Cyber Insurance Sessions at S4x20

As smart and experienced as the typical S4 attendee is in ICS security, most have little experience with finance and cyber insurance. And these play a major role in ICS cyber-related risk management. We have two sessions that will help get you up the learning curve.

First, Russell Thomas of RMS will discuss how an asset owner hit with an ICS cyber incident would go about calculating damages in a manner that would likely be accepted by the insurance company. This will include loss categories and calculations. He will also discuss which losses are likely to be covered by cyber insurance today, which are not covered, and which are unknown. Norsk Hydro will be used as a loose example (loose because the details behind the big numbers are very limited).

Second, Derek Vadala will describe how Cyber Assessments, a joint venture between Moody’s Corporation, a global credit rating agency, and Team8, is developing a Cyber Risk Rating. Moody’s is famous for its well-respected and widely used Investor Services ratings of bonds from corporations and governments. Derek will describe how the Cyber Risk Rating will be determined and, equally importantly, how they envision it being used. It is a difficult challenge to develop a ratings methodology that is not overly onerous, can be universally applied, and has value to those measuring risk (such as insurers).

A related keynote will come from Lisa Sotto, who chairs Hunton Andrews Kurth’s top-ranked Global Privacy and Cybersecurity practice and is the managing partner of the firm’s New York office. Cybersecurity is now well understood to be a high-level governance issue. Boards of Directors have oversight responsibility for cybersecurity risks faced by the companies they supervise. In addition, the U.S. Securities and Exchange Commission (SEC) has taken an active role in recent years regulating businesses in connection with cyber risks and incidents, bringing significant and costly enforcement actions where companies suffer cybersecurity-related issues. Lisa will explain today’s legal environment and consider future trends. Understanding these issues will assist S4 attendees in addressing cybersecurity risks with their C-suites.