12th Swiss Cyber Think Tank
“Cyber Risk & Insurability: Cyber Security and GDPR are one of the same topic: Secure Manufacturing & Secure Production”
Hosted by Roche and AIG
Planned for 7 February 2019
11th Swiss Cyber Think Tank
“Cyber Risk & Insurability: Cyber Security and GDPR are one of the same topic: Data Management”
Hosted by CA Technologies
27 September 2018
Moderation: Petra Wildemann
from 14:30 on: Welcome and Coffee
15:10 Technical and Pricing models
16:30 Coffee Break
16:45 Hacking & Cyber Attacks
18:00 Closing and Apéro
Pro-active cyber insurance pricing model
By Petra Wildemann
Chair and Founder of the Swiss Cyber Think Tank
Petra Wildemann presented the research work of the “Proactive cyber insurance pricing model”, which addresses the need for a better framework to interpret data from cyber attacks and cyber crime under the constraint that historical data is often lacking. Cyber risks are man-made in a fast-changing, technology-driven world, and that is one of the challenges we all face.
In her presentation, she made note of the controversy concerning the refusal, by Everest Insurance, of a claim made by National Bank of Blacksburg. For a cyber-related claim of only $2.3 million, the insurer refused to pay for two consecutive cyber attacks on ATMs within 8 months, despite the fact that the bank had a cyber cover for $8 million. With due respect to the accumulation risks, potentially as high as billions of dollars, which understandably frighten insurers, the reputational effects of this non-payment might well be ultimately more damaging to the insurance industry.
The White Paper to which she referred, “Proactive Cyber Insurance Pricing Model / Cyber Insurance Incentive Model”, a simple concept based on the effective execution of the written incident response plan, was extensively discussed. The cyber risk model was compared to auto insurance (which still costs insurers more than cyber risks), health insurance (with its attendant risk of loss or theft of personal data) and property risk models. The cyber risk model differs because the risk factors have an influence on the insured risks, while in the traditional risk models there is no direct influence between the risk factors and the insured risks.
Find your IT-risk culprits: your user! (and your practices)
By Mark Korondi
Managing Director, Korondi Cloud Consulting
Mark Korondi presented an easy-to-grasp summary of the real-world IT-security threats that affect companies from small to large businesses.
In this presentation, the audience learned that in our computerized world, contrary to common belief, cyber crime mainly affects not companies whose activities are related to IT services but those who usually don’t have the personnel to implement security practices and to educate employees and end users.
A brief technical outlook helped the audience understand how the modern, cryptography-based secure protocols that all of us use every day work; HTTPS is ubiquitous across desktop computers and mobile devices and, thanks to the IoT revolution, will soon be in our households as well.
At the end of the presentation, a two-minute video demonstrated how easy it is to trick nearby people at an airport into leaking their passwords.
10th Swiss Cyber Think Tank
“Cyber Risk & Insurability: EU eGovernment Benchmark & GDPR”
Hosted by Vaudoise
28 June 2018
The 10th Swiss Cyber Think Tank (SCTT) was hosted by Vaudoise and took place at Vaudoise in Lausanne. I would like to thank the host for the organization and the commitment to our 10th Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: EU eGovernment Benchmark & GDPR”.
A special thank you to Jesús Pampin for the celebration cake of the 10th Swiss Cyber Think Tank!
10th Swiss Cyber Think Tank at Vaudoise in Lausanne
Thank you to Vaudoise for hosting the 10th Swiss Cyber Think Tank
A warm thank you to our presenters Andreas von Ow of Kudelski Security, Daniel von Büren of Microsoft, Petra Wildemann of Arocha & Associates.
Kudelski Security presented the Lessons Learned of Incident Response. During the presentation, Andy von Ow gave key answers to the question of where Incident Response fits in relation to an incident. With inspiring examples, he pointed out that incident response in action requires three steps, from Detection and Analysis, through Containment, Eradication and Recovery, to Post-Incident Handling. Andy von Ow stressed that all steps need to be performed. Missing only one step can disturb an environment, as he explained in his example where a global organization with factories all over the world was facing a malware attack: the malware hidden in their computer environment deleted random files on their networks. In a second example, a global manufacturing company with offices and factories world-wide was asked by the attacker for a ransom payment in exchange for the decryption key. In his conclusion, Andy von Ow pointed out that preparation and appropriate planning are required before an incident, that incident response is required during an incident and afterwards, and that two of the main parts of the aftermath are documentation and analysis of the Lessons Learned!
Microsoft presented the technical fundamentals of GDPR compliance and what GDPR means to Microsoft, which has been GDPR-compliant across its cloud services since enforcement began on 25 May 2018. The trusted cloud principles range from Security, Privacy & Control and Compliance up to Transparency, where customers know what is happening with their data and who has access to it. Daniel von Büren explained in his presentation the different steps Microsoft took internally to achieve GDPR compliance and to bring the technical solution to their customers so that they can be GDPR-compliant as well. Daniel von Büren pointed out that the definition of the scope includes not only the legal requirements but also the business requirements, leading into controls, milestones and workstreams. In his presentation, Daniel von Büren showed the tasks of the compliance manager, from a real-time risk assessment to recommended actions, workflows and audit-ready reports for cloud services within different compliance standards. Internal webinars, train-the-trainer programs and technical and privacy documentation for customers are available in order to fulfill the regulatory obligations.
“GDPR is not only an IT topic, although managers like to look for a tool to solve the compliance issue,” mentioned Daniel von Büren.
Petra Wildemann of Arocha & Associates presented the topic GDPR Implications in Actuarial Work. Given the impact of big data and the requirements of dealing with portfolios in order to calculate premiums, reserves and liabilities, actuarial services require modern and compliant technologies in a safe cloud environment. The complexity of the GDPR compliance requirements is huge and requires the integration of multiple technology solutions, processes and procedures. Actuaries of different business lines in Life, Health, Pension and Property & Casualty insurance require access to aggregated data. Petra Wildemann explained the different steps in the Risk-Alert plan and the requirements of the seven compliance areas, from recording, structuring and valuating data for the underwriting processes to the calculation of reserves and liabilities. The anonymisation of data is a very important topic, so that actuaries can perform their services and remain compliant, in addition to working with cloud technologies where the data is safe and compliant according to the regulations. Petra Wildemann gave examples of the complexity of the distributed data for different insurance lines. In particular, she pointed out the difficulty for health insurance portfolios with respect to big patient data distributed across various third-party locations. She gave examples to underline the risk in the Health sector in the UK, because data of individuals sells at high prices on the dark web and breaches in the health sector are often reported as a high risk.
GDPR compliance is a complex undertaking that will impact every department, including legal, compliance, privacy, finance, and others. Therefore, organisations may need to integrate multiple technology solutions, as well as update internal processes and procedures, to comply.
9th Swiss Cyber Think Tank
“Cyber Risk & Insurability: A Holistic Approach to Cyber Risk”
Hosted by Microsoft and Optimity Advisors
25 January 2018
The 9th Swiss Cyber Think Tank (SCTT) was hosted by Microsoft and Optimity Advisors and took place at Microsoft in Wallisellen. I would like to thank both hosts for the organization and the commitment to our 9th Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: A Holistic Approach to Cyber Risk”.
A warm thank you to our presenters Dr. Doron Zimmermann of PostMail, Dustin Ingalls, Daniel von Büren and Sasa Vidanovic of Microsoft, Alex Verboon and Tamás Szivós-Aradi of Swiss Re, Daniel Caduff and Dario Walder of the Federal Office for National Economic Supply FONES.
Microsoft presented the Core Principles of the Threat & Identity Management solutions. It is important to be ahead of those who do harm to technology and systems and to understand how criminals operate. This requires an understanding not only of the Internet of Things, but also of the complexity and the underlying security processes of Cloud Technology. The presenters demonstrated the Intelligent Security Graph through the real-life scenario of an email with a criminal purpose entering the network. A use case demonstrated the five key pillars of a modern security strategy, Identity, Threat Protection, Information Protection, Security Management and Intelligence, and how important it is that all five pillars are part of the overall cyber security strategy. The presenters also showed how people in the Microsoft Cyber Defense Operations Center protect, detect and respond to cyber-threats in real time, as well as how the Microsoft Digital Crimes Unit is helping to fight cyber crime on a global level.
Dr. Doron Zimmermann presented the topic: “The Antagonists - the Risks of Insider Threats and Counter-Intelligence”. The generally underestimated spectrum of insider threats includes not only the near stereotypical disgruntled employee, but also increasingly espionage, embezzlement and sabotage. His practical examples illustrated the tangible reality of the insider threat. Self-satisfaction, willful ignorance and outright denial of the insider threat is ubiquitous and therefore problematic. The impact of the insider threat may well lie in the realm of trust and reputation damage; it is not all about money.
The presenters Daniel Caduff and Dario Walder from the Federal Office for National Economic Supply FONES presented the ICT Minimal Standards (for the power and food supply industries) which protect Switzerland from damage due to Cyber Risks. For both industries, the early detection of, resilience to, and reduction of cyber risks are important factors. The ICT Minimal Standards and the activities for a risk-based approach were shared with the audience.
Comment to the 9th Swiss Cyber Think Tank: “Cyber Risk & Insurability: A Holistic Approach to Cyber Risk”
8th Swiss Cyber Think Tank
“Cyber Risk & Insurability: Economic Impact / Market View and Loss Accumulation Scenarios”
Hosted by TransRe
26 October 2017
The 8th Swiss Cyber Think Tank (SCTT) was hosted by TransRe and took place at TransRe in Zürich. I would like to thank the host for the organization and the commitment to our 8th Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: Economic Impact / Market View and Loss Accumulation Scenarios”.
A warm thank you to our presenters Rhett Hewitt of TransRe, Daniel Schirat of AXPO, Martin Lampart of Optimity Advisors and Simon Dejung of Scor.
Rhett Hewitt presented a reinsurer’s view of the insurance market, with respect to claims and the latest modelling challenges. The problems of traditional Cyber Insurance claims are systemic, with numerous areas exposed to cyber-attacks. Modelling cyber-risks is a challenge, although there are solutions on the market.
In his presentation of the basic coverage for power supply, Daniel Schirato presented the project “Operational Technology” of the ICT Security department in order to give recommendations and directions to medium-sized companies in Switzerland. He presented the assessment tool for minimal standards, including an evaluation of insured risks.
Martin Lampart demonstrated that cyber-risks are not only the largest risks for enterprises in the upcoming five years, but also those which enterprises are not prepared for. He presented a real-life self-assessment process, which can be undertaken to enable companies to become GDPR-compliant with respect to the new EU regulation and the consequences for Swiss companies.
“The economic impact of cyber accumulation scenarios” is a document developed by the SVV together with several experts on the market from a number of insurers, technology and security firms. Simon Dejung presented the paper along with his view and interpretation. Several use-cases were mentioned to express the views of regulators, brokers, airlines, hospitals and insurers, as well as of transportation and manufacturing firms. They all have in common that a power grid outage after a cyber-attack is critical to a business and everyone involved with it. Future discussions will include business interruption (BI) effects, the complexity and costs of specific and non-specific attacks, and the declaration of cyber events and cyber warfare.
7th Swiss Cyber Think Tank
“Cyber Risk & Insurability: Minimum Standards and Potential Accumulation Loss”
Hosted by AXA-Winterthur
15 June 2017
The 7th Swiss Cyber Think Tank (SCTT) was hosted by AXA-Winterthur and took place at AXA-Winterthur in Winterthur. I would like to thank the host for the organization and the commitment to our 7th Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: Minimum Standards and Potential Accumulation Loss”.
A warm thank you to our presenters Jeffrey Bholasing and Nienke Meester of KPMG, Umberto Annino of Infoguard, Roman Hohl of Palo Alto Networks, Stefan Walder of Staatsanwaltschaft Kanton Zürich and Dr. Carin Gantenbein of Zurich Insurance.
Roman Hohl presented industry trends in cyber-attacks on the healthcare and insurance industries, which have grown to become a $1+ trillion industry. He highlighted changes in the identity of attackers as well as in the techniques they use. Healthcare facilities have complex IT environments with unique challenges and are a target industry, largely because healthcare records are worth ten times more than credit card records.
Information Security – “it’s a trap!”, Umberto Annino said in his presentation, in which he discussed the security requirements from Safety and ICT Security to Cyber and Information Security. The critical assets and the risk appetite require a corporate shield for protection and recovery, with most corporations paying attention at Board and C-level to planning investments for protection in the security process.
Stefan Walder presented Cyber Crime from the view of the Kantonspolizei making clear the seriousness with which they regard this topic and explaining the measures they are taking to combat it.
The regulation which lays down rules to protect personal data and to ensure the free movement of personal data – GDPR compliance – was presented by Jeffrey Bholasing. GDPR uses a risk-based approach for data protection assessments and for determining the obligation for data breach notifications.
Dr. Carin Gantenbein discussed cyber-insurance and the role of the government with respect to minimum standards, reporting and obligatory coverages for cyber incidents. Data theft and business interruptions together make up the majority of cyber-crimes. At this stage, only 2.5% of corporations are protected, mostly large ones. New government regulations could certainly increase this percentage, but she would not recommend obligatory insurance coverage, neither from an insurance nor from a macro-economic perspective.
6th Swiss Cyber Think Tank
“Cyber Risk & Insurability: The Role of the State”
Hosted by Swiss Re
15 March 2017
The 6th Swiss Cyber Think Tank (SCTT) was hosted by Swiss Re and took place at Swiss Re in Zürich. I would like to thank the host for the organization and the commitment to our 6th Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: The Role of the State”.
A warm thank you to our presenters Lutz Wilhelmy, Dr. Maya Bundt and Eric Dunand of Swiss Re, Christian Biener of the University of St. Gallen, and Marc Henauer of MELANI.
Dr. Christian Biener presented his thoughts on Cyber Risk and the role of the state, pointing out the demand for risk coverage in a small insurance market caused by unresolved supply-driven insurability issues. He talked about the pros and cons of state intervention, and what the role of the state could be.
Reasons for insurance regulation were presented by Lutz Wilhelmy, who discussed the public interest of insurance. Insurance contracts are intrinsically multilateral and prone to produce market failures, leading to the requirement for insurance regulation.
Marc Henauer presented the question of whether regulations and standards are the right tools and methods to protect the industry from cyber attacks, criminal or otherwise. The support of insurers for due diligence and international collaboration are important for the economy in general.
In several discussions in smaller groups, the participants discussed the role of the state from various points of view.
5th Swiss Cyber Think Tank
“Cyber Risk & Insurability: Risk Transfer”
Hosted by AIG and PartnerRe
6 October 2016
The 5th Swiss Cyber Think Tank (SCTT) was hosted by PartnerRe and AIG and took place at PartnerRe in Zürich. I would like to thank the hosts for the organization and the commitment to our 5th Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: Risk Transfer”.
A warm thank you to our presenters Oliver Delvos of AIG, Scott Walker of NYA International, Petra Wildemann of Metabiota, Russel Kennedy of Brit Insurance, Michel Dacorogna of Nanyang University and, from PartnerRe, Markus Bassler, Catherine Rudow and Christopher McEvoy.
Petra Wildemann talked about the difficulty of mitigating cyber security risk in the absence of sufficient historical and financial data. She discussed the question of whether cyber-attacks are the biggest risk category that global businesses are unprepared for, and compared them to the global risks of pandemics with respect to data and models.
Is Cyber Insurance at a halfway mark? The question was raised by Oliver Delvos in his presentation, in which he talked about the integrated approach to cyber resilience from an insurance perspective. Cyber insurance is more than a policy, as premiums depend on the industry and the geography in which the insured party operates.
Christopher McEvoy and Catherine Rudow discussed the most exposed industries in the US, which are financial and healthcare providers, retailers, hospitality and the food supply industries. In the US, the focus is on data breach, whereas outside of the US, the focus is on Business Interruption coverages. At this stage, the Cyber Insurance market is mostly US business.
Markus Bassler discussed the interaction of Supply Chain and Business Interruption with respect to Cyber Risk. The more always-connected technology we have, the more we have to critically examine complex global supply chains. Greater vulnerability through globalization, targeting of critical infrastructure, cloud computing, and the demand for constant availability are critical challenges in underwriting cyber risk.
The panel sessions provided additional thoughts from experts in the audience.
4th Swiss Cyber Think Tank
“Cyber Risk & Insurability: A Walking Tour through Security Labs”
Hosted by NAGRA Kudelski Group
28 June 2016
The 4th Swiss Cyber Think Tank (SCTT) was hosted by Kudelski Security and took place at Kudelski Security in Lausanne. I would like to thank the host for the organization and the commitment to our 4th Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: A Walking Tour through Security Labs”.
A warm thank you to our presenters at Kudelski Security under the lead of Andreas von Ow and Karl Zurbriggen.
“Creating the overarching framework for a cybersecurity program is a complex process. Our cyber advisors are experienced at guiding clients in strategy and governance. Combining industry vertical perspectives, cybersecurity knowledge, and business acumen, our experts provide clear, actionable advice that helps set strategic direction, define metrics, optimize compliance efforts, and support an agile governance structure.” (Kudelski’s strategy and governance)
In a variety of presentations and demonstrations of cyber security processes, the audience observed advanced labs and recent innovative developments to protect data against cyber-crimes.
3rd Swiss Cyber Think Tank
“Cyber Risk & Insurability: Are We Prepared?”
Hosted by SCOR
19 April 2016
The 3rd Swiss Cyber Think Tank (SCTT) was hosted by SCOR and took place at SCOR in Zürich. I would like to thank the host for the organization and the commitment to our 3rd Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: Are We Prepared?”.
A warm thank you to our presenters Simon Dejung of SCOR, Alexander Schmidl of Munich Re, Michel Dacorogna of Nanyang University, Petra Wildemann of FTI Consulting, Dario Tizianel of IBM, Umberto Annino of Infoguard, and Eireann Leverett of the University of Cambridge.
Simon Dejung presented the key issues and potential of cyber insurance, raising the key issues of the demand for good predictions, the need to raise awareness and the question of whether insurers are equipped to assess IT security. He pointed out that the interaction of IT Security and Cyber Insurers must be based on established practices in the same way as for health, car, fire and other traditional insurance covers.
From the standpoint of forensic research in cyber risks, Petra Wildemann gave an overview of the growth of cyber risks and the costs of cyber-attacks, offering a comprehensive forecast for the coming ten years. Business Value and Financial Value depend on access to financial and business data in order to mitigate increasing cyber risks. This differs from traditional risk structures.
Cyber Risk from the “Engineering Line” perspective was presented by Alexander Schmidl. The IMIA Cyber Risk working group had already begun to discuss the risks arising from the storage, use, computation and/or transmission of electronic data. Traditionally, in engineering lines, cyber risk has been perceived as causing only non-physical damage, such as the theft or corruption of data.
In a number of workshops and two panel discussions, the presenters and the audience discussed:
- The interface of IT Security and Insurance,
- The modeling of IT systems and infrastructure,
- The modeling and cat-scenarios on portfolios and
- Silent covers, white backs and stand-alone cyber covers.
2nd Swiss Cyber Think Tank
“Cyber Risk & Insurability: The National Strategy for Switzerland’s Protection against Cyber-Risks”
Hosted by MELANI
19 January 2016
The 2nd Swiss Cyber Think Tank (SCTT) was hosted by MELANI and took place at MELANI in Bern. I would like to thank the host for the organization and the commitment to our 2nd Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: The National Strategy for Switzerland’s Protection against Cyber-Risks”.
A warm thank you to our presenters Marc Henauer of MELANI and Petra Wildemann of FTI Consulting.
Petra Wildemann presented questions and discussion points concerning IT standards and security, as well as the current issues raised by IT forensics with respect to events and Cat topics for cyber risks. In her discussion, she raised the question of whether cyber clauses are a valid method for evaluating future cyber risks.
Switzerland is one of the countries with a national strategy to protect against cyber risks. Marc Henauer presented the logical framework of the NCS, with security measures for organizational structures. The strategy for cyber resilience is based on different levels, including prevention, reaction and continuity. MELANI has a Reporting and Analysis Center for Information Assurance, which is based on the MELANI Mandate and its Network and Partners, within Switzerland and abroad.
1st Swiss Cyber Think Tank
“Cyber Risk & Insurability: Managing Cyber-Risk Exposures”
Hosted by FTI Consulting
24 September 2015
The 1st Swiss Cyber Think Tank (SCTT) was hosted by FTI Consulting and took place at “Zunfthaus zur Waage” in Zürich. I would like to thank the host for the organization and the commitment to our 1st Swiss Cyber Think Tank. The motto of this SCTT was “Cyber Risk & Insurability: Managing Cyber Risk Exposures”.
A warm thank you to our presenters Petra Wildemann, Jerry McArthur and Dan Healy of FTI Consulting.
Managing cyber risks and insurability is the topic of the Swiss Cyber Think Tank. Petra Wildemann discussed the growth of the market and noted an increase of 40% in cyber security deals in 2015. She gave an overview of cyber risks in the US and in Europe, where cyber attacks are considered among the top 5 risks globally. Cyber risk in the transport industry is a growth market for hackers; in particular, data and IT systems in transport are difficult risk areas to measure. She gave examples from the airline industry, the marine business, and travel on the ground by car and rail. The Internet of Things is new to millions of people who lack knowledge of the personal data they transfer, and there is little awareness of the enormity of the potential for misuse of hacked information. The key question “Can we insure cyber-risks?” is part of the Swiss Cyber Think Tank.
Dan Healy presented the incidence of cyber breaches within corporations. A concern is the awareness of data breaches on Management and Board levels. Answers to surveys sent to corporations illuminate the potential level of harm, whether deliberate or accidental. He pointed out that a company’s own employees are a major source of risk.
The Swiss Cyber Think Tank will work with their members to answer the following questions over the coming years:
- We constantly send data to different servers - but do we know where these servers are and who can access them?
- The more technology we have in place, the more vulnerable we become.
- Do we inadvertently open doors to criminal or non-criminal hackers?
- In any case, the key questions remain: Can we insure these risks? And what are our risk-modeling needs?
- We stand at the beginning of a long and difficult path, faced with a great deal of uncertainty.
- The insurance industry must carefully consider how it can overcome this uncertainty and prepare us for this new world.