloud-based tool specifically designed to support shipping companies in cost-effectively assessing and managing cyber risk.

Who is HACyberLogix for?
It was designed for shipping company owners and executives with profit and loss responsibilities.

What does HACyberLogix do?
It facilitates organization-wide cybersecurity self-assessments and provides customized guidance for managing the complexities of cyber risk.

Why use HACyberLogix?
To drive continuous improvement in cybersecurity capability across the entire company by efficiently allocating precious resources: people, tools and funding.


Getting to the Point: Informing the Decision-Making Process


Recommendations are Automated and Prioritized


Key Outputs…

• Maritime Transportation Cybersecurity Capability Assessment* cover page (date & time stamped)
• Executive Summary includes dynamic visualization of assessment activity (heat map represents aggregated results)
• Scoring is aggregated, normalized and dynamically visualized for the overall assessment and by DMIL Survey.
• Recommendations are generated and prioritized based on assessment inputs. Related document management supports audit efforts.


Managing Cyber Risk Begins at the Top

Managing Directors, CEOs and Board Members are increasingly being held accountable for their organization’s cybersecurity. Cyber risk management must be owned by leadership. Cyber risk affects an organization’s:

• Balance Sheet / Profit & Loss
• Legal Exposure
• Operational Effectiveness
• Customers (Reputation!)
• Vendors
• Partners
• Employees
• You


Thank You!

Max Bobys
VP, HA - Cyber
Ferry Terminal Building, Suite 300
2 Aquarium Drive
Camden, NJ 08103
Office: +1.856.342.7500
Mobile: +1.301.922.5618
Email: max.bobys@[email protected]

Cynthia Hudson
CEO & Founder
Ferry Terminal Building, Suite 300
2 Aquarium Drive
Camden, NJ 08103
Office: +1.856.342.7500
Mobile: +1.609.505.6878
Email: cynthia.hudson@[email protected]

Floor: K - 2
Room: “ARIEL”