Larry Clinton, President, lclinton@isalliance.org, 703-907-7028

ISA Board of Directors

Ty Sagalow, Esq., Chair, Executive Vice President & Chief Innovation Officer, Zurich North America

Tim McKnight, 1st Vice Chair, Vice President & Chief Information Security Officer, Northrop Grumman

Jeff Brown, Secretary/Treasurer, Vice President, Infrastructure and Chief Information Security Officer, Raytheon

Pradeep Khosla, Founding Director of Cylab, Carnegie Mellon University

Marc Sachs, Vice President Government Affairs, Verizon

Lt. Gen. Charlie Croom (Ret.), Vice President Cyber Security Solutions, Lockheed Martin

Eric Guerrino, Managing Director Systems and Technology, Bank of New York Mellon

Joe Buonomo, President, DCR

Bruno Mahlmann, Vice President Cyber Security Division, Dell

Kevin Meehan, Vice President Information Technology & Chief Information Security Officer, Boeing

Rick Howard, iDefense Manager, VeriSign

Justin Somaini, Chief Information Security Officer, Symantec

Gary McAlum, Chief Security Officer, USAA

Paul Davis, Chief Technology Officer, NJVC

Andy Purdy, Chief Cybersecurity Strategist, CSC

John Havermann II, Vice President & Director, Cyber Programs, Intelligence & Information, SAIC

ISA Mission Statement

ISA's mission is to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

The Internet Changes Everything

Concepts of Privacy

Concepts of National Defense

Concepts of Self

Concepts of Economics

We have been focused on the HOW of cyber attacks; we need to focus on the WHY ($)

Cyber security is an economic/strategic issue as much as an operational/technical one

Cyber Security Economics are Skewed

Responsibility, costs, harms and incentives are misaligned

Individual and Corporate Financial loss

Core investment is undermined by edge insecurity

Government & private sector differ in their perspectives on risk

Enterprises are not structured to properly analyze cyber risk (ANSI-ISA study)

We are not cyber structured

In 95% of companies the CFO is not directly involved in information security

2/3 of companies don’t have a risk plan

83% of companies don’t have a cross organizational privacy/security team

Less than ½ have a formal risk management plan—1/3 of the ones who do don’t consider cyber in the plan

ANSI-ISA Program

Outlines an enterprise-wide process to attack cyber security broadly and economically:

CFO strategies

HR strategies

Legal/compliance strategies

Operations/technology strategies

Communications strategies

Risk management/insurance strategies

What we do know is all bad

All the economic incentives favor the attackers, i.e. attacks are cheap, easy and profitable, and the chances of getting caught are small

Defense is inherently a generation behind the attacker, the perimeter to defend is endless, and ROI is hard to show

Until we solve the cyber economics equation we will not have cyber security

Bad News and Good News

Bad: The situation is getting worse

Good: We know how to stop/mitigate 80 to 90% of cyber attacks

Bad: Although attacks are up, investment is down in 50-66% of American firms (PWC/CSIS)

Regulation is not the answer

Compliance (not security) already eats up much of the “security” budget

Specific regulations can’t keep up with attacks

Vague regulations show no effect

Regulations increase costs uniquely for American companies

Regulations can be counterproductive “ceilings” (Campaign Finance)

Obama’s Cyber Space Policy Review

“If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership.”

--- President's Cyber Space Policy Review, May 30, 2009, page 18

Current DC Activity

No bills had cyber insurance provisions in last Congress

New Congress

White House

Senate

House

New Attention to Cyber Insurance

WH conference with ISA on cyber insurance last spring

House Homeland Security Committee considering a cyber SAFETY Act

Senate Commerce Committee issued a set of questions on cyber insurance for a new bill; meetings to follow

WH Perspectives: 6 Reasons the Market Has Not Responded

1. Companies are not being charged for all their inputs and not being paid for their outputs

2. Insufficient motives for the long term

3. Lack of information for comparative market choices

4. Markets must be “seeded” with products

5. Misalignment from government regulations & litigation

6. Entry barriers cause a lack of alternatives

Congress Questions

1. How does insurance factor material risk into underwriting traditional commercial policies?

2. Do traditional policies cover damage/loss of IP or interruption from cyber events?

3. Is cyber typically excluded from D&O and property/liability policies? How do courts view these?

4. Are carriers clear about policy limits?

5. What standards are used to assess cyber risk? How is compliance measured?

Congress Questions

6. What kind of insurance is available for D&O who must meet Payment Card security standards?

7. What are the hurdles to developing cyber risk insurance, and how can they be overcome?

8. Are the problems with expanding cyber insurance similar to those of crop/flood insurance?

9. How can the federal government help create more accurate data for the industry?

Congress Questions

10. What impact would come from SEC clarification on material cyber risk?

11. What is the impact of the use of “untrustworthy” vendors on insurance?

ISA Social Contract Model

Model on Electric/Telephone “Social Contract 1.0” (November 2008)

Cyber Space Policy Review (May 2009)

Social Contract 2.0 (January 2010)

Incentive based model for Cybersecurity

Rely on status quo methods to create cyber security standards and practices

Test for effectiveness (e.g. FDA)

Create tiered levels based on risk profile

Apply market incentives to voluntary adoption

Embraced by CSPR (tax/liability/procurement/insurance) & legislation

Larry Clinton, President, lclinton@isalliance.org, 703-907-7028