BDQCRM Cyber Risk Management Intelligence Top 12 Final 080216
1. Managing Digital Earnings In an Unknowable Environment
Transformation Begins From Within
The Art of Healing
Cyber Risk Management Intelligence
Black Diamond Quantitative Cyber Risk Management Group
Mitchell Grooms
Dr. Robert Mark
Michael F. Angelo
3. Cyber Risk Management Strategy
Maximize Net Profits while mitigating risks in a changing Cyber Environment
[Chart: Net Profits plotted against Time, showing the cycle]
4. Tectonic Shifts Impact Net Profits
Credit Risk Seismic Shift 2007
• Risk Models break down
• Black Swans arrive
• Significant decline in Asset valuations
• Faulty Risk measures in stress markets
• Unprecedented market disruptions
• Funding Liquidity crisis
• Major corporate failures
• Failure to harmonize and integrate risk: uncover Unknown Unknowns
• Great Recession
Cyber RM Seismic Shift Q4 2015
• Shift in attack surface (malware to accelerated privileges) with increasing vulnerability
• Visible, high complexity attacks: scaled, staged with exponential impact
• Increasing frequency, rising severity
• Limited measures of Cyber Risk
• Corporate ecosystems under attack
• June 7th, 2016 SWIFT Alert
• Corporate Infrastructure overrun, weakest failing first
• Failure to harmonize and integrate risk: uncover Unknown Unknowns
• Breaches challenge company survivability in a stress environment, i.e. Verizon, SWIFT
5. Cyber Survival Cycle
[Chart: score (30 to 100) over time through the phases Init, Attack, Analysis, Recover, Normal, Attack, Analysis, Recovery, Attack; marked points: Will Activates, Death Cycle, Failure, Death]
Business Goal = 95%
Attacks lower score
Analysis halts drop
Remediation Raises Score
Blue is US Treasury Kill Line
Cybersecurity event is a protracted disruption or event that severely impacts reputational risk
Living Will Initializes by the parameters above causing orderly resolution to start
7. Cyber Risk Management Embedded Options
Frequency : Likelihood of a successful cyber event
Severity: Magnitude of a successful cyber event
Choice: Mitigate vs Accept Potential Cyber Risk
Price Insurance: Function of frequency & severity
[Chart: Likelihood as Frequency (number of years) against cost; regions labelled Mitigate Cyber Risk, Accept Cyber Risk, Acceptable cost of risk, and "You are out of business!"]
8. Who’s Testing Your Security?
We hope you are more successful than the hackers, but…
Even with all the investment, the bad guys are still getting in!
Why?
- We don’t have what we think we have, and there are gaps even in what we do.
- The bad guys always exploit the gaps.
9. Our Solution: 3 Steps
Scoring the Personalization of Your Infrastructure
Normalizing Your Cyber Risk Database
Cyber Risk & Cyber Capital Management Program
Step 1 – Scoring, the Personalization of Your Infrastructure
Complete Cyber-Eco System Analysis
Cross Mapping to multiple standards
Risk Scoring
Attack Analysis and Risk Scoring
Step 2 – Normalizing Your Cyber Risk Database
Changing the past to wisdom
Step 3 – Cyber Risk & Cyber Capital Management Program
Mastery, Healing, Managing Net Profits
10. Security Risk Intelligence (Cyber Defense)
• Fighting as a strategy
• Costs directed at corporate shield
• No Scoring Metrics
• Threat Hunting
• Not aligned with business vision, goal
• Reactive
• Uncover unknown unknowns
Plus Cyber Risk Intelligence
• Risk measures plus culture
• Net profit orientation, costs directed at making risk transparent
• Scoring Metrics
• Makes Cyber Risk transparent at the infrastructure level, evolving risk metrics with increasing digitization of the business
• Aligned with business vision, goal and Risk return tradeoffs
• Proactive
• Discover the unknown unknowns
Harmonizing & Integrating Intelligence
11. Call to Action – Time to Show Up!
Create a Cyber Risk Management Committee
Organizationally the authority needs to be as high up as possible – ideally at the Board
Complexity of Cyber makes it the greatest Risk challenge ever
Create Two Actionable Teams
The composition of the teams is Security and Risk Management members with the necessary capabilities and skills
How to populate the teams?
Teams must create a common means of communication and harmonize and integrate Security and Risk Management into a workable, actionable Cyber Risk Management Intelligence Unit that is competitive and differentiating in nature as per the organization's corporate vision
R&D in the quantification of Cyber Risk must be innovative, given the introduction of new elements into the evolving attack surface
IoT 2020 = 50B connections; assume 10% measured
12. The Future is Now, What Will You Do?
If you can’t measure the Cyber Risk, you can’t manage it. Can you measure your Cyber Risk?
Given everything you have done to protect your organization, you are still getting hacked. Do you know why?
Do you have an appropriate allocation of Cyber Risk with a transfer pricing mechanism across your Business Units?
Do you have a value driven Cyber Risk Capital Management program?
Do you know how to capture your orderly resolution in your Living Will in the event of a protracted business disruption and/or reputational risk impairment due to a high impact Cyber attack?
Is the primary focus of your company Security Risk Management (“fighting”) or Cyber Risk Management of your net profits while mitigating risks?
Speaker notes
At each point in the cycle, A, B, C, D, the strategy for a healthy company, profits, is different. Asset values, i.e., mortgages, appreciate from A-C and their value must be protected from C-A. Every new cycle peak exceeds the previous cycle peak. Over the course of the history of Risk Management we have learned how to measure and manage risk by understanding the embedded options in a risk complexity that is behind the etiology of a specific risk, i.e., by understanding the embedded options associated with mortgages we were able to manage the granularity of mortgage related risk. The solution, once known, caused the normalization of systems of record of financial institutions to produce successful risk management results. The same methodology and processes can be applied to Cyber Risk to quantify and manage the complexities of Cyber Risk. Cyber Risk is the greatest, most complex risk encountered to date. The nature of Cyber Risk is unlike any other discovered risk. It is also one of the most damaging risks ever discovered because of its exponential nature and ability to change forms.
Cyber Risk events are operational and morph to credit risk events exponentially in an organization. The impact of cyber risk frequency and severity causes dramatic swings in net profits, based on the unique corporate attack surface, infrastructure, of a company. The etiology of the impact, whether the incident(s) are terminable or remediable, is a function of two critical inventories, 1) connectivity and 2) externalities.
We have had more tectonic Risk events in the Cyber Risk era (2005 to Present) than all other risks combined over the last 50 years. The great breakdown in the history of Risk Management is happening today because of the failure to create, design and implement a viable risk management solution to measure and manage Cyber Risk. The June 7th SWIFT alert, which is a Cyber Risk event, is evidence of the system-wide failure of Security Risk. The Verizon hack is a close second. The recent Oracle hack is yet to be understood. It is very likely that Fireeye will also be hacked. Large financial institutions are already modeling the implications of a SWIFT meltdown. First Data is a very likely next up hack. In the near term a protracted large institutional disruption is highly probable. Many of these hacks will be successful because the Security focus was on fighting hackers versus protecting critical corporate infrastructure first via Scoring. The SWIFT alert is likely to generate a minimum Regulatory response that mandates the closing of the Cyber Risk infrastructure gap.
In a 100 point Scoring methodology, financial intermediaries are obligated to maintain a constant score of 98.5, and corporations are obligated to maintain a constant score of 95. A score of 50 or less is a terminable risk for any institution or corporation. A sampling of companies and financial intermediaries would currently reflect levels that are substandard for conducting business (at or below 50). A score of 50 or less could trigger the execution of the orderly resolution of a financial institution, and this process (how it would be executed) must be accounted for in the Living Will requirements defined by Dodd Frank and managed by Regulators.
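The survival-cycle score of slide 5, the frequency/severity choice of slide 7 and the thresholds in the paragraph above, worked as an added example; this is not the authors' model. The point deltas per phase and the "transfer" branch are assumptions; the page supplies only the thresholds (98.5, 95, 50) and the direction each phase moves the score.

```python
from dataclasses import dataclass

# Thresholds from the notes: 98.5 for financial intermediaries, 95 for corporations;
# 50 or below is a terminable risk (the "kill line") that activates the Living Will.
GOAL = {"financial_intermediary": 98.5, "corporation": 95.0}
KILL_LINE = 50.0


@dataclass
class Event:
    kind: str           # "attack", "analysis" or "remediation"
    points: float = 0.0 # assumption: attack severity or remediation gain in score points


def step(score, event):
    """One phase: attacks lower the score, analysis halts the drop, remediation raises it."""
    if event.kind == "attack":
        return max(0.0, score - event.points)
    if event.kind == "analysis":
        return score
    if event.kind == "remediation":
        return min(100.0, score + event.points)
    raise ValueError(f"unknown event kind: {event.kind}")


def run_cycle(events, entity, start=100.0):
    """Walk the phases; report trajectory, low point, Living Will activation, goal status."""
    trajectory, living_will = [start], False
    for ev in events:
        trajectory.append(step(trajectory[-1], ev))
        if trajectory[-1] <= KILL_LINE:
            living_will = True  # kill line reached: orderly resolution starts
    return {"trajectory": trajectory, "low": min(trajectory),
            "living_will": living_will, "meets_goal": trajectory[-1] >= GOAL[entity]}


def expected_annual_loss(return_period_years, severity):
    """Slide 7 states likelihood as a return period in years; assume one event per period."""
    return severity / return_period_years


def mitigate_or_accept(return_period_years, severity, mitigation_cost, acceptable_cost):
    """Accept within the acceptable cost of risk; mitigate if the control costs less than
    the expected loss; otherwise transfer via insurance priced on frequency and severity."""
    eal = expected_annual_loss(return_period_years, severity)
    if eal <= acceptable_cost:
        return "accept"
    return "mitigate" if mitigation_cost < eal else "transfer"


# Constructed scenario: a financial intermediary through two attack waves.
SAMPLE_EVENTS = [Event("attack", 12), Event("analysis"), Event("remediation", 10),
                 Event("attack", 30), Event("analysis"), Event("attack", 25),
                 Event("remediation", 20)]
```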
S&P does a rating based on criteria that excludes an explicit view of the quality of risk management in a system. Rating Agencies believe that if you are not doing good RM the rating drops, and this is included in their ratings review. Ratings by means of Cyber Risk Scoring can measure the Cyber Risk so you can manage the Cyber Risk. Scoring is a personalization of the unique infrastructure of a company to capture all of the embedded options or key risk indicators from a Cyber Risk perspective, i.e., the IT and Process assessment based on an ERM framework of the two key inventories that comprise the infrastructure in a digital economy, 1) connectivity and 2) externalities (FFIEC definition). The entire ERM framework is the basis of quantification, business intelligence, transparency, safety and soundness.
The key to success is the harmonization and integration of Security Risk and Cyber Risk Management. Mastery is accomplished through the quantification of Cyber Risk, including all the necessary elements of Risk Management: frequency, severity, weighting, modeling, model vetting, valuation, pricing (specifically, Cyber Insurance Premiums), Cyber Risk Transfer Pricing, Cyber Risk Management, Cyber Risk Capital Management, Cyber Risk Stress Testing and more.
We hope you are more successful than the hackers, but…
So why, with all the investment, are the bad guys still getting in?
We don’t have what we think we have, and there are gaps even in what we really do.
The bad guys exploit the gaps.
The intrinsic model is 1) Personalization, 2) Normalization, 3) Mastery. Phase I Scoring moves the ball from reactive, which is the domain of Security Risk Management and Security Intelligence, to preventative, proactive Cyber Risk Management and Cyber Risk Intelligence. Closing the current infrastructure Scoring gap shrinks the corporate attack surface from the existing corporate score to 98.5 for financial institutions and 95 for corporations. At the end of Phase I, account decisions about Cyber Insurance pricing and the purchase of Cyber Risk Insurance are possible based on an accurate assessment of the existing corporate infrastructure. No Insurance company or vendor has accomplished a valuation or pricing rationale for Cyber Insurance that is viable to date. This is the heart of the current breakdown regarding Cyber Risk. We can provide the breakthrough with our Scoring and quantification solutions to solve this breakdown and cause a viable, transparent breakthrough in measuring and managing Cyber Risk.
The goal is to maintain operational excellence above 98.5% for financial institutions and 95% for all other corporations and business entities. Fighting cannot be the end-all and be-all of Cyber Risk. The goal of Cyber Risk Intelligence is to manage net profits, ultimately viability, while mitigating risks. This methodology is designed to measure the risk so you can manage the risk. The process is transparent. The solution is proactive, aligned with the business vision, goals and risk return tradeoffs.
Create a Cyber Risk Management Committee
Organizationally the authority needs to be as high up as possible – ideally at the Board
Complexity of Cyber makes it the greatest Risk challenge ever
Create Two Actionable Teams - 1) The Infrastructure Security Assessment Team, 2) the Business Innovation Team
The composition of the teams is Security and Risk Management members with the necessary capabilities and skills, i.e., IT, Business Process, Quantitative Risk Management Analytics, Big Data
How to fill them? Choose 1) an internal team, 2) an external team, or 3) a combination; harmonizing and integrating 1 and 2 successfully accomplishes your results
Teams must create a common means of communication and harmonize and integrate Security and Risk Management into a workable, actionable Cyber Risk Management Intelligence Unit that is competitive and differentiating in nature as per the organization's corporate vision
R&D in the quantification of Cyber Risk will be innovative because of the introduction of new elements into the evolving attack surface, AI, VR, etc.
In 2020 IoT will have 50B connections, 10% measured.
Special Note: Think about the HC System of Records issue as it relates to a Cyber Risk Management normalized database. There are two paths, 1) an external team (95% of the time this path is chosen) and 2) an internal team (5%); compare and contrast the two paths.
Roadmap to results, which by necessity incorporates a transformation of the corporate Digital Enterprise strategy that is led by creating a secure infrastructure technology architecture (SITA) to ensure trust and deliver critical information property (Consumer, SBA, other) services, products and value propositions to clients. Security Risk Management is a secondary albeit necessary activity which is aligned with Cyber Risk Management, which is focused on managing net profits and corporate viability. CROs will drive the quantification of Cyber Risk to incorporate Digital Risk and Cyber Security into the historical domains of ERM, i.e., Credit, Market and Operational Risk.