Tag Archives : data

Risk Conversation at Board level: 5th webinar with ecoDa and AIG – Transparency

5th joint webinar with FERMA and ecoDa/AIG dedicated to transparency in our series “Risk Conversation at Board level”

Increased Risk Reporting Requirements

09 March 2017 from 14:00 – 15:30


Our webinar will illustrate how risk managers can support their boards in expressing the risk appetite of the organisation and provide input in the ‘annual report’ process. The EU system will be compared to the US approach.

  • the role of the risk manager as a strategic advisor when it comes to responding to Board questions on transparency requirements (risk reporting, reputation…)
  • the role of the risk manager in the quality of the reported data about risks: their identification, collection and assessment

A strong disclosure regime that promotes real transparency is a pivotal feature of market-based monitoring of companies and is central to shareholders’ ability to exercise their shareholder rights on an informed basis.

Over the past years, transparency has largely been the leitmotiv for regulators to require additional disclosures that go beyond the financial and operating results of the company.

What are the costs of not being prepared (regulatory risk, reputation risk)?


Speakers:

  • Helle Friberg, FERMA board member
  • Alexandra Lajoux, Chief Knowledge Officer Emeritus, National Association of Corporate Directors
  • Daniel Lebègue, President of Transparency International France
  • Eric Miller, Head of EMEA tax advisory at AIG


Cyber awareness challenge


How cyber aware are you? Here are some questions that will provide food for thought. The answers are a mixture of fact and judgement.

1. When will the EU Data Protection Regulation start to apply?
A. 25 May 2018
B. 25 March 2017
C. 1 June 2017
2. How quickly do you need to notify a data protection breach to your supervisory authority under the EU Data Protection Regulation?
A. Within 24 hours
B. Within 72 hours
C. It’s voluntary
3. What is the maximum fine a business can face for a breach of the EU Data Protection Regulation?
A. 2% of global turnover
B. 4% of global turnover
C. €20 million
D. €10 million
4. What digital risks are you most concerned about?
A. Theft of personal data
B. Loss of intellectual property
C. Hacks for ransom
5. What is a bitcoin?
A. A euro cent
B. Something left over from your holiday
C. A unit of digital currency
6. How does your organisation cover the cost of cyber risks?
A. Through existing property/casualty policies
B. Stand-alone cyber insurance in addition to existing coverages
C. We don’t think any insurance will make enough difference to a big data breach or hack
7. How satisfied are you with your organisation’s procedures for dealing with data breach and cyber attack?
A. Reasonably satisfied but it needs updating
B. Satisfied, but it can always be improved
C. Something I worry about

ANSWERS

  1. A.
  2. B.
  3. B, but all are possible, depending on the circumstances.
  4. Data breach is the most likely, but all are possible.
  5. C.
  6. All are possible.
  7. B, hopefully.

All the answers correct? Share and consolidate your knowledge by attending the digital risks roundtable and interactive cyber security workshop at the FERMA Seminar on 4 October.

Most of the answers right: The FERMA Seminar on 4 October is a good place to build your knowledge.

Less than half the answers right: You definitely need to come to the FERMA Seminar digital risks roundtable and workshop on cyber risks on 4 October. Bring a colleague.

http://archives.ferma.eu/ferma-seminar-2016/session/session-5-benchmarking-or-national-association/


Expert Views: Cyber risks, the SPICE Initiative at Airbus

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, member of AMRAE

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, describes the development of a response methodology to create resilience against cyber risks.

There are three main obstacles to a good understanding of cyber risks in our organisations, which I believe are common to most businesses:

1/ It has long been perceived as an IT issue only, which neglects addressing the related business impact. This is especially critical with the increase in connectivity of industrial systems.

2/ Confidentiality is a major element preventing a clear and open analysis of this risk as information management is a critical security issue; even creating a list of potential vulnerabilities is a huge concern.

3/ Finally there is a fear that disclosing a cyberattack suffered or even admitting a potential vulnerability could endanger the reputation of the company.

To get over these obstacles, the risk manager has to be able to demonstrate to the CEO or the executive committee the possible financial impact of a massive cyber attack in terms of business interruption and loss of business opportunity. For this, the risk manager needs data to show the organisation’s current state of cyber resilience, past and future cyber protection investments, and mitigation of the risk.

We must also be able to explain the legal and regulatory implications of dealing with data breaches, especially under US laws, and the protection of critical infrastructures under French and EU laws.

The risk manager needs a cyber risk map of the information system of the organisation showing the most sensitive assets to be protected. Finally he or she will use this information to engage with the insurance market.

We found that no convincing method had already been developed for doing this; we had to develop one. SPICE stands for scenario planning to identify cyber exposure, and it is an initiative sponsored by the CFO of Airbus Defence and Space, initiated by me as the Head of Insurance Risk Management. It is a pilot programme for a business impact analysis to identify cyber-related disaster scenarios that could affect our operational capability, and it is truly innovative.

No convincing method available

SPICE needs high-level technical experts who know the cyber threat environment of the organisation. To start, we gathered representatives of all the functions as well as from IT and information management security to:
• Educate the operational managers about the new cyber threats;
• Discuss the security issues with great care;
• Openly consider some potential cyber attack scenarios – and not assume it could not happen to us;
• Support ‘impacted’ functions and information management security on quantification.

Building the scenario

Attacks: We focussed on identifying potentially catastrophic scenarios:
• Who might attack us and what would their motives be?
• What functions and assets would be impacted?
• How would we recover and how long would it take?

Cost: We calculated the business and operational impact with inputs from operations. We split the scenarios into four phases from security breach to recovery, including investment in remediation, to estimate the possible costs at each phase. What did we learn from this?
• The numbers relate to our financial exposure – but there is no final number.
• Management has to play a part.
• The objective is to reach a consensus that is acceptable to everyone and valid for our analysis.

Probability: Local information management security then evaluated the technical probability of the success of an occurrence at each step of the process. For this we used the Cyber Kill Chain developed by Lockheed Martin, which plots the stages of an attack, from preparation and intrusion to active breach, against the time involved.

Lessons: This same method applied by experts at two different sites produced two different probability numbers. We learned that we need a homogeneous approach, but that it also has to be associated with different types of attackers, from malicious individuals to organised criminals or foreign government agencies. We have to ask: why would they undertake the specific attack which is the subject of our scenario?

Mitigation: SPICE helps us develop our mitigation security plan and link it to business needs. We measured the costs of implementing further IT security measures to reduce the probability of occurrence and as a consequence the resulting exposure. After making this IT investment, it makes economic sense to evaluate how to mitigate the residual exposure through insurance. We have the basis for a dialogue with the insurance market to complement this mitigation strategy with an insurance programme tailored to our needs.
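The quantification chain described above (phase costs, a per-step success probability along the kill chain, a security investment that lowers that probability, and a residual exposure left for insurance) as an added worked example; this is illustrative code written for this page, not the SPICE tooling used at Airbus, and all scenario figures, kill-chain step names and reduction factors are constructed.

```python
# Added example, not part of the FERMA page or of Airbus's SPICE programme.
# Models one catastrophic scenario the way the article describes: four cost
# phases from breach to recovery, kill-chain steps each with a success
# probability assessed by security experts, and the effect of an IT security
# investment on the exposure that remains to be placed with insurers.
from __future__ import annotations
from dataclasses import dataclass
from math import prod


@dataclass
class Scenario:
    name: str
    attacker: str                   # who might attack and why (part of the scenario)
    frequency_per_year: float       # expected number of attempts of this kind per year
    step_success: dict[str, float]  # kill-chain step -> probability the step succeeds
    phase_cost: dict[str, float]    # phase (breach..recovery) -> cost in EUR if it succeeds

    def p_success(self) -> float:
        # the attack must get through every step, so step probabilities multiply
        return prod(self.step_success.values())

    def loss_if_success(self) -> float:
        return sum(self.phase_cost.values())

    def annual_expected_loss(self) -> float:
        return self.frequency_per_year * self.p_success() * self.loss_if_success()


def apply_controls(s: Scenario, reductions: dict[str, float]) -> Scenario:
    """Copy of the scenario after a control cuts the success chance of given steps.
    reductions maps step -> relative reduction (0.5 halves that step's probability)."""
    steps = {k: v * (1 - reductions.get(k, 0.0)) for k, v in s.step_success.items()}
    return Scenario(s.name, s.attacker, s.frequency_per_year, steps, dict(s.phase_cost))


def evaluate_investment(s: Scenario, reductions: dict[str, float], annual_cost: float) -> dict:
    """Expected loss before and after a control; 'residual' is the exposure left for insurance."""
    before, after = s.annual_expected_loss(), apply_controls(s, reductions).annual_expected_loss()
    return {"before": before, "residual": after,
            "net_benefit": before - after - annual_cost,
            "worth_it": before - after > annual_cost}


# Constructed sample scenario (figures are illustrative, not Airbus data)
RANSOM = Scenario(
    name="ransomware halts final assembly line",
    attacker="organised criminals seeking a ransom",
    frequency_per_year=2.0,
    step_success={"delivery": 0.8, "exploitation": 0.5, "installation": 0.5, "c2": 0.9, "actions": 0.5},
    phase_cost={"breach": 200_000, "containment": 500_000, "interruption": 6_000_000, "recovery": 1_300_000},
)
```

Running `evaluate_investment(RANSOM, {"exploitation": 0.5, "installation": 0.6}, 400_000)` compares the annual expected loss with and without a control costing 400,000 per year; the `residual` value is the figure to take into the dialogue with the insurance market.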

Conclusions:

• We believe this methodology is key in obtaining valuable insight into our cyber risk exposures.
• This process needs to be performed regularly and as exhaustively as possible.
• We have to be able to roll out the process across the whole company, its products and its locations.
• We must be able to work with operations.
• SPICE provides elements for the risk manager to enlarge the current scope of ERM to encompass cyber risks.

When it comes to cyber risks, many challenges remain in front of us. There is simply no one response. At the same time, there is no alternative to the development of the digital economy, and industry has to adapt thanks to the new possibilities offered by technology to improve efficiency, reliability and profitability. This opportunity, however, generates in itself new risks which have to be addressed and for which a dedicated risk management policy has to be defined. We need a collective effort coordinated between industry, the insurance market and the public authorities. It is time to move from awareness to action.

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space is a member of AMRAE and has been supporting FERMA in the development of its response to the European Commission’s consultation on cyber risk. He is also working with François Beaume, President of AMRAE’s commission on information systems.


Risk Conversation at Board level: 2nd webinar with ecoDa and AIG

The second webinar dedicated to data protection and cybersecurity in our series “Risk Conversation at Board level”

PART I – How to adapt the risk governance to the changing regulatory landscape for personal data?

23 February 2016 from 10:30 – 12:00


Speaker Biographies

The two parts of the webinars are:

Webinar PART I Data Protection – how to adapt the risk governance to the changing regulatory landscape for personal data (Data Protection Officer, breach notifications, sanctions, hosting, transfer and treatment of personal data)?

Webinar PART II Cyber security – managing the consequences. How to identify, assess and mitigate the cyber risks? What should be the level of awareness of the Board? The Insurance part: the US example led by the existing regulations (mandatory breach and IT incident notification…)

The good management of data is now an essential part of the business model of many organisations. But with new dependencies linked to the increased use of external hosting, collection, treatment and transfer of data, it also poses heavy legal, IT and strategic challenges.

If it is no longer a purely IT or legal issue, who is required to take the strategic decisions to allocate the right resources (staff and budget)? What role is there for the Board?

Should data protection be higher on the Board agenda?

How should Board members get the right information on the specific data risks of their organisation to be in a position to decide?

Who will be the interface between the practical concerns and the need for strategic decisions?
Is there a role for the risk manager as the instrument to collect, consolidate and analyse the relevant information related to the data protection and the cybersecurity of the organization?


Big Data on Personal Insurances – AGERS Biomedicine Forum

Madrid, 4 December – AGERS. The Spanish Risk Management and Insurance Association (AGERS) held its Biomedicine Forum “Big Data on Personal Insurances” today, on the data that internet users leave on the web and the effect this is having on the personal insurance sector.

The AGERS event, which ran from 9.30 to 11.30 in the morning at CEOE headquarters, opened with a presentation by Mr. José Miguel Rodríguez Pardo, lecturer at Carlos III University and member of the AGERS Biomedicine Commission, and was moderated by Mr. Fernando Ariza, Head of the Solvency area at Mutualidad de la Abogacía.


Future Data Protection Regulation for holding private data?

The EU regulator is in the final stages of adopting the Data Protection Regulation, which will set up new rules for operators on how private data must be managed.

In March 2014, the European Parliament strengthened several requirements, such as raising the applicable fines for breaching the rules to up to €100 million or 5% of annual worldwide turnover (whichever is greater), whereas the original proposal of the European Commission suggested fines of “only” up to €1 million or 2% of annual worldwide turnover.