Larry Clinton President lclinton@isalliance.

org 703-907-7028

ISA Board of Directors

Ty Sagalow, Esq. Chair, Executive Vice President & Chief Innovation Officer, Zurich North America Tim McKnight, 1st Vice Chair, Vice President & Chief Information Security Officer, Northrop Grumman Jeff Brown, Secretary / Treasurer, Vice President, Infrastructure and Chief Information Security Officer, Raytheon Pradeep Khosla, Founding Director of Cylab, Carnegie Mellon University Marc Sachs, Vice President Government Affairs, Verizon Lt. Gen. Charlie Croom (Ret.), Vice President Cyber Security, Solutions Lockheed Martin Eric Guerrino, Managing Director Systems and Technology, Bank of New York Mellon Joe Buonomo, President, DCR Bruno Mahlmann, Vice President Cyber Security Division, Dell Kevin Meehan, Vice President Information Technology & Chief Information Security Officer, Boeing Rick Howard, iDefense Manager, VeriSign Justin Somaini, Chief Information Security Officer, Symantec Gary McAlum, Chief Security Officer, USAA Paul Davis, Chief Technology Officer, NJVC Andy Purdy, Chief Cybersecurity Strategist, CSC John Havermann, II, Vice President & Director, Cyber Programs , Intelligence & Information, SAIC

ISA Mission Statement

ISA mission is to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

The Internet Changes Everything

Concepts of Privacy Concepts of National Defense Concepts of Self Concepts of Economics We have been focused on the HOW cyber attacks we need to focus on the WHY ($) Cyber security is an economic/strategic issue as much operational/technical one

Cyber Security Economics are Skewed

Responsibility, costs, harms and incentives are misaligned Individual and Corporate Financial loss Core investment is undermined by edge insecurity Gov & Private Sector differ perspectives on Risk Enterprises are not structured to properly analyze cyber risk (ANSI-ISA study)

We are not cyber structured

In 95% of companies the CFO is not directly involved in information security 2/3 of companies dont have a risk plan 83% of companies dont have a cross organizational privacy/security team Less than have a formal risk management plan1/3 of the ones who do dont consider cyber in the plan

ANSI-ISA Program
Outlines an enterprise wide process to attack cyber security broadly and economically CFO strategies HR strategies Legal/compliance strategies Operations/technology strategies Communications strategies Risk Management/insurance strategies

What we do know is all bad

All the economic incentives favor the attackers, i.e. attacks are cheap, easy, profitable and chances of getting caught are small Defense inherently is a generation behind the attacker, the perimeter to defend is endless, ROI is hard to show Until we solve the cyber economics equation we will not have cyber security

Bad News and Good News

Bad: The situation is getting worse Good: We know how to stop/mitigate 80 to 90% of cyber attacks Bad: Although attacks are up, investment is down in 50-66% of American firms (PWC/CSIS/)

Regulation is not the answer

Compliance (not security) already eats up much of the security budget Specific regulations cant keep up with attacks Vague regulations show no effect Regulations increase costs uniquely for American companies Regulations can be counter productive ceilings (Campaign Finance)

Obamas Cyber Space Policy Review

If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentivebased legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership. --- Presidents Cyber Space Policy Review May 30, 2009 page 18

Current DC Activity
No bills had cyber insurance provisions in last Congress New Congress White House Senate House

New Attention to Cyber Insurance

WH Conference with ISA on cyber insurance last spring House Homeland Security Committee considering cyber SAFETY Act Senate Commerce Committee set of questions on cyber insurance for new bill---meetings to follow

WH Perspectives 6 Reasons Market Has not responded

1. Companies not being charged for all their inputs and not being paid for outputs 2. Insuffiecent motives for long term 3. Lack of information for comparative market choices 4. Markets must be seeded with products 5. Misalignment from Gov regs & litigation 6. Entry barriers cause lack of alternatives

Congress Questions
1. How does insurance factor material risl in underwriting trad. Commercial policies? 2. Do traditional policies cover damage/loss of IP or interuption from cyber events? 3. Is cyber typically excluded from D&O, prop/liability? How do Cts view these? 4. Are carriers clear @ policy limits? 5. What standards are used to assess cyber risk? How is compliance measured?

Congress Questions
6. What kind of insurance for D & O who must meet Payment Card security stand.? 7. What are the hurddles to developing cyber risk insurancehow overcome? 8. Are problems with expanding cyber insurance similar to crop/flood? 9. How can fed govt help create more acc data for the industry?

Congress Questions
10. What impact would come from SEC clarification on material cyber risk ? 11. What is impact of use of untrustworthy vendors on insurance?

ISA Social Contract Model

Model on Electric/Telephone Social Contract 1.0 (November 2008) Cyber Space Policy Review (May 2009) Social Contract 2.0 (January 2010)

Incentive based model for Cybersecurity

Rely on status quo methods to create cyber security standards and practices Test for effectiveness (e.g. FDA) Create tiered levels based on risk profile Apply market incentives to voluntary adoption Embraced by CSPR (tax/liability/procurement / insurance) & legislation

Larry Clinton President lclinton@isalliance.org 703-907-7028