Expert Views: Cyber risks, the SPICE Initiative at Airbus

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, member of AMRAE

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, describes the development of a response methodology to create resilience against cyber risks.

There are three main obstacles to a good understanding of cyber risks in our organisations, which I believe are common to most businesses:

1/ It has long been perceived as an IT issue only, which neglects the related business impact. This is especially critical with the increasing connectivity of industrial systems.

2/ Confidentiality is a major element preventing a clear and open analysis of this risk, since information management is itself a critical security issue; even creating a list of potential vulnerabilities is a huge concern.

3/ Finally, there is a fear that disclosing a cyberattack suffered, or even admitting a potential vulnerability, could endanger the reputation of the company.

To get over these obstacles, the risk manager has to be able to demonstrate to the CEO or the executive committee the possible financial impact of a massive cyber attack in terms of business interruption and loss of business opportunity. For this, the risk manager needs data to show the organisation’s current state of cyber resilience, past and future cyber protection investments, and mitigation of the risk.

We must also be able to explain the legal and regulatory implications of dealing with data breaches, especially under US laws, and of the protection of critical infrastructures under French and EU laws.

The risk manager needs a cyber risk map of the organisation's information system showing the most sensitive assets to be protected. Finally, he or she will use this information to engage with the insurance market.

We found that no convincing method for doing this had already been developed; we had to elaborate one. SPICE stands for Scenario Planning to Identify Cyber Exposure. It is an initiative sponsored by the CFO of Airbus Defense and Space and initiated by me as Head of Insurance Risk Management. It is a pilot programme for a business impact analysis that identifies cyber-related disaster scenarios which could affect our operational capability, and it is truly innovative.

No convincing method available

SPICE needs high-level technical experts who know the cyber threat environment of the organisation. To start, we gathered representatives of all the functions, as well as from IT and information management security, to:
• Educate the operational managers about the new cyber threats;
• Discuss the security issues with great care;
• Openly consider some potential cyber attack scenarios – and not assume it could not happen to us;
• Support ‘impacted’ functions and information management security on quantification.

Building the scenario

Attacks: We focused on identifying potentially catastrophic scenarios:
• Who might attack us and what would their motives be?
• What functions and assets would be impacted?
• How would we recover and how long would it take?

Cost: We calculated the business and operational impact with inputs from operations. We split the scenarios into four phases from security breach to recovery, including investment in remediation, to estimate the possible costs at each phase. What did we learn from this?
• The numbers relate to our financial exposure – but there is no final number.
• Management has to play a part.
• The objective is to reach a consensus that is acceptable to everyone and valid for our analysis.

Probability: Local information management security then evaluated the technical probability of success at each step of the process. For this we used the Cyber Kill Chain developed by Lockheed Martin, which plots the stages of an attack, from preparation and intrusion to active breach, against the time involved.

Lessons: The same method applied by experts at two different sites produced two different probability numbers. We learned that we need a homogeneous approach, but one that is also associated with different types of attackers, from malicious individuals to organised criminals or foreign government agencies. We have to ask: why would they undertake the specific attack which is the subject of our scenario?

Mitigation: SPICE helps us develop our security mitigation plan and link it to business needs. We measured the cost of implementing further IT security measures to reduce the probability of occurrence and, as a consequence, the resulting exposure. Once this IT investment is made, it makes economic sense to evaluate how to mitigate the residual exposure through insurance. We then have the basis for a dialogue with the insurance market to complement this mitigation strategy with an insurance programme tailored to our needs.
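The quantification that the scenario, cost, probability and mitigation steps describe, as an added worked example (not Airbus's or the SPICE programme's own model): success probabilities per kill-chain stage multiply into a scenario success probability, the four phase costs sum into the impact, and a control that lowers one stage's probability is judged by the exposure it removes against its cost. The attacker profile, the four phase labels, the control and every figure are constructed.

```python
from dataclasses import dataclass
from math import prod

# Lockheed Martin Cyber Kill Chain stages, in attack order.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]


@dataclass
class Scenario:
    """One SPICE-style disaster scenario; all figures are constructed, not Airbus data."""
    name: str
    attacker: str
    attempts_per_year: float   # how often this attacker profile tries the scenario
    stage_success: dict        # P(attacker completes a stage, given they reached it)
    phase_costs: dict          # cost of each phase from breach to recovery, EUR

    def p_success(self) -> float:
        # The attack only succeeds if every stage of the chain is completed.
        return prod(self.stage_success[s] for s in KILL_CHAIN)

    def impact(self) -> float:
        return sum(self.phase_costs.values())

    def annual_exposure(self) -> float:
        return self.attempts_per_year * self.p_success() * self.impact()


def evaluate_control(sc: Scenario, stage: str, new_p: float, yearly_cost: float) -> dict:
    """Exposure before and after a security investment that lowers one stage's success probability."""
    before = sc.annual_exposure()
    hardened = Scenario(sc.name, sc.attacker, sc.attempts_per_year,
                        {**sc.stage_success, stage: new_p}, sc.phase_costs)
    after = hardened.annual_exposure()
    return {"before": before, "after": after, "risk_reduction": before - after,
            "net_benefit": before - after - yearly_cost,  # is the control worth its cost?
            "residual_for_insurance": after}              # what is left to transfer


# Constructed scenario: ransomware halting a production line (hypothetical figures).
PRODUCTION_HALT = Scenario(
    name="ransomware on production network", attacker="organised crime", attempts_per_year=4.0,
    stage_success={"reconnaissance": 0.9, "weaponization": 0.9, "delivery": 0.5, "exploitation": 0.4,
                   "installation": 0.6, "command_and_control": 0.7, "actions_on_objectives": 0.5},
    phase_costs={"breach_and_detection": 500_000, "containment": 1_500_000,
                 "remediation": 3_000_000, "recovery_and_lost_business": 20_000_000},
)

if __name__ == "__main__":
    # Hypothetical control: mail/web filtering cuts delivery success from 0.5 to 0.2 for 800 kEUR/year.
    for key, value in evaluate_control(PRODUCTION_HALT, "delivery", 0.2, 800_000).items():
        print(f"{key:>24}: {value:>14,.0f} EUR")
```

Running two sites' probability estimates through the same model makes the divergence the article mentions visible as two exposure figures for one scenario.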

Conclusions:

• We believe this methodology is key to obtaining valuable insight into our cyber risk exposures.
• This process needs to be performed regularly and as exhaustively as possible.
• We have to be able to roll out the process across the whole company, its products and its locations.
• We must be able to work with operations.
• SPICE provides elements for the risk manager to enlarge the current scope of ERM to encompass cyber risks.

When it comes to cyber risks, many challenges remain in front of us. There is simply no single response. At the same time, there is no alternative to the development of the digital economy, and industry has to adapt, using the new possibilities offered by technology to improve efficiency, reliability and profitability. This opportunity, however, generates in itself new risks which have to be addressed and for which a dedicated risk management policy has to be defined. We need a collective effort coordinated between industry, the insurance market and the public authorities. It is time to move from awareness to action.

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, is a member of AMRAE and has been supporting FERMA in the development of its response to the European Commission’s consultation on cyber risk. He is also working with François Beaume, President of AMRAE’s commission on information systems.


Cyber security is an enterprise risk, FERMA tells the European Commission

Cyber security requires an enterprise-wide approach, and the risk manager’s role is to help the company achieve effective, data-based enterprise risk management, the Federation of European Risk Management Associations (FERMA) has told the European Commission.

Click above to read the FERMA response to the Commission’s consultation on public-private partnerships in cyber security

In its response to the Commission’s consultation on public-private partnerships in cyber security concluded last week, FERMA stated: “Businesses have difficulties with reaching a basic level of protection often due to a lack of risk insights and data driven risk mitigation.”

FERMA President Jo Willaert commented: “The boards of organisations need to understand that cyber risk is not only an IT risk; it is an enterprise risk. In that respect, we advocate a central role for the risk management function. Without being an IT specialist, the risk manager provides expert advice to support the board and the CEO. He or she is working hand in hand with the operational units such as IT, legal and internal audit.”

FERMA stressed that this overview of cyber risks across an organisation, including its supply chain, is critical, especially with the development of the Internet of Things. Using scenario-based analysis, the risk manager can quantify the overall cyber risk exposure and validate mitigation strategies on an enterprise basis.

FERMA also argues that public intervention is necessary in order to help organisations cope with the challenge of cyber risks. It urges the development of:

  • A framework for the clarification of cross-border liabilities in cyber incidents;
  • A global set of rules for cyber risk assessment that would safeguard confidentiality in incident disclosure and insurance claims;
  • The incorporation of cyber risk governance in legislation and guidance to create an integrated approach to the threats from top to bottom of the organisation.

Jo Willaert said: “Cyber threats are now of a systemic nature. Businesses, governments and insurers, therefore, need to collaborate. We must act now.”

CONTACTS
Ms Typhaine Beaupérin, FERMA CEO: typhaine.beauperin@ferma.eu, tel: +32 (2) 761 94 31
Lee Coppack, press contact: lee@coppack.co.uk, tel: +44 208 318 0330/ +44 7843 089904


Cyber insurance market: incentives and improved cybersecurity for organisations

French and British initiatives are taking the role of insurance for cyber risks into account in their national strategy for cybersecurity.

In June 2014, the UK Government launched a joint initiative with some major British insurers to raise the level of IT security in UK companies. Called the Cyber Essentials scheme, it is based on certificates and will ensure that certified organisations have a baseline set of security measures in place. Cyber Essentials has been developed in close consultation with the insurance industry and is backed by AIG, Marsh, Swiss Re, the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA).


Knowledge Corner

FERMA’s selection of recently published useful reports for risk managers.


Paolo Rubini’s insights from the ANRA Annual Conference

On September 25th and 26th the 15th edition of the Annual ANRA Convention took place in Milan, an event which over the years has established itself as the most important opportunity to discuss and reflect on risk management issues in our country. This latest edition was attended by over 400 guests, including over 100 risk managers and insurance managers, 161 insurers and reinsurers, 64 brokers, 46 company enterprise experts and 14 institutions, universities and associations, to which more than 60 staff members must be added. This is an unprecedented success in the history of ANRA, which puts us on a par with the most successful events in Europe, such as the one sponsored by FERMA, the European Federation of Risk Management Associations, and with major associations such as AIRMIC in the UK, AMRAE in France and DVS in Germany.


Why do cars have brakes?

Risks are evolving at an increasing rate, and so is the role of risk managers.

From global risks mapping to the transition from risk management to risk leadership, Julia Graham’s presentation to the FUEDI General Assembly brilliantly pinpoints the key challenges and opportunities presented to risk managers by our ever riskier world.

So why do cars have brakes? So you can drive safely.

But the driver first needs to know where the brakes are and how to use them…


Future Data Protection Regulation for holding private data?

The EU regulator is in the final stages of adopting the Data Protection Regulation, which will set up new rules for operators on how private data must be managed.

In March 2014, the European Parliament strengthened several requirements, raising the applicable fines for breaching the rules to up to €100 million or 5% of annual worldwide turnover (whichever is greater), whereas the original proposal of the European Commission suggested fines “only” up to €1 million or 2% of annual worldwide turnover.


FERMA participation at the 3rd Network & Information Security Platform plenary

Launched in February 2013 by the Cybersecurity Strategy of the European Union, the public-private Platform on Network and Information Security (NIS) is looking to develop secure and effective risk management practices for information and communication technology.


BELRIM Newsletter April 2014

Table of contents

• People on Board – Our Vice-President
• FERMA Risk Management Benchmarking Survey
• Scientific Committee Kick-Off Meeting
• Bribery & Corruption
• Postponed due to Football – General Assembly cannot compete with Red Devils
• Cloud Computing – Revolution or Nightmare?
• New Effective Member
• New Affiliated Member
• New Affiliated Member
• Risk Management Katern
• Interview with Carl Leeman on Modern Risk Management
• Cloud Computing – the key questions Risk Managers should ask themselves


Knowledge Corner

Starting from this edition, the FERMA newsletter will feature reports and good practice guides on risk management topics from FERMA members and selected other experts that can be useful for members. Suggestions for future editions are welcome. Please email christel.jaumoulle@ferma.eu