MMC CYBER HANDBOOK 2016 - Marsh


GLOBAL RISK CENTER

MMC CYBER HANDBOOK 2016

Increasing resilience in the digital economy

FOREWORD

Cyber risk exposures are embedded in the operations of organizations across all sectors and countries. No company is fully secure, no matter how sophisticated its cyber defense mechanisms. With cyber risk, you face active adversaries who are constantly changing their attack strategy. Technology advances also create new forms of cyber risk. For example, as more innovative Internet of Things (IoT) devices are deployed to monitor the safety of buildings or the performance of equipment, new cyber exposures are created and need to be managed. Other changes in the technology landscape – from the migration of data and software to the Cloud to the use of artificial intelligence in commercial applications – are also shifting the nature of cyber risk.

An effective cyber risk management strategy includes a deep understanding of the range of persistent cyber threats, a robust assessment of their potential impact, plans for both cyber risk prevention and response, and a management approach that reflects the role of all employees – from the boardroom to the backroom – in implementing cyber defenses. Cyber is a “risk” issue, not an “IT” issue and managing it effectively requires broad cross‑functional engagement. Yet research shows that few companies have made this mindset shift; fewer still have made the concerted organizational effort to identify the range of cyber scenarios that could affect them, assess the cyber risk of their suppliers and customers, and build fully operational cyber risk prevention and response plans.

Marsh & McLennan Companies’ Cyber Risk Handbook 2016 includes articles, report extracts, and perspectives from our cyber leaders and leading third-party experts with whom we collaborate. The articles cover a wide range of topics, from changes in the external landscape, to developments in cyber risk quantification techniques, to cybersecurity-related HR strategies.

We hope this publication provides you with some new insight that can help strengthen your cyber risk management approach and enable your organization to succeed in the emerging digital environment.

John Drzik
President, Global Risk & Specialties, Marsh
Chairman, Cyber Risk Working Group, Marsh & McLennan Companies

CONTENTS

STRATEGY

THE EVOLVING CYBER RISK LANDSCAPE, Alex Wittenberg
CYBER: EVERYONE IS AT RISK
CYBER THREAT IS A SHARED ISSUE, Mark Weil
CYBER TERRORISTS AND RANSOMWARE, Interview with Shawn Henry
GO TO CYBER EXTREMES: What to do when digitalization goes wrong, Claus Herbolzheimer
HOW EUROPE CAN FIGHT CYBER ATTACKS (AND WIN), Peter Beshar
NEW DATA PROTECTION LAW IN EUROPE, Corrado Zana
CYBER RISKS BY INDUSTRY

RISKS

QUANTIFYING CYBER RISK: The core of effective risk management strategy, Arvind Parthasarathi
MEASURING CYBER AGGREGATION RISK, Ashwin Kashyap and Julia Chu
EVOLVING CHALLENGES IN CYBER RISK MANAGEMENT: Protecting assets and optimizing expenditures, Richard Smith-Bingham
CAN YOU PUT A DOLLAR AMOUNT ON YOUR COMPANY’S CYBER RISK?, Leslie Chacko, Evan Sekeris and Claus Herbolzheimer
WHY MODELING IS THE HOLY GRAIL OF CYBER INSURANCE, Robert Parisi
CYBER LOSS EXPOSURE: Identification and development of underwriting information, Chris Beh
THE INSURANCE OF THINGS AND INDUSTRY 4.0: A matrix view, Morley Speed

PEOPLE

STAFFING FOR CYBER RISK MITIGATION: The business challenge, Katherine Jones and Karen Shellenback
DON’T IGNORE THE INSIDER CYBER THREAT, Basie von Solms
A STRATEGIC APPROACH TO CYBERSECURITY OPERATIONS, Jim Holtzclaw and Tom Fuhrman
CHIEF HUMAN RESOURCES OFFICER: Why your employees are your strongest – and weakest – link in your cyber defenses, Elizabeth Case

STRATEGY

THE EVOLVING CYBER RISK LANDSCAPE

Alex Wittenberg

Six years ago, the 2010 edition of the annual Global Risks report prepared by the World Economic Forum with Marsh & McLennan Companies found in the annual survey of global experts that: “Most experts perceive the risk of a potential breakdown of “Critical Information Infrastructure” (CII), as well as of data fraud/loss, as comparatively low – both in terms of likelihood and severity. Moreover, these two risks were assessed as being among the least interconnected risks.” [1]

TIMES CHANGE FAST

The 2016 Global Risk Report tags the “Rise of cyber dependency” as one of the long-term patterns that could contribute to amplifying global risks. Cyber attacks were ranked in the top 10 global risks – placing seventh over the next 18 months and eighth over the next 10 years. (See Exhibit 1.) The scope, scale, and impact of cyber attacks are growing rapidly along with increasing digitization of the public and private sectors. It is estimated that the cost of data breaches will reach 2.1 trillion globally by 2019, which is almost four times the estimated cost of breaches in 2015. [2] The impacts of cyber attacks are moving from the virtual to the physical world. In 2015, a hack on three Ukrainian power distribution companies caused outages to 80,000 energy customers.

Cyber risks are permanent and persistent. However, the awareness of the extent of the risk and the focus on the risk vary around the world. North American and European risk leaders are particularly concerned about the preparedness for cyber risks and critical systems failure. Several Asian economies, including Japan, Singapore, and Malaysia also identify cyber attacks as a primary risk.

Exhibit 1: RISKS OF HIGHEST CONCERN BY TIME HORIZON

Rank  Next 18 months                 10-year horizon
1     Involuntary migration          Water crises
2     State collapse                 Weak climate change response
3     Interstate conflict            Extreme weather
4     High unemployment              Food crises
5     National governance failures   Social instability
6     Fiscal crises                  Biodiversity loss
7     Cyber attacks                  High unemployment
8     Social instability             Cyber attacks
9     Extreme weather                Natural catastrophes
10    Asset bubbles                  National governance

Source: World Economic Forum, Global Risks Report 2016
Note: Global Risk Perceptions Survey 2016

Copyright 2016 Marsh & McLennan Companies

GROWING AWARENESS

Awareness of cyber risk is related to high-profile attacks on the public or private sectors. Data breach notification has driven a high awareness of cyber risk in the USA. In Europe, the General Data Protection Regulation (GDPR), which comes into effect in 2018 and will require data breach reporting, is stimulating a greater focus on public-private cooperation on cyber risk management, cross-industry data sharing, and focus on robust cyber risk management and response. In this changing context, organizations must adopt a robust cyber risk management approach based on an enterprise-wide focus on early detection, response, and recovery to mitigate and better manage the consequences, and ensure business continuity.

Along with proactive cyber risk management are increases in the purchase of cyber insurance. Total annual cyber premiums have reached an estimated 2 billion and may reach 20 billion by 2025. The US remains the largest cyber insurance market, where nearly 20 percent of all organizations have cyber insurance and there are yearly increases in the number of companies purchasing cyber insurance and increases in the limits. [3] (See Exhibit 2.)

However, interest in cyber insurance is growing in other markets. For example, a recent Marsh survey of European Risk Managers found that nearly 25 percent planned to explore cyber insurance options over the next 24 months, and a survey of UK risk managers shows that 20.6 percent of companies are buying insurance. [4] However, the same UK survey shows few companies are quantifying their risk exposures. Without a complete understanding of their company’s exposure to cyber risk (75 percent) and/or a calculation of the financial impact should an event occur (64.6 percent), these organizations are in a poor position to approach the insurance market and place a value on transferring the risk.

CONCLUSION

As public and private sector organizations restructure and reorganize to become digital organizations, cyber risk management must be embedded in strategies and operations. Organizations that fail to do so will leave themselves exposed in a rapidly shifting risk landscape.

Alex Wittenberg, based in San Francisco, is the Executive Director of Marsh & McLennan Companies’ Global Risk Center.

Exhibit 2: 2015 CYBER INSURANCE GROWTH RATES BY INDUSTRY (MARSH CLIENTS)

Industry                                Growth rate
All industries                          27%
Communication, media, and technology    41%
Education                               37%
Financial institutions                  28%
Healthcare                              6%
Hospitality and Gaming                  15%
Manufacturing                           63%
Power and Utilities                     28%
Retail/wholesale                        30%
Services                                13%

Source: Marsh Global Analytics

[1] The word “cyber” appeared once in the annual reports 2006-2009 before it was flagged as a key emerging vulnerability in the 2010 report.
[2] The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation 2015-2020, Juniper Research, 2015.
[3] Sources: The Betterley Report, Cyber/Privacy Insurance Market Survey (2016); Cyber Insurance Market to Triple by 2020 (Sept. 2015); Marsh Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases (March 2016).
[4] European 2016 Cyber Risk Survey Report, Marsh.

EVERYONE IS AT RISK.

AS TECHNOLOGY AND DIGITAL CONNECTIVITY EVOLVE, COMPANIES GLOBALLY FACE MENACING NEW THREATS EVERY DAY – EVEN AS CYBERSECURITY IMPROVES.

It’s a vicious cycle. As technology advances, our risk for new, sophisticated attacks increases. Can your company withstand a significant cyberattack and continue operations?

445 BILLION: THE ESTIMATED ANNUAL COST OF CYBERCRIME TO THE GLOBAL ECONOMY

WELCOME TO THE FOURTH INDUSTRIAL REVOLUTION

Built around cyber-physical systems, the Internet of Things, and the Internet of Services

CYBER-PHYSICAL SYSTEMS
100 billion connected devices
Digital industrial control
Digital service avatars (iconcierge)

THE PATH TO CYBER RESILIENCE

1. IDENTIFY YOUR MOST CRITICAL ASSETS: What do you have that is most valuable to others?
2. GATHER INTELLIGENCE ON CYBER THREATS: Who’s threatening you?
3. UNDERSTAND YOUR DIGITAL PROFILE: What does your online activity signal to others?
4. BUILD A RESILIENT SYSTEM: What are the most critical elements of defense?
5. PLAN FOR A BREACH: What can you do now to prepare for a crisis?

Source: Cyber Resiliency in the Fourth Industrial Revolution, Hewlett Packard Enterprise, FireEye, and Marsh & McLennan Companies, 2016

CYBER THREAT IS A SHARED ISSUE

Mark Weil

Cyber criminals are smart, highly innovative, and persistent lawbreakers. The rewards for these offenders are huge. Not only are they after our personal information, they are after our money, and can and will steal it whenever they are able to. Traditional defenses no longer provide adequate protection. Not only will cyber criminals get into our systems – in many instances, they are already there, assessing which data is of value to them and waiting to act. In 2015, 90 percent of large UK organizations reported breaches, highlighting the urgency of addressing cyber risks.

DON’T GO IT ALONE

Actions by government to increase national cybersecurity need to be matched by the private sector. Although individual firms have taken certain measures to ensure their security and ability to recover from breaches, more needs to be done. Cyber threat is a shared issue, and there is little advantage in going it alone.

For example, cyber and terrorism are increasingly risks that overlap one another. Yet the bulk of information about cybersecurity is maintained within the private sector, while terrorism is handled by the public sector. Clearly, there must be greater partnership between the two to prepare critical infrastructure for these intertwined risks.

Furthermore, countries are now confronting a stark new reality of threats against physical assets – including electric grids, dams, telecommunications networks, transportation systems, and civilian nuclear facilities. Ubiquitous connections to the internet have increased vulnerability in the industrial systems that control these physical assets. As the vast majority of critical infrastructure in many countries is owned and operated by the private sector, it is vital that government and industry lock arms in confronting this risk.

Governments have recognized the economic threat presented by cyber risk and are taking a number of measures to build technological and human resilience across the economy. More than 30 countries – including Germany, Italy, France, the UK, the US, Japan, and Canada – have unveiled cybersecurity strategies. In February 2014, Chinese President Xi Jinping announced a new national cybersecurity body to coordinate security efforts; and in April 2015, Singapore launched a Cybersecurity Agency to oversee policies and conduct cybersecurity outreach.

Governments are supporting the development of cyber defenses through support of research and innovation, knowledge and skill building, and by developing awareness of cyber risks. For example, the UK’s Centre for the Protection of National Infrastructure provides good practice, technical guidance, and facilitates information exchange between sectors, including the energy sector and manufacturers of security equipment for national infrastructure. France’s cybersecurity strategies, coordinated by the National Agency for the Security of Information Systems, are similarly based on promoting cooperation between the public and the private sector.

Governments are fostering collaborative sharing of information between the public and private sector. Understanding the full cyber risk landscape is difficult for many firms, and government or industry association efforts to support threat and response information are important. The UK’s Cyber Security Information Sharing Partnership was launched to support the wider objectives of the UK National Cyber Security Strategy. Such mechanisms enable companies to confidently and safely share information on cyber threats without revealing corporate vulnerabilities, corporate secrets, customers’ personally identifiable information (PII), or leaving a company exposed to lawsuits. They also allow companies within the same industry to share information without concerns of apparent collusion.

Police and law enforcement play a critical role in the fight against cyber threats, underlining the need for a joint approach between industry and government bodies. Currently, cyber incidents are underreported; organizations must report crime to the police or officials and share information regularly. Through greater cooperation with national bodies such as UK’s National Cyber Crime Unit (NCCU) and international agencies such as the European Union Agency for Network and Information Security (ENISA), law enforcement will be able to bring more cyber criminals to justice.

CONCLUSION

To combat cyber threats, the government and private sector need to adopt a mindset that we are all in this together in an urgent fight against a common enemy. Cyber criminals are the hidden enemy, operating behind the scenes and inside our organizations and our devices, and incredibly difficult to detect, take down, and punish. Losing is potentially catastrophic and ultimately, avoidable. Winning will enable us to preserve our society and our way of life.

Mark Weil is the Chief Executive Officer of Marsh’s UK and Ireland region.

CYBER TERRORISTS AND RANSOMWARE

INTERVIEW WITH SHAWN HENRY

When the Democratic National Committee based in Washington, DC discovered in June that its entire computer network had been hacked, it called on Shawn Henry, president of CrowdStrike and former head of the FBI’s cyber division, to review the damage and identify the perpetrators, which were deemed to be agents of the Russian government.

In this Brink interview, Henry shares his views on dealing with the various adversarial groups lurking in the shadows of the internet.

BRINK: What’s the biggest cybersecurity mistake you continually run into when you are consulting with companies and why does it keep happening?

Shawn Henry: Companies continue to be reactive, rather than proactive. In other words, they’re responding to incidents after the fact, rather than proactively going out and deploying technologies that allow them to get better visibility into the environment and see what’s coming. The proactive piece, where companies take security into their own hands or start actively hunting for adversaries in their environment, is the single biggest step that organizations can take.

BRINK: How pervasive is the threat from state‑sponsored cyber crime? Does it happen across all public and private sectors and does it go beyond state‑sponsored actors?

Henry: A wide range of groups are involved and are pretty prolific. Nation states are targeting organizations for intellectual property and research and development information and corporate strategies. Also, terrorist groups are targeting critical infrastructure. We know that they’re developing these capabilities. The organized crime groups are targeting primarily the financial-services and retail sectors. They are increasingly using ransomware, targeting many other types of organizations where they feel that they can get some return on their investment, and it’s turning out to be a sizable return for what little investment they make. Healthcare, financial services, manufacturing, government, educational institutions, energy, and transportation – no sector goes untouched.

BRINK: What do you say to a CEO who says, “I’m just a shoe manufacturer. We don’t have anything that hackers would want to steal.”

Henry: Every business – regardless of what that is – has something that’s valuable. First, every company that’s in business has something that’s of value, otherwise they wouldn’t be in business. They have some type of commodity, they have business practices, they have proprietary information that differentiates them from others in their industry.

Second, adversaries are not necessarily looking just to steal data. We’ve seen adversary groups that have destroyed networks simply because they’re not happy with the company or the way a company is doing business. These adversaries are using the networks as an opportunity to make a statement. It’s not just being prepared to protect your data, it’s also being aware of the critical risk you face if somebody accesses your network and decides they want to wreak havoc for whatever reason.

BRINK: What’s your position on whether companies should pay up when they become victims of a ransomware attack?

Henry: I think that companies shouldn’t pay and that instead they should invest their money in developing a continuity of operations plan, such as having a backup strategy so that they can reconstitute their network.

BRINK: The debate over whether companies should be able to “hack back” is getting some more play these days. What’s your opinion on that?

Henry: Companies cannot legally leave their network to target somebody else. They can’t try to track them down and steal their data back. They can’t send malware out to another party. There is probably going to be more debate on this subject as the situation continues to worsen, and there will be calls for companies to be able to take some type of action. But for right now, the law is very clear: They can’t do it.

BRINK: Would you support a change in the law that lets companies do that?

Henry: In doing that, you face the risk of companies getting engaged in foreign countries, in foreign laws, and even in dealing with nation states. However, there is a lot that
