The workshop took place in Zurich, Switzerland, on 12-13 May 2017 and was hosted at the Swiss Re Centre for Global Dialogue in Rüschlikon; it was held over one and a half days. The workshop consisted of three sessions and one roundtable debate. It involved approximately 30-40 international high-level expert participants and speakers with substantial knowledge and experience in this field. Below is a copy of the agenda and copies of presentations.
Participation in the digital economy allows businesses to increase productivity and expand their market. At the same time it raises new security and privacy challenges as a result of the fast pace of technological innovation and increasing interdependencies between networks and the operations of infrastructure and businesses.
The perceived risk related to cybercrime and digital security incidents moved into the top five global business risks in 2015 (in 2014, digital security risks ranked 8th and in 2013 just 15th), according to the fourth annual Allianz Risk Barometer Survey. In the World Economic Forum’s Global Risks 2015 report, digital security risk was perceived as a major risk in terms of likelihood and impact. It was recognised as one of the top commercial risks along with geopolitics, the environment, and the economy.
Digital security risk is a concern that the entire business community shares, but it may have especially serious consequences for smaller businesses. While large businesses and organisations may have the institutional and financial capacity to develop appropriate digital security risk management, studies in a number of OECD countries suggest that this is not the case for small and medium enterprises (SMEs), and particularly micro-enterprises, which face managerial, skill, knowledge and financial constraints. The dearth of reliable evidence on which to base digital security risk management decisions and public policy actions compounds these challenges.
While the frequency and severity of digital security incidents have grown, our ability to measure, analyse, understand and manage them efficiently has not kept pace. A long-standing problem has been the lack of consensus on definitions, typologies and taxonomy, as well as a paucity of historical data on “digital security incidents, threats and vulnerabilities”. In addition, the limited data sharing that has taken place has failed to spur the development of the broadly accessible digital risk actuarial data needed to advance the digital security insurance market more comprehensively.
The development of a more reliable and comprehensive data set on digital security incidents and digital risk management practice would likely require:
There are today a number of different fora and initiatives by government, academia, insurance companies and other private sector stakeholders aimed at addressing how to meet these requirements. The value proposition of a data repository for information on digital security incidents, including possible data requirements and system attributes is also being discussed by insurance companies and government in a number of countries (United States, United Kingdom, France).
Session 1 - Managing Digital Security Risk: Defining the Challenges
Moderator - Anne Carblanc, Head Digital Economy Policy Division (OECD)
Matthew Shabat, Strategist and Performance Manager, Office of Cybersecurity and Communications (Presentation)
Robert W. Gordon, Executive Director, Canadian Cyber Threat Exchange (Presentation)
Measuring cyber risks - how the private and public sector need to address the challenges
Matthias Weber, Group Chief Underwriting Officer, Swiss Re (Switzerland)
Marc Henauer, Head of MELANI Program, Swiss Federal Intelligence (Switzerland)
Session 2 - Digital Risk Management - How can we overcome the data collection and risk measurement challenges?
Moderator - Maya Bundt, Head Cyber and Digital Strategy, Swiss-Re (Switzerland)
Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure?
Martin Eling, Director of the Institute of Insurance Economics, University of St. Gallen (Presentation)
Panel I: Addressing Key Data Collection and Sharing Challenges
What frameworks and standardised approaches are likely to foster useful data collection and reporting for businesses, insurers and policymakers?
Benjamin Dean, OECD Consultant - Results of an OECD Study on Digital Risk Management Practices in Business (Presentation)
Leigh Wolfrom, Policy Analyst - Results of an OECD Study on Supporting an Effective Cyber Insurance Market (Presentation)
Nicholas Kitching, Head Risk Management EMEA for Reinsurance - Supporting digital risk management – CRO Forum work on digital incident categorisation (Presentation)
Eireann Leverett, Senior Risk Researcher, UK Cambridge Judge Business School - What language do CERTs need to speak to interact efficiently with insurers? (Presentation)
Public-Private Partnerships for Improved Data Collection and Sharing
Dr. Shaun Wang, Director, Insurance Risk and Finance Research Centre, Nanyang Technological University (Singapore)
Panel II: Challenges and Opportunities of incident disclosure obligations
What contribution can disclosure requirements make to increasing the availability of data on incidents and impacts? What incentives (and disincentives) do companies face when considering voluntary disclosure? How does the evolving liability environment impact the incentives for disclosure?
Moderator: Robert W. Gordon, Executive Director, Canadian Cyber Threat Exchange (Canada)
Kevvie Fowler, National Leader of Cyber Response Advisor at KPMG (Canada)
Hans Allnutt, Partner, DAC Beachcroft LLP (Presentation)
Mika Susi, Chief Policy Advisor, Confederation of Finnish Industries (Presentation)
Dan Tofan, Network and Information Security Expert, ENISA (Greece)
Aaron Martin, Oxford Martin Associate at the University of Oxford's Global Cyber Security Capacity Centre (Presentation)
Panel III: Value proposition for a digital security incident data repository
What are the opportunities and challenges in establishing a cyber-incident data repository or data-sharing platform? What data can and should be collected? What data needs are shared among business, insurers, governments? At what level might collection be most suitable (international, regional, national, local, industry-specific, etc.)?
Moderator: Matthew Shabat, Strategist and Performance Manager, Office of Cybersecurity and Communications (United States)
Yurie Ito, Executive Director, Cybergreen - Improving Cyber Ecosystem Health through Metrics, Measurement and Mitigation Support (United States)
Joel Benge, Risk Evangelist, Emergent Network Defense - The CyberSecurity Information Sharing Act (Presentation)
Jerome Notin, General Director, ACYMA (France)
Steve Bishop, Head of Insurance and Asset Management, ORX – Cyber Incident Data Capture & Sharing in Practice (Presentation)
Round-Table Discussion on Next Steps
What are the key lessons to be learnt from ongoing efforts? What are the most promising areas for future research and policy action? How can the OECD contribute to moving the policy agenda forward?
Moderator: Elettra Ronchi, Senior Policy Analyst, OECD
Maya Bundt, Head Cyber and Digital Strategy, Swiss-Re (Switzerland)
Matthew Shabat, Strategist and Performance Manager, Office of Cybersecurity and Communications (United States)
Robert W. Gordon, Executive Director, Canadian Cyber Threat Exchange (Canada)
Jerome Notin, General Director, ACYMA (France)
Laurent Bernat, Policy Analyst, OECD
Blair Stewart, Assistant Commissioner, Office of the Privacy Commissioner (Presentation)
Philippe Cotelle, Head of Airbus Defence and Space Risk Management (France)