Page 66 of Maritime Reporter Magazine (March 2015)

U.S. Coast Guard Annual


MARITIME SECURITY

Be the Hammer, not the Nail when it comes to Maritime Cyber Security

By Luke Ritter & John Baskam

Maritime security professionals understand the value of a layered approach to risk management. Cyber security posture continues to develop as a critical component of a maritime security strategy, and cyber security insurance has become a valuable layer of protection that risk managers must consider.

While the insurance industry has decades or more of actuarial data on various kinds of risk (typhoons, tornados, earthquakes, etc.), no such substantive data exists yet for cyber risk.

In June 2014, the Center for Strategic and International Studies [CSIS] cited statistics that should get any risk manager's attention in the maritime industry: at least 3,000 U.S. companies were the victims of some kind of cyber crime last year, and the global cost of this problem is estimated to exceed $400 billion. The bad news is that in reality, these numbers are likely higher, since some of these costs are difficult to measure. The good news, if there is any, is that C-Suite executives and corporate boards are beginning to focus on cyber risk management in a meaningful way. Since the maritime industry is truly a data-driven environment, cyber security has to be part of the risk management equation.

The Three Things

The basic approach to incorporating cyber security insurance into any maritime risk management portfolio has three primary components. These essential elements are:

INFORM: When the right questions are asked, and intelligence resources are tailored to a firm's discrete business profile, those resources can expose and illuminate weaknesses and vulnerabilities. Significant capabilities are currently available to risk managers to manage security intelligence through world-class field operators. The best front-end information management solutions will provide firms with the input required to identify and respond to actual global threat activity. When cyber threat responses are tailored by specific intelligence relevant to a particular business, maritime security executives can optimize the impact of their security operations and cyber risk management programs.

ASSESS: There are multiple assessment tools and methodologies being offered in the marketplace which can come bundled with a virtually endless combination of deliverables and assessment output. This has caused some confusion with regard to what constitutes an appropriate cyber security assessment. Unfortunately, the current approach to risk assessment often gets reduced to a "check-the-box" exercise. Firms are better served to assess actual versus general risk. Reviews of internal policies, governance, and operations, as well as a gap analysis focused on accepted industry standards and best practices should be included in any assessment. Additionally, it is important that firms evaluate all network endpoints to look for exposures. It is important to include a firm's technology team as a risk assessment partner. Including key stakeholders directly into the assessment process enhances the results. The CISO / CTO, or equivalent, are often armed with the best possible real-time data and informed business cases that are directly relevant to C-Suite executives and other key corporate leaders. Once the entire network is evaluated, expert assessors can determine whether companies are prepared to deal with the specific threats and risks that are likely to impact the firm.

ACT: By using assessment output as a risk management work list, firms can work with their insurers to directly manage their specific risk profile and, subsequently, lower their premiums. Risk managers should suggest this kind of collaborative effort to their insurers. Because a world-class assessment process will typically identify actual vulnerabilities, exposures, and potential network problems, this information can also be used to inform an insurance underwriting decision. When a collaborative effort is made to assess vulnerabilities, firms can begin to immediately work with their insurer to take action focused on risk mitigation. Like in other maritime insurance specialties, the cyber liability insurance carrier will demand that both parties work together in this way. Establishing a regular and open dialogue allows for ideas to be shared, and actively builds on mutual trust.

Manage Risk Before it Manages You

The goal should not be to completely eliminate cyber security risk, because that isn't possible. A realistic objective is to manage risk rather than to eliminate it. This means that cyber risk management initiatives start with leadership. Many firms lack the time and resources to study the profiles, capabilities and motivations of all potential adversaries. But resources are available in the security market to help corporate leaders of any sized organization prepare for disruptive events. By working with experts to understand risk appetite (tolerance for risk), and the corresponding level of preparedness, maritime industry leaders can make informed risk management decisions about cyber security.

In the maritime industry, intellectual property and proprietary data about shippers, carriers, commodity types and consignees can truly be a firm's crown jewels – their prized possession that ensures a competitive advantage and anchors their ability to survive disruptive events. So what does it mean in terms of corporate viability when those crown jewels are at risk? There are numerous, recent examples where a single cyber security-related incident proved to be catastrophic.

Insurers need to understand the risk profile of a particular candidate insured in order to inform their underwriting decisions. But how do they predict the unpredictable? Cyber threats are developing and being identified at a very rapid pace. And inherently unpredictable behavior presents a dilemma for most insurance companies as they try to evaluate cyber risk in the maritime industry. Insurers and insureds who place emphasis on cyber security intelligence, and assessment data, are best positioned to collaboratively mitigate risk. Firms that subscribe to this Intelligent Cyber Insurance approach have the greatest potential for success.

Corporate Boards and Chief Executives should be asking the hard questions: If a cyber security breach does occur, is the firm prepared to rapidly remediate and re-constitute business operations? Who will be the lead agent in charge of the various aspects of the response and remediation? Which executive has been assigned to provide timely and accurate information to employees, customers, and to the press? Is the firm prepared for the various legal and regulatory compliance tasks that may result from a breach? And when was the last time that the IT, security, legal, and human resources teams met to plan for contingencies? Cyber security should not be treated as just another Information Technology [IT] challenge in the maritime industry. That approach over-simplifies and under-estimates the threat…and has a high probability of failure. Maritime firms are better served to cultivate a culture of security and resiliency and to counter cyber threats by investing in a layered approach to risk management.

Dress for Success

A "well-dressed" risk manager should be looking to include as many of the following cyber security insurance policy features and benefits into their risk management approach as possible:

General protections: Do you have coverage for loss in profits as a result of negative press? Is the jurisdiction of your policy worldwide, with a provision that claims can be brought outside of the U.S.? Does your policy include coverage for accidental damage or destruction, and administrative mistakes? If your reporting period doesn't extend to 3 years, you should think about re-negotiating your coverage.

Regulatory and Compliance Coverage: Are you covered for expenses related to voluntary customer notifications? Can you claim losses related to exposure of

