Tag Archives : IT

Expert Views: Cyber risks, the SPICE Initiative at Airbus

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, member of AMRAE

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, describes the development of a response methodology to create resilience against cyber risks.

There are three main obstacles to a good understanding of cyber risks in our organisations, which I believe are common to most businesses:

1/ It has long been perceived as an IT issue only, so the related business impact is neglected. This is especially critical with the increase in connectivity of industrial systems.

2/ Confidentiality is a major obstacle to a clear and open analysis of this risk, since information management is itself a critical security issue; even creating a list of potential vulnerabilities is a major concern.

3/ Finally there is a fear that disclosing a cyberattack suffered or even admitting a potential vulnerability could endanger the reputation of the company.

To get over these obstacles, the risk manager has to be able to demonstrate to the CEO or the executive committee the possible financial impact of a massive cyber attack in terms of business interruption and loss of business opportunity. For this, the risk manager needs data to show the organisation’s current state of cyber resilience, past and future cyber protection investments, and mitigation of the risk.

We must also be able to explain the legal and regulatory implications of dealing with data breaches, especially under US laws, and the protection of critical infrastructures under French and EU laws.

The risk manager needs a cyber risk map of the information system of the organisation showing the most sensitive assets to be protected. Finally he or she will use this information to engage with the insurance market.

We found that no convincing method had already been developed for doing this, so we had to develop one. SPICE stands for Scenario Planning to Identify Cyber Exposure. It is an initiative sponsored by the CFO of Airbus Defence and Space and initiated by me as Head of Insurance Risk Management. It is a pilot programme for a business impact analysis to identify cyber-related disaster scenarios that could affect our operational capability, and it is truly innovative.

No convincing method available

SPICE needs high level technical experts who know the cyber threat environment of the organisation. To start, we gathered representatives of all the functions as well as from IT and information management security to:
• Educate the operational managers about the new cyber threats;
• Discuss the security issues with great care;
• Openly consider some potential cyber attack scenarios – and not assume it could not happen to us;
• Support ‘impacted’ functions and information management security on quantification.

Building the scenario

Attacks: We focussed on identifying potentially catastrophic scenarios:
• Who might attack us and what would their motives be?
• What functions and assets would be impacted?
• How would we recover and how long would it take?

Cost: We calculated the business and operational impact with inputs from operations. We split the scenarios into four phases from security breach to recovery, including investment in remediation, to estimate the possible costs at each phase. What did we learn from this?
• The numbers relate to our financial exposure – but there is no final number.
• Management has to play a part.
• The objective is to reach a consensus that is acceptable to everyone and valid for our analysis.

Probability: Local information management security then evaluated the technical probability that an attack succeeds at each step of the process. For this we used the Cyber Kill Chain developed by Lockheed Martin, which plots the stages of an attack, from preparation through intrusion to active breach, against the time involved.

Lessons: This same method applied by experts at two different sites produced two different probability numbers. We learned that we need a homogeneous approach, but that it also has to be associated with different types of attackers, from malicious individuals to organised criminals or foreign government agencies. We have to ask: why would they undertake the specific attack which is the subject of our scenario?

Mitigation: SPICE helps us develop our mitigation security plan and link it to business needs. We measured the costs of implementing further IT security measures to reduce the probability of occurrence and as a consequence the resulting exposure. After making this IT investment, it makes economic sense to evaluate how to mitigate the residual exposure through insurance. We have the basis for a dialogue with the insurance market to complement this mitigation strategy with an insurance programme tailored to our needs.

Conclusions:

• We believe this methodology is key in obtaining valuable insight into our cyber risk exposures.
• This process needs to be performed regularly and as exhaustively as possible.
• We have to be able to roll out the process across the whole company, its products and its locations.
• We must be able to work with operations.
• SPICE provides elements for the risk manager to enlarge the current scope of ERM to encompass cyber risks.

When it comes to cyber risks, many challenges remain in front of us. There is simply no one response. At the same time, there is no alternative to the development of the digital economy, and industry has to adapt thanks to the new possibilities offered by technology to improve efficiency, reliability and profitability. This opportunity, however, generates in itself new risks which have to be addressed and for which a dedicated risk management policy has to be defined. We need a collective effort coordinated between industry, the insurance market and the public authorities. It is time to move from awareness to action.

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, is a member of AMRAE and has been supporting FERMA in the development of its response to the European Commission’s consultation on cyber risk. He is also working with François Beaume, President of AMRAE’s commission on information systems.


Meeting the Cyber Risk Challenge

Information security and privacy have become significant areas of concern over the past three years for global executives, who are all too aware that the security and integrity of customer, client and internal data are vulnerable to attack. Commitment to security awareness, initiatives, and processes is rapidly becoming an important part of the corporate culture at the vast majority of companies, because leaders know that cyber security is fundamental to how they conduct business and manage their business relationships. Yet in a recent survey of risk managers in Europe, many companies believe they still face significant challenges.


FERMA seeks answers on management of cyber risks

Cyber risks are continuously evolving as technology advances and our dependence on IT grows. Tackling such a rapidly moving target is a challenge for organisations and doesn’t necessarily fit within the existing structure of enterprise risk management. What is the role for the enterprise risk manager when the IT department has responsibility for cyber risks and even has a specialist IT risk manager? Will the manager of insurable risks be put in an awkward position because coverage is simply not easy to find or insurers are wary about the exposures?


Who is managing the cyber risks?

In August this year, at least three major energy companies in the Middle East suffered computer virus attacks. The disruption was considerable, although only desktop computers and email were affected, and not production. These are unlikely to be isolated incidents. Experts warn that an increasing number of viruses will be aimed at the operations of specific industries, companies or countries. It’s not surprising that threats from cyber space are frequently among the top 10 risks quoted by risk managers today.


Social media reputation damage high on risk managers’ list of concerns: Press Coverage

Social media reputation damage high on risk managers’ list of concerns (Press Coverage of FERMA Press release 23 October 2011)


Cyber risk survey results

Social media are a great means of communicating and building communities. At the same time, their implications for company reputation are a real concern for risk managers. This is the finding of an online survey on cyber risks conducted by FERMA and the Institute of Risk Management (IRM). The survey, which took place just ahead of the Forum, received a total of 186 replies from members of the two organisations. They were asked which three cyber risks they regarded as the greatest threats to business in general and to their own organisation and then how these risks were managed.


Social media reputation damage high on risk managers’ list of concerns

Social media and the potential they pose to reputation risk and protection of confidential information are significant risks to European businesses, according to a survey by the Federation of European Risk Management Associations in cooperation with the Institute of Risk Management (IRM). Risk professionals from both organisations were asked which three cyber risks they thought were the greatest threats to business in general and to their own organisations. A total of 186 replied to the online survey during August and September (2011) intended to inform the two organisations’ discussion about risks of the virtual world.


Freedom from the conference curse

A new gadget, free for FERMA members at the Stockholm Forum, will vanquish the usual curse of the successful conference – a thick wedge of business cards that need to be typed into your address book and a big bag of literature to carry back. On registration, members will receive the JLT ClikIN device.