The Future of Cyber Risk

24 Jul 2019

09:00 – 19:00

Times are shown in local time.

Open to: All

Cambridge Judge Business School

Trumpington St

Cambridge

CB2 1AG

United Kingdom

Overview

Cyber risk changes rapidly from one month to the next. Typically, analysts are prepared to assess cyber risk for the year ahead. Business executives, however, need to plan for multiyear investments, returns on capital, and longer-term assessments of risks to their business strategies. In this conference we challenge cyber risk specialists and business risk managers to consider how the risk could be very different over a five- to 10-year horizon, particularly the potential paradigm shifts that could provide strategic shock, and how enterprise risk management strategies can be developed to cope with an uncertain future.

We invite presentations and attendance from a wide variety of specialists and business managers, including cyber security specialists, ethical hackers, academics studying aspects of cyber crime, motivation, and technology, Chief Information Security Officers and their teams, cyber insurance practitioners, and advisors and specialists.

For an overview of the final session and audience voting on The Future of Cyber Risk, and a summary of attendee feedback, see:

Summary of voting and attendee feedback

Meeting partners

Programme

Wednesday 24 July 2019

09:00 – 09:30

Registration and coffee

09:30 – 09:40

Welcome

Professor Daniel Ralph, Academic Director, Cambridge Centre for Risk Studies, and Professor of Operations Research, Cambridge Judge Business School

09:40 – 10:00

The Future of Cyber Risk

Dr Andrew Coburn, Chief Scientist, Cambridge Centre for Risk Studies

10:00 – 10:30

Expecting Strategic Surprise: How our Adversaries Could Evolve Their Tactics

Conrad Prince, RUSI Distinguished Fellow and Senior Adviser Pool Reinsurance; formerly Director General for Operations GCHQ, and UK Cyber Ambassador

10:30 – 11:00

Plus Ça Change: Cybercrime, Past, Present and Future

Dr Richard Clayton, Director of Cambridge Cybercrime Centre, Cambridge Computer Laboratories, University of Cambridge

11:00 – 11:30

Coffee break

11:30 – 13:00

Parallel sessions 1

Lecture Theatre 1

Chair: Tom Harvey, Head of Cyber Product Management, Risk Management Solutions

  • Software Liability, Hackbacks, and Deep Fakes – Erin Burns, Concinnity Risks
  • War Games, Simulations, and Scenarios: Preparing Organisations for Long Term Cyber Resilience – Justin Clarke-Salt, Managing Director, Cyber Security, Aon Cyber Solutions
  • Cybergeddon vs. Cybertopia: Key variables in determining the future of cyber risk – Dr Jennifer Daffron, Cyber Research Lead, Cambridge Centre for Risk Studies

Lecture Theatre 2

Chair: Maria Bada, Research Associate, Cambridge Cybercrime Centre, Cambridge Computer Laboratories, Cambridge University

  • Trends in Hacker Business Models: Lessons from Negotiating with Extortionists – Winston Krone, Managing Director of Kivu Consulting, Kivu Europe
  • Game Theory Approaches to Understanding Future Strategies of Threat Actors – Dr Gordon Woo, Catastrophist, Risk Management Solutions
  • Journey from Black Hat to White Hat: The Psychology, the Tactics and the Future of Cyber Crime – Mike Jones, Security Researcher

Lecture Theatre 3

Chair: Vincent Gilcreest, Tenable.io

  • Red on Blue: Infinity War – Sille Laks, Cyber Security Expert, Clarified Security
  • The Evolution of Cyber Security Risk Ratings – Jasson Casey, Chief Technology Officer at SecurityScorecard
  • Tracked, Jacked & Extorted: Today & Tomorrow’s Threat Landscape – Timothy Olson, Vice President of Cyber Risk and Breach Response, Symantec

13:00 – 14:00

Lunch at Cambridge Judge Business School

14:00 – 15:30

Parallel sessions 2

Lecture Theatre 1

Chair: Dr Raveem Ismail, Director, (Re)insurance, QOMPLX: Insurance

  • Managing Cyber Risk in Digital Transformation – Stephen Boyer, CTO and Founder, BitSight
  • Cyber Risk Quantification: Risk Dependency and Its Impact on Modeling and Underwriting – Professor MingYan Liu, Chair of Electrical and Computer Engineering, University of Michigan
  • Interdisciplinary Approaches to Cyber Security for Organisations – Dr Jason Nurse, Assistant Professor in Cyber Security, University of Kent

Lecture Theatre 2

Chair: Dave Ruedger, CISO, RMS

  • The Changing Face of Privacy Law and Future Costs of Cyber Liabilities – James Clark, Senior Associate, DLA Piper
  • Changing Workplace Behaviour: Improving the Human Firewalls of Organizations – Stephen Burke, CEO & Founder, Cyber Risk Aware
  • The Future of Cyber Risk Management in Large Organisations – Domenico del Re, Director, PwC UK

Lecture Theatre 3

Chair: Kelly Malynn, Senior Risk Manager, Beazley Group

  • Cyber Insurance in 2025 – Sarah Stephens, FINPRO Cyber, Media & Technology Practice Leader
  • The Cyber Market’s Present and Future Challenges; the Reinsurers’ View and Expectations – Eric Durand, Swiss Re
  • Future Analytics of Cyber Risk Quantification – Dr Christos Mitas, Vice President of Model Development, Risk Management Solutions

15:30 – 16:00

Tea break

16:00 – 17:15

Track Reports and Discussion: Bringing together the Multiple Aspects of the Future of Cyber Risk

The chair of each of the parallel sessions reports back to the plenary attendees about their session. This will be followed by Q&A with the audience and the chairs.

Moderated by: Dr Andrew Coburn

  • Cyber Risk Landscape – Tom Harvey, Head of Cyber Product Management, Risk Management Solutions
  • Cyber Threat Actors – Maria Bada, Research Associate, Cambridge Cybercrime Centre, Cambridge Computer Laboratories, Cambridge University
  • Future Technology and Tools – Vincent Gilcreest, Tenable.io
  • Advances in Security – Dr Raveem Ismail, Director, (Re)insurance, QOMPLX: Insurance
  • Changes in Risk Management – Dave Ruedger, CISO, RMS
  • Cyber Insurance – Kelly Malynn, Senior Risk Manager, Beazley Group

17:15 – 17:30

Concluding Remarks

Simon Ruffle, Director of Research and Innovation, Cambridge Centre for Risk Studies

17:30 – 19:00

Networking Reception

Cambridge Judge Business School

Keynote session

Welcome Address for The Future of Cyber Risk

Professor Daniel Ralph

Academic Director, Cambridge Centre for Risk Studies, and Professor of Operations Research, Cambridge Judge Business School

Professor Daniel Ralph is a Founder and Academic Director of the Centre for Risk Studies, Professor of Operations Research at the University of Cambridge Judge Business School, and a Fellow of Churchill College. Daniel’s research interests include identification and management of systemic risk, risk aversion in investment, economic equilibria models and optimisation methods. Management stress testing, via selection and construction of catastrophe scenarios, is one focus of his work in the Cambridge Centre for Risk Studies. Another is the role and expression of risk management within organisations. Daniel engages across scientific and social science academia, a variety of commercial and industrial sectors, and government policy making. He was Editor-in-Chief of Mathematical Programming (Series B) from 2007 to 2013.

Abstract

Cyber risk has been a topic of research at the Cambridge Centre for Risk Studies since it was founded 10 years ago. Cyber was originally cited as an ‘emerging risk’ – a poorly understood threat to business and the economy that featured in the first published CCRS taxonomy of threats.

The Centre’s research initially focused on developing scenarios to understand the potential for cyber attacks to cause systemic losses across multiple organisations – a poorly understood concept at the time. Over subsequent years, the Centre’s research has explored many different aspects of cyber risk, including categorising causal mechanisms, quantifying loss processes, and monitoring changes in our annual cyber risk outlooks. The Centre’s work on cyber has ranged from applications in supporting the development of the cyber insurance market, understanding risk in critical national infrastructure, potential for cyber to be used by terrorists, and how large businesses should manage their own cyber risk.

At our 10th anniversary, cyber research now forms over a third of the research programme of the Centre. Over that time, cyber risk has transformed and shifted. Loss processes have evolved, different attack technologies have been deployed, and new defence techniques have been developed. The business community has accepted that cyber risk is something that can be assessed at a particular moment in time, and that annual updates of cyber risk are the appropriate outlook for a risk that is this dynamic.

However, the 10th anniversary of the Centre for Risk Studies is also an opportunity to speculate about how the risk could potentially change over the next 10 years. Several of our research partners and community of business supporters have posed questions to us of how organisations should develop strategic multi-year business plans that can be robust against the changes in cyber risk that could potentially occur during the next decade.

This conference is our response to that challenge. We have invited speakers from many different disciplines and areas of cyber expertise. We have brought together practitioners, advisors and risk capital providers to explore the future of cyber risk. We have posed questions to all of the presenters and participants: how might cyber risk continue to change over the next decade? How should businesses plan to accommodate risks to their digital business systems, suppliers, and counterparties in the longer term?

View Andrew’s presentation

Dr Andrew Coburn

Chief Scientist, Cambridge Centre for Risk Studies

Dr Andrew Coburn is Chief Scientist of the Centre for Risk Studies, coordinating the inputs of consumers of research into the Centre’s risk agenda. Andrew is the principal coordinator of the research programme on ‘System Shock’ at the Centre.

Andrew is one of the leading contributors to the creation of the class of catastrophe models that over the past 20 years has come to be an accepted part both of business management in financial services and of public policy making for societal risk. He has extensive experience in developing models and using them for business decision support. Andrew has also provided research inputs into government policy, such as US Congressional legislation on terrorism risk management policy and urban planning for disaster mitigation in Mexico, Metro Manila, and Southern Italy.

Visit Dr Andrew Coburn’s profile

Abstract

We recently revisited our highly cited 2012 paper on “Counting the Cost of Cyber Crime” and found that in seven years the world has seen huge changes, with the smartphone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows as the most popular operating system, and with many services moving to the cloud.

Nevertheless, the overall pattern of cyber crime is remarkably little changed with the big losses still being in tax benefit and welfare fraud and the amount we are spending to defend against all those exotic new “cyber” threats far exceeding the actual cost of the crimes. Naturally there are new cyber crimes to worry about including ransomware and Business Email Compromise (and old crimes that have almost disappeared), but perhaps the most interesting questions concern whether we view the deployment of cyber-weapons such as the NotPetya worm as crimes rather than collateral damage from undeclared wars? In this talk I gallop through what is currently going on and what is going to determine whether cyber crime becomes more or less important in the next few years.

Predictions are far too hard to do, especially of the future, but it’s reasonably easy to start to learn how to think rationally about threats, threat actors, how to avoid being a victim and what institutional changes we need to see to make us all safer.

View Richard’s presentation

Dr Richard Clayton

Director of Cambridge Cybercrime Centre, Cambridge Computer Laboratories, University of Cambridge

Dr Richard Clayton is a software developer by trade, having run a software house that created operating systems and word processors used by millions in the 1980s. In 2000 Richard returned to Cambridge to study for a PhD and he has stayed on as an academic because “it is more fun than working”. He is the Director of the Cambridge Cybercrime Centre, based in the Computer Laboratory, leading an interdisciplinary team that not only researches cybercrime itself but also creates enormous datasets that allow other academics to do their own cybercrime research with real-world data.

Expecting Strategic Surprise: How the Threat Could Evolve, and Issues for Our National Response

Conrad Prince

RUSI Distinguished Fellow and Senior Adviser Pool Reinsurance; formerly Director General for Operations GCHQ, and UK Cyber Ambassador

Conrad Prince served from 2008 to 2015 as the Director General responsible for the intelligence and cyber operations conducted by Britain’s signals intelligence and cyber security agency, the Government Communications Headquarters (GCHQ). In March 2015 Conrad was appointed the first UK Cyber Ambassador, a post he held until February 2018, when he left Government service. As UK Cyber Ambassador he provided strategic advice to a range of partner governments on establishing national cyber security strategies and capability programmes. On leaving Government service Conrad took up a range of advisory roles relating to cyber and security, including as a senior adviser to Pool Reinsurance. He is a Distinguished Fellow at the UK think tank the Royal United Services Institute, and their senior cyber adviser.

Cyber Risk Landscape

What are the key emerging topics in cyber risk? How can organisations best prepare for long-term cyber resilience? This session explores the current and future cyber risk landscape.

Chair

Tom Harvey

Head of Cyber Product Management, Risk Management Solutions

Tom Harvey leads product management for the RMS cyber model, having joined the company six years ago. In 2016 he worked alongside the University of Cambridge’s Centre for Risk Studies and a team of industry partners to define and release the industry’s first cyber exposure data standard. He has since partnered with many of the leading cyber insurers to improve their quantification of cyber risk and managed the development of the industry’s first probabilistic cyber catastrophe model.

Prior to joining RMS, Tom was at Hewlett Packard Software (HPS) in the European consulting team, working closely with several FTSE 100 companies within the energy and finance sectors to support the adoption of HP’s IT management and security products. Tom holds a BSc (Hons) from the University of Leeds in Biochemistry and Bio-informatics.

Presentations

Abstract

A brief overview of three emerging topics in cyber risk, all in need of quantification, and with the potential for disrupting the current norms.

View Erin’s presentation

Erin Burns

Concinnity Risks

How can technology bring people together offline and improve lives? That is what Erin tries to answer through her ideas, projects, and explorations of technology. Community drives her passion for technology. To that end, she developed Extraqueericular.com, an online platform connecting the LGBTQ+ community to LGBT-friendly services and events. Her interests lie in web application development and security. You can follow her on Twitter.

Abstract

You can’t know that something will work in a certain scenario until you test it. But how can you test your cyber resilience plans to give you assurance? Drawing on Aon’s experience of multiple facets of war gaming, conducting simulations and exercising scenarios we will explore ways to approach the problem – from looking at scenarios from the financial perspective, to exercising plans at the management or board level, to limited or full scale simulations and tests.

We will draw on our experience from numerous cyber risk engagements and matters with clients, and discuss war stories of how the unexpected and unforeseen will often be teased out via the process of scenario-based simulation.

View Justin’s presentation

Justin Clarke-Salt

Managing Director, Cyber Security, Aon Cyber Solutions

Justin Clarke-Salt is a Managing Director in Aon’s Cyber Solutions. He is in charge of Aon’s proactive business development and partnership efforts for the Security Advisory and Security Testing practices for EMEA (formerly parts of Stroz Friedberg and Gotham Digital Science). Justin also oversees the Red Team services and capability development within the firm, as well as directly overseeing individual client engagements globally in his role as a CREST Certified Simulated Attack Manager (CCSAM) for regulatory Red Team testing such as CBEST, iCAST, and TIBER.

Justin has more than 21 years of experience providing organisations with security and risk management services. He is an internationally recognised expert in the field of information security. He has assisted Fortune 500 and FTSE 250 corporations with information security assessment and advisory services, including the management and running of compliance focused security testing programmes for some of the largest financial services organisations in the world.

Justin is a published author in the areas of application and network security, including as the lead author/technical editor of SQL Injection Attacks and Defenses (Syngress 2009, 2nd Edition 2012), co-author of Network Security Tools (O’Reilly 2005), and a contributing author to Network Security Assessment, 2nd Edition (O’Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. Justin is also an active member of OWASP, having recently stepped down from chairing the OWASP London chapter for over seven years.

Abstract

The cyber risk landscape changes daily, making projections about tomorrow difficult, let alone the next 10 years. The variable nature of cyber risk means that its potential futures can fall anywhere from a ‘cybergeddon’ to a ‘cybertopia’. This presentation aims to give attendees insight into the variables that are key to determining which of these futures is developing.

View Jennifer’s presentation

Dr Jennifer Daffron

Cyber Research Lead, Cambridge Centre for Risk Studies

Dr Jennifer Daffron is the Cyber Research Lead at the Cambridge Centre for Risk Studies. Her research interests include defining and exposing cyber threat vulnerabilities on organisational and human behavioural platforms. Jennifer holds a PhD in Experimental Psychology from the University of Cambridge.

Cyber Threat Actors

What are the risks of responding to cyber extortion? How might game theory be applied to cyber security? This session explores the nature of cyber threat actors.

Chair

Maria Bada

Research Associate, Cambridge Cybercrime Centre, Cambridge Computer Laboratories, Cambridge University

Maria Bada is a Research Associate at the Cambridge Cybercrime Centre, at the Computer Laboratory of Cambridge University. Within this role her research focuses on the human factor in cyber crime, studying the profiles, pathways and psychologies of cyber criminals. Additionally, she is looking at the social and psychological impact of cyber-attacks and the effectiveness of cyber security awareness campaigns trying to identify factors which potentially lead to failure of these in changing the information security behaviour of consumers and employees. She is a member of the National Risk Assessment (NRA) Behavioural Science Expert Group in the UK, working on the social and psychological impact of cyber-attacks on members of the public. Moreover, she is a member of the Steering group of the London Digital Security Centre, launched by the Mayor of London as a joint venture with the Metropolitan Police and City of London Police, and a member of Europol EC3. She is a member of the British Psychological Society and the British Counselling Society.

Presentations

Abstract

Kivu has over four years’ experience negotiating with attackers in over 700 cyber extortion engagements. While traditional extortion risks are typically focused on negotiating the size of the demand (once the criminals have provided “proof of life” or confirmed their ability to cause damage), negotiating with cyber extortionists, and assessing the merits of paying ransoms, involve unique variables including: (i) the ability of the hackers themselves to assist in recovery of the victim’s data or network; (ii) the global variety of cyber attackers’ motivations, languages, cultural differences, and own risk appetite; (iii) collateral and unintended damage caused by cyber attackers which may negate the value of paying ransoms; (iv) the diverse cyber criminal ecosystem whereby amateur “grey hats” rub shoulders with organised criminal gangs; and (v) the possibility of hackers triggering further damage, or that extortion may mask a secondary, more damaging cyber-attack. This presentation will review current attack models, attacker profiles and negotiation pitfalls; how hackers and their methodologies have changed over the last four years, leading to changes in assessing the risks in responding to cyber extortion; past, current and prior motivations for hackers involved in cyber extortion; and how the cyber extortion ecosystem may evolve in the face of geopolitical changes, law enforcement priorities, pressure from the private sector/insurance markets, and developments in investigatory tools and cryptocurrency.

View Winston’s presentation

Winston Krone

Managing Director of Kivu Consulting, Kivu Europe

Winston Krone is the Global Managing Director of Kivu Consulting, an international technology firm specialising in the forensic response to data breaches and proactive IT security compliance and risk reduction. Winston has handled hundreds of incidents globally in healthcare, professional services, education and financial institutions. He has frequently testified as a cyber expert in post-breach litigation – including as expert for Uber in their 2015 data breach, and as an expert for Apple in multiple class actions alleging privacy violations – and has presented his findings to regulators in the US and UK. Winston is both an English solicitor and California attorney, receiving his law degree from Oxford University. Since 2017, Winston has been based in Amsterdam, supervising Kivu’s EU operations, and working with the London insurance market on innovative risk reduction solutions.

About Kivu: With offices in the US, Canada, London and Amsterdam, Kivu is a pre-approved cyber forensics vendor for all leading North American and European insurance carriers, with a particular expertise in ransomware and cyber extortion.

Abstract

From amateur juveniles to elite state-sponsored groups, hacking is an adversarial contest over cyber security. The challenge for any cyber threat actor is the same: to pursue a strategy to maximise their objectives, subject to the defensive strategies of their targets. As these strategies change, so the threat shifts accordingly. This adversarial contest defines a game, and a general conceptual framework is provided by game theory. Applications of game theory to cyber security are reviewed, and the future implications for collective cyber security discussed.

View Gordon’s presentation

Dr Gordon Woo

Catastrophist, Risk Management Solutions

Dr Gordon Woo is an internationally recognised expert on risk management, with a particular focus on man-made catastrophe risks. In 2004, Newsweek magazine described Dr Gordon Woo as one of the world’s leading catastrophists. He has 30 years of experience in catastrophe risk consultancy, advising financial institutions, governments and major corporations.

His involvement in cyber risk extends back a decade to April 2009, when he was invited to address the Singapore Island Forum, organised on behalf of the Singapore government, focusing on cyber risk. Since then, he has researched extreme cyber risk using the framework of counterfactual risk analysis, which he pioneered for terrorism.

A top mathematics graduate at the University of Cambridge, he completed his PhD at MIT as a Kennedy Scholar, and was a member of the elite Harvard Society of Fellows. He also has a postgraduate Cambridge degree in computer science.

He is an adjunct professor at Nanyang Technological University, Singapore, and a visiting professor at University College London. He is the author of two books published by Imperial College Press: The Mathematics of Natural Catastrophes and Calculating Catastrophe. He is also a co-author of Solving Cyber Risk, published by Wiley.

Abstract

What led me into a life of paranoia, fear and interaction with law enforcement. The journey from the dark into a life of giving back and helping prevent others from making the wrong cyber choices.

View Mike’s presentation

Mike Jones

Security Researcher

Mike Jones (sting3r) has a background in cryptology. He has performed numerous penetration tests for various industries such as the Department of Defense, major financial institutions, casinos, telecoms, and various others. Mike has developed exploit techniques, both network- and app-based as well as physical. Mike’s experience has been on both sides of security, as a long-term member of various hacking groups and APT nation-state groups. His experience was refocused to helping industries protect themselves. The key to a good defence is to know who you’re defending against.

Future Technology & Tools

What are the implications of an increase in Internet of Things devices for cyber security? How might companies defend critical business assets from cyber attack? This session explores future technology and tools.

Chair

Vincent Gilcreest

Director of Data Services, Tenable.io

Vincent has worked in Tenable for the past two years. He is responsible for how Tenable processes, stores and ultimately uses data. This has involved developing a petabyte scale data science platform to facilitate the generation of insights and application of machine learning to tackle some of the biggest challenges facing our industry. His current focus is on how to develop models that capture a customer’s cyber exposure. Prior to Tenable, he worked in the Gaming industry for eight years applying machine learning to develop customer behavioural models. His educational background is in Chemistry (BSc), Physical Chemistry (PhD) and Statistics (MSc).

Presentations

Abstract

In 2019 very few companies can operate without the Internet, but there are still companies and institutions that operate without a team that defends their (critical) business assets. The Internet is full of mentions of different coloured teams from white to black. It is generally known that red depicts the “tactical” enemy, and in the context of cyber defence the defending team is referred to as the Blue Team. The presentation will cover red teaming on production cases from companies who have been brave enough to test out the real security of their systems, personnel and entire business assets from both sides.

View Sille’s presentation

Sille Laks

Cyber Security Expert, Clarified Security

Sille works for Clarified Security, an Estonian company focused on delivering practical security services such as red teaming on production and cyber range exercises, manual penetration testing and hands-on security courses. She is, among other things, responsible for “making magic happen”, but mainly for organising and coordinating red team exercises and project management. She is also a trainer for the operational side of incident response.

Before joining the team, she was responsible for incident response and reporting at national and international level (including both large-scale cyber attacks in 2017) and for organising both technical cyber security seminars and end-user awareness-raising campaigns at CERT-EE. Before operational incident response she worked on escalations and fraud prevention in a large international corporation.

She has participated in the largest live-fire cyber exercise Locked Shields as both Blue Team and Red Team member and as a Blue Team member at a large number of national and international cyber range and tabletop exercises.

Sille holds a MSc degree in Cyber Security from Tallinn Technical University and a BA degree in Business and Public Management from Tallinn University and is currently obtaining a MA in Communication Management.

Abstract

Cyber risk ratings have steadily evolved over the last six years, shifting from scoring approaches using off-the-shelf vulnerability scanners to frameworks built with machine learning. Jasson Casey shares the evolution of developing scores, including initial ideas, setbacks and breakthroughs.

This session will discuss the composition of a cyber security risk rating, how an enterprise IT team’s behaviour manifests itself to the outside world and ways in which behaviour translates to cyber security risk for the business.

View Jasson’s presentation

Jasson Casey

Chief Technology Officer at SecurityScorecard

Jasson Casey serves as Chief Technology Officer at SecurityScorecard and is responsible for product management, engineering, research, and platform operations. Jasson has 20 years of experience delivering security and networking products to all markets and customer types, including global enterprises and carriers. He also serves as a Fellow in Cyber Security with the Center for Strategic and International Studies (CSIS), and as Advisor to IronNet Cybersecurity, a security startup founded by Gen. (Ret) Keith Alexander.

Prior to joining SecurityScorecard, Jasson was VP of Engineering at IronNet Cybersecurity and oversaw development of the vendor’s revolutionary collective intelligence platform and pioneered new approaches to total network observability, including limitless wirerate packet capture with truly elastic retention abilities, and a complementary stack of trusted streaming and batch data analytics. He also brings a long history of innovation advocacy for Software-defined Networks (SDN) through his work founding and leading Flowgrammable, and serving as a member of the Software Leadership Council at the Open Networking Foundation. Previously he held roles in product management, business development and engineering with CenturyTel (CenturyLink), Level3 (CenturyLink) and Alcatel (Nokia).

Jasson has a BSEE from the University of Texas at Austin and is a PhD candidate in electrical engineering at Texas A&M University.

Abstract

Acknowledged or not, we’re all on a daily journey deep into cyber space. We think we know the path and perils ahead. But, if we’re honest with ourselves, we don’t have a clue.

The latest cyber security threats are impressive – supply chain attacks, ransomware, cryptojacking, formjacking and tax fraud. Responding to a data breach involves legal, compliance and notification obligations, all within an environment analogous to an emergency room visit.

As threat vectors widely vary – from nation-state sponsors to bad actors in basements – we think we know what a cyber-attack looks and feels like. However, attacks in the future will be a lot more personal.

Consider your home or office and how the number of devices has increased that touch everything imaginable. The proliferation of IoT devices is unlimited – all with their own IP addresses acting as a gateway for fraudsters.

What’s next? Simply everything. From toys to umbrellas, and the biggest endpoint of all – cars. All will have a chip that connects to the internet with extremely high bandwidth, especially with the roll out of 5G.

Admittedly, we are asked to make intricate technology choices every single day. Those choices are becoming more difficult – even for those who are technically savvy. But even sophisticated individuals have human tendencies and behave, well, like humans. That means mistakes are made and people become the critical linchpin of a successful hack.

Making daily cyber security decisions is the new normal. Everyone should comply with cause and clarity. Sadly, most don’t. Those who rely on denial, hope or prayer far too often become the latest victims to be tracked, jacked or extorted.

To our passengers on this journey into cyber space, welcome to cyber crime. It’s going to be one hell of a ride.

View Timothy’s presentation

Timothy Olson

Vice President of Cyber Risk and Breach Response, Symantec

Timothy Olson is Vice President of Cyber Risk and Breach Response for Symantec, a world leader in cyber security (www.symantec.com). Symantec helps organisations, governments and people protect their digital lives at home and across their devices.

Tim is responsible for Symantec’s global cyber risk and breach response practice, leveraging its suite of Norton and LifeLock products. Operating one of the largest civilian cyber intelligence networks, a global community of over 50 million people, allows Symantec to see and protect against the most advanced threats.

Tim is considered one of the foremost experts in breach response in the US and since 2004 he has personally supported thousands of organisations’ data breach events – many of the largest and most publicised in US history, including Boeing, Bank of America, Target and The Walt Disney Company.

He has also assisted with many US government-related breach events, such as those at the Federal Trade Commission, Internal Revenue Service, Veterans Affairs, State Department and the National Archives – to name a few.

Prior to Symantec, Mr Olson was Vice President of Experian (www.experian.com), where he launched Experian’s breach response practice, growing it into the dominant provider in the US and UK with over $150 million of annual revenue.

Tim also served as General Manager within Experian’s consumer business unit, responsible for its strategic accounts including Google and Facebook. In this role, he developed new business channels that exceeded $500 million in annual revenue. Additionally, Tim spearheaded work for Experian in the emerging markets of Brazil and India.

Tim is a graduate of Brigham Young University, Provo, Utah, where he attended the Marriott School of Management. He is fluent in German and is an FAA-certified private pilot. Tim has received numerous professional awards, including being a finalist for the Ernst & Young Entrepreneur of the Year. He was also a member of the Board of Directors of the Maricopa Integrated Health System.

Tim and his wife Kristen reside in Arizona and have six children and 16 grandchildren.

Advances in Security

What are the challenges and opportunities of digital transformation? How might organisations benefit from interdisciplinary approaches to cyber security? This session explores advances in security.

Chair

Dr Raveem Ismail

Director, (Re)insurance, QOMPLX: Insurance

Raveem built and led the insurance team at QOMPLX, and now heads up QOMPLX’s MGA. This is an analytically enabled venture, writing cover for SMEs against disruption from anthropogenic perils such as cyber and terrorism. He was previously Specialty Treaty Underwriter (terror and cyber) at Ariel Re (Bermuda), chair of the Reinsurance Special Interest Group of the EU COST Action IS1304 on Structured Expert Judgement, Terrorism & War Underwriting Analyst at Validus, and terrorism model lead at Aon Benfield’s Impact Forecasting. Raveem is a triple graduate of Oxford University, and constantly strives to raise the bar for scientific and analytical decision making in (re)insurance.

Presentations

Abstract

Digital transformation is disrupting the way the world does business. A convergence of connected technologies is allowing global business to be done at unprecedented speed – in fact, investment in digital transformation is consuming up to 40 per cent of all IT spend. However, as the world becomes more connected, data becomes more vulnerable. Spending on cyber security is not keeping pace with spending on new technologies, putting organisations at risk of more frequent and far-reaching breaches. As organisations look at their digital transformation initiatives, security needs to be a core component of the strategy, instead of an afterthought. Join this session to hear from Stephen Boyer, CTO and Co-Founder of BitSight, as he talks through the challenges and risks of digital transformation, and provides unique insights around mobile security, the latest BlueKeep vulnerability and the future of cyber insurance.

View Stephen’s presentation

Stephen Boyer

CTO and Founder, BitSight

Stephen co-founded BitSight in 2011 and serves as the Chief Technology Officer. Prior to founding BitSight, Stephen was President and Co-Founder of Saperix, a company that was acquired by FireMon in 2011.

While at the MIT Lincoln Laboratory, Stephen was a member of the Cyber Systems and Technology Group where he led R&D programs solving large-scale national cybersecurity problems. Before MIT, he worked at Caldera Systems, an early Linux startup.

Stephen holds a bachelor’s degree in Computer Science from Brigham Young University and a Master of Science in Engineering and Management from the Massachusetts Institute of Technology.

Abstract

Risk dependency induced by complex vendor relationships among businesses is one of the unique features and challenges in quantifying cyber risks. This talk will take a look at two aspects of this challenge, the first on ways of modeling dependent risks, and the second on what impact it has on underwriting cyber-insurance policies. Specifically, using a base rate insurance policy framework, we show that there is an opportunity for an underwriter to better control the risk dependency and the risk spill-over, ultimately resulting in lower overall cyber risks across its portfolio.

View Mingyan’s presentation

Professor Mingyan Liu

Chair of Electrical and Computer Engineering, University of Michigan

Mingyan Liu is the Chair of Electrical and Computer Engineering at the University of Michigan, Ann Arbor, where she has been a professor of Electrical Engineering and Computer Science since 2000. She received her MSc degree in systems engineering and PhD degree in electrical engineering from the University of Maryland, College Park, in 1997 and 2000, respectively. Her research interests are in optimal resource allocation, sequential decision theory, incentive design, and performance modelling and analysis, within the context of large-scale networked systems. Her most recent research activities involve online learning, modelling and mining of large scale Internet measurement data and the design of incentive mechanisms for cyber security. She is the recipient of the 2002 NSF CAREER Award, the University of Michigan Elizabeth C. Crosby Research Award in 2003 and 2014, the 2010 EECS Department Outstanding Achievement Award, the 2015 College of Engineering Excellence in Education Award, the 2017 College of Engineering Excellence in Service Award, and the 2018 Distinguished University Innovator Award. She is a Fellow of the IEEE and a member of the ACM.

Abstract

Cyberspace has had a tremendous impact on society. It has influenced everything from governments and market economies, to global trade, travel, and communications. As organisations have sought to take advantage of the internet and its large-scale connectivity, they have also inadvertently opened themselves to a range of risks, particularly the pervasive nature of cyber risk. In this talk, I discuss the notion of cyber risk and the significant challenges it can pose to organisations. The talk then makes the argument for more interdisciplinary approaches to cyber security, and the value that they can contribute in protecting businesses. To evidence this point, I focus on three examples of interdisciplinary efforts that have led to enhanced security postures. The first considers the persistent issue of corporate insider threat, and seeks to demonstrate how psychology (including aspects of personality and behaviour) can be integrated into detection mechanisms. In the second, I look at why cyber security awareness campaigns fail to reach individuals and change behaviour, and the importance of incorporating cultural and organisational factors. Finally, I explore the new topic of cyber-harm and discuss its value in supporting cyber risk planning within enterprises, and its use for cyber-insurers in better modelling the impacts of cyber-attacks.

View Jason’s presentation

Jason Nurse

Assistant Professor in Cyber Security, University of Kent

Dr Jason R.C. Nurse is an Assistant Professor in Cyber Security at the University of Kent. He is also a Visiting Academic at the University of Oxford, a Visiting Fellow in Defence and Security at Cranfield University, and a professional member of various associations relating to cyber security research and practice. His research concentrates on investigating interdisciplinary approaches to enhance and maintain cyber security for organisations, individuals and governments. This considers the full spectrum of technologies in use today and encompasses topics such as human aspects of security, dimensions of cyber crime, identity security in cyberspace, privacy and security in the internet-of-things, and fake news and rumours on social media. Prior to joining Kent in 2018, Dr Nurse was a Research Fellow at the University of Oxford for seven years. For his research into the interdisciplinary aspects of cyber, Dr Nurse was nominated as a Rising Star within the UK’s EPSRC RISE Awards Campaign.

Changes in Risk Management

What is the likely future path for the regulation of cyber security? This session explores the changing risk management landscape.

Chair

Dave Ruedger

CISO, RMS

Dave is the Chief Information Security Officer for Risk Management Solutions, based out of Newark, CA. Dave holds CISSP and CRISC certifications and has over 25 years of experience developing and managing security programmes for organisations as diverse as pre-IPO startups and large Fortune 500 enterprises. In addition, Dave spent over a decade providing a secure platform for consumer data collection and analytics that drove the distribution of targeted marketing content online.

Presentations

There has been a significant recent increase in the maturity and complexity of privacy laws around the world – beginning most significantly with the introduction of GDPR in Europe, and now continuing with its spread to countries as diverse as the United States, Brazil and India. Data security – and related obligations to notify and respond to breaches of data security, including those caused by cyber-attacks – is a core feature of many of these laws, as well as of the more sector-specific regulations which are emerging alongside the general privacy laws. This talk will plot the likely future path for the legal regulation of cyber security. In that context, it will examine the different forms of liability – such as regulatory enforcement, claims from affected individuals and contract counterparties, as well as the indirect costs of a legal security breach – which the laws create, and how each of these may change in significance as the laws bed in.

View James’ presentation

James Clark

Senior Associate, DLA Piper

James is a member of the Data Protection, Privacy and Security team and undertakes a wide range of information law work including data protection, e-commerce, cyber security, direct marketing and freedom of information.

James is the co-editor of the popular DLA Piper Data Protection Laws of the World Handbook and a regular speaker at external conferences and events. He has an international client base, and particular interest and expertise in the Insurance and Life Sciences sectors.

In a cyber security context, James provides advice to clients on data breach management, including advising on cross-border notification mandates and managing privileged engagement with third party security consultants.

Changing Workplace Behaviour: Improving the Human Firewalls of Organisations

View Stephen’s presentation

Stephen Burke

CEO & Founder, Cyber Risk Aware

Stephen is a former Chief Information Security Officer (CISO) in the financial services and insurance/reinsurance sectors with over 20 years’ experience in IT and security roles. He founded Cyber Risk Aware in 2016, having consistently found that cyber criminals were targeting people, not systems. Stephen firmly believes that staff are the greatest security asset in a company and are not the weakest link, as so many others would have you believe. An effective information security programme must include a human-centric approach, otherwise it will fail.

Abstract

How can the cyber risk management function be fit for the business threats that lie ahead? Digital strategies are transforming the way corporations are doing business and disrupting traditional revenue models. Technology is king, so investments and talent are firmly on the strategic spending plans. In this session we will present voices from the market on creating a risk function that can stay abreast of the technological transformation, to deliver resilient and secure customer experience and business operations. We will provide examples of where this has succeeded and what this means about the future of the cyber risk management function.

View Domenico’s presentation

Domenico del Re

Director, PwC UK

Dom is a Director at PwC’s UK Firm. He leads the work in EMEA supporting clients on the topic of Cyber Risk Management and Quantification. His clients include corporations managing their operational resilience and financial exposure to cyber events, as well as insurance companies seeking better understanding of the cyber risks in their portfolio liabilities.

Dom has a deep technical background in risk management and the development of modelling approaches for complex risks. With a team of cyber experts, actuaries and risk modellers, he supports companies around their exposure and management of cyber risk. Dom has helped companies to quantify their cyber operational risk capital requirements, their cyber insurance purchasing needs, and shown the benefit of quantification frameworks to support board risk reporting and cyber security investment decisions. Dom has an engineering and modelling background, and was previously employed for a risk modelling vendor firm.

Cyber Insurance

How might cyber insurance change in the next decade? In what ways can organisations manage their cyber risk in a changing threat environment? This session explores the future of cyber insurance.

Chair

Kelly Malynn

Senior Risk Manager, Beazley

Kelly is a Senior Risk Manager at Beazley and for the last five years has had a specialist focus on cyber risk and innovation across all classes of business, most recently developing Beazley’s affirmative physical damage marine hull product.

She is responsible for providing cyber risk assurance to the board on the systemic aggregation potential, emerging risks, exposure management and capital provisions. She is also responsible for the implementation of the Beazley strategic initiative on client experience and chair of the environmental working group under the responsible business committee.

She has been at Beazley since 2009, has 20 years of London Market experience and is a member of the LMA’s Cyber Strategy Group which operates under the LMA Board.

Presentations

Cyber Insurance in 2025

View Sarah’s presentation

Sarah Stephens

FINPRO Cyber, Media & Technology Practice Leader

As part of Marsh JLT Specialty’s London-based FINPRO, Sarah and her team, based in London and throughout Europe, work directly with our clients and network colleagues to make sense of cyber, technology, and media E&O (PI) risks, and create leading edge bespoke insurance solutions in the London and European market.

Prior to joining pre-acquisition JLT in 2015, Sarah spent 12 years with Aon in a variety of roles. Most recently, Sarah was Aon’s Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions. Previously, Sarah spent seven years with Aon’s US cyber and errors & omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the account management group working with large clients and developing a keen eye for excellent client service.

Sarah received a Bachelor of Arts with Distinction from Duke University in Durham, North Carolina in 2002, and earned an Associate in Risk Management (ARM) Certification in 2005. She is a member of the Professional Liability Underwriting Society, and formerly part of the Northern California Chapter Steering Committee and chair of the Europe Chapter Steering Committee. She currently serves on the Cyber Insurance Curriculum Advisory Board.

Abstract

There is both a clear need for corporates of all sizes and an obvious interest by the insurance industry to develop a sustainable cyber market. Such a development goes hand in hand with managing the cyber risk and developing a profitable book of cyber insurance products and services.

In this context, the question of the “insurability of cyber” immediately emerges, which can only be answered by decomposing the issue into solvable parts. To understand the magnitude and complexity of the problem it helps to first define four pillars consisting of IT-Security breaches, IT-System failures, (IT)-Human errors and Algorithmic Risk, all of them accompanied by an inherent Human Factor. Then, workable challenges are specified. The presentation goes through these main challenges, from a proper definition of what is really “cyber” to the difficulties of developing coherent accumulation models and tools, by way of the often-cited lack of data and the almost unsolvable issue of the lack of fortuitousness.

Looking into the future, the presentation discusses developments needed to harness some of the coming changes in the cyber insurance environment, considering the varied needs and possibilities of players of very different sizes and exposures and suggesting a proper sharing of responsibilities.

View Eric’s presentation

Eric Durand

Swiss Re

Eric Durand joined Swiss Re in 1990 as a research scientist in the Natural Perils team, developing new analysis and simulation models for European storms and their effect on insured portfolios. He then worked for Swiss Re Australia as a cat specialist and underwriter for a period of two years before returning to Zurich to take over the leadership of a group of Property/Casualty treaty underwriters.

In 2002 he was appointed to SR-Iberica in Madrid as Chief Underwriting Officer for the Iberian Peninsula, before returning three years later to Zurich as Underwriting Manager Treaty Property. In 2014 Eric transitioned to Swiss Re’s Group Underwriting to lead the newly created Cyber Center of Competence and to coordinate the company’s efforts with regard to Cyber activities. He also leads Swiss Re’s project on Solar Storms and their effect on the bulk power grid.

Eric Durand grew up in Neuchatel (Switzerland) and after spending a senior high school year in Michigan (USA) graduated in Electrical Engineering at the ETH in Zürich. He holds a PhD from the same institution in Biomedical Engineering.

Abstract

Cyber risk is changing all the time. Recent years have seen shifts in the business models and techniques of cyber criminals – putting more of their efforts into ransomware attacks than stealing personal data – as well as changes in the security technology available, a growing political dimension to cyber attacks by one country on another, and legal and regulatory framework changes that make it more expensive for organisations to deal with their cyber events.

To help organisations manage their risk in this changing landscape, RMS updates its cyber risk model each year, with reparameterisations to incorporate new trends.

Business executives however need to plan for multiyear investments, returns on capital, and longer-term assessments of risks to their business strategies. Assessing how cyber risk will change over the next five to ten years is a challenge, but one that can be planned for and that should underpin enterprise risk management. A strategy that plans for a continuation of the current trends is likely to experience strategic surprise – a sudden change in the risk landscape for which the business will be unprepared.

Strategic surprise in cyber risk could occur with a sudden increase in the number of threat actors, or a rapid advance in their capabilities. It could occur with major technology advances such as artificial intelligence or quantum computing, rendering encryption obsolete. New methods of monetising information could be discovered by hackers, just as new businesses are trying to do in the legitimate economy. State-sponsored cyber teams could change their rules of engagement to focus on commercial targets. A range of different possibilities needs to be considered to enable organisations to manage their cyber risk in a changing threat environment over the next decade.

View Christos’ presentation

Dr Christos Mitas

Vice President of Model Development, Risk Management Solutions

Based in London, Christos leads RMS’ Climate Hazards-Dry and Cyber Risk modelling teams researching and developing modelling frameworks and solutions for the reinsurance industry.

He has worked at RMS since 2006 developing mathematical models of catastrophic risk from natural and man-made perils, including the Cyber Accumulation Management System (2016, 2017), Cyber Solutions (2018), typhoon models for South Korea and Taiwan (2016), probabilistic flood maps for Taiwan (2015) and South Korea (2014), the European wind storm model (2011), and the North America winter storm model (2008). He has also researched and developed efficient and scalable computational modelling frameworks.

Before joining RMS, Christos worked as a post-doctoral Associate and an Assistant Scientist at the University of Miami’s Rosenstiel School of Marine and Atmospheric Science (RSMAS) from 2003 to 2006. He holds a PhD in Atmospheric Sciences from the Department of Atmospheric Sciences of the University of Illinois at Urbana-Champaign. He earned an MSc degree from the Department of Atmospheric Sciences of the University of Wyoming. Christos’ bachelor’s degree in Mathematics is from the Aristotle University of Thessaloniki, Greece.

Photos from the conference

View the photo album on Flickr