7:00 am - 5:00 pm
8:30 am - 9:30 am
9:30 am - 9:45 am
9:45 am - 10:45 am
Next Tech: The Future of Technology, Security and Threats
Robots, artificial intelligence, cyberwar, 3D printing, bio-enhancements and a new geopolitical competition: the 21st century is being shaped by a range of exciting, and scary, new trends and technologies. A best-selling author described by the Wall Street Journal as "one of Washington's pre-eminent futurists," and a consultant for groups ranging from the CIA and the Chairman of the Joint Chiefs to Hollywood and the Call of Duty video game series, Singer uses an engaging speaking style to walk the audience through the key trends emerging today that will shape the world of technology and security tomorrow.
- Peter Singer, Writer and Futurist, P.W. Singer
|11:00 am - 12:15 pm
Implementing the NIST Cybersecurity Framework
The NIST Cybersecurity Framework was first introduced in 2014 as a voluntary standard for critical infrastructure organizations. Increasingly, organizations across all sectors are recognizing cybersecurity as an existential risk and are implementing the Framework.
This session will provide a short overview of the Framework and address the value proposition and key considerations in structuring an effective implementation. More specifically, risk managers will learn practical "how to" information on implementing the Framework and its assessment, drawn from first-hand experience at Microsoft. Finally, the session will cover different visualization methods as well as alternatives for benchmarking and external review.
- Tom Easthope, Director - ERM, Microsoft
- Jeff Pratt, General Manager - ERM, Microsoft
Insider Threats: Combating Risk with Formal Insider Threat Programs
This session will bring to life a multidisciplinary insider threat program, one that includes formal policies, key technical and behavioral indicators, and language analysis, and show how such a program can help organizations proactively defuse at-risk insiders and set the stage for a predictable and healthy workplace.
- Rocco Grillo, Executive Managing Director - Cyber Resilience Leader, Stroz Friedberg
- Kostas Georgakopoulos, CISO, Procter & Gamble
Marrying Cyber Security and Enterprise Operational Risk in Healthcare
This session explores the benefits of a robust operational risk organization to help drive high-quality care, reduce cost, and ensure that organizations consider all aspects of care delivery when mitigating cybersecurity risk. This session will also include a case study on how an operational risk model can be married with cybersecurity standards in healthcare organizations. Attendees will learn the unique challenges that a clinical care environment presents when identifying and quantifying risk.
- Enitan Adesanya, VP - Risk Management and Compliance, Kaiser Permanente
- Shawn DeWitt, Director - Risk Management, Kaiser Permanente
12:15 pm - 1:30 pm
1:30 pm - 2:45 pm
Leveraging Your Captive in the Cyber Market: How the UC System Uses Its Captive to Cover Data Breach and Other Cyber Losses
Cyber is still a very difficult risk for the commercial market to write: the coverage is far from standardized and is still rapidly evolving. Join this session to learn the advantages of "going captive," and gain insight from a real-world example, the University of California's creative use of its captive to cover cyber risk.
- Dana Sheridan, Esq., GC and Chief Compliance Officer, Active Captive Management
- Courtney Claflin, Executive Director—Captive Programs, University of California
Third-Party Security Risk: Where's My Data and Who Has Access to It?
Most companies are part of an interconnected digital ecosystem of customers, third party providers and other business partners. It’s imperative to understand these relationships and know where your data is and who has access to it. Developing and implementing a formal third-party security oversight and assessment process is a key component of an overall enterprise risk management program and should be a focus of any information security and cyber risk activity. This session will provide an overview of third-party security risk, common misconceptions, relevant regulatory drivers and key components of successful programs.
- Art Boyle, VP - ERM, Radian Group
- Shawn Malone, Founder and CEO, Security Diligence LLC
- Tom Reagan, Cyber Risk Practice Leader, Marsh
Cybersecurity: A Team Sport Played Beyond IT
This panel will share data breach findings that will provide the appropriate context for cyber risk discussions within most organizations. Panel members will share how, together, they created a cyber ecosystem and operationalized the TIE framework. TIE incorporates Technology and Insurance solutions in parallel with integrating cyber risk management into an organization’s Enterprise-wide risk governance. This framework allows for iterative and recursive management and monitoring of cyber risks.
- Augustine Doe, CEO, Outsource Risk Management LLC
- Joseph Abrenio, Founder, CyberSquire, LLC
- Will Durkee, CISSP, ITPM, Director of Security Solutions, TSC Advantage
- Yvette Connor, Chief Risk Officer, Focal Point Data Risk
2:45 pm - 3:00 pm
3:00 pm - 4:00 pm
Cyber and Enterprise Risk: Connecting Risk Managers to CIOs and CISOs
The best cybersecurity rests on a foundation of collaboration. This panel will discuss the collaboration headwinds of isolated responsibilities, legacy mindsets and conflicting budgets. Attendees will leave the session with ideas for how to bridge the divides as well as a vision for the future.
- Brent Rieth, SVP and Team Leader, Aon Risk Solutions
- Christine Merkle, Senior Vice President, Moody’s Corporation
- Carol Santos, Manager, Business Risk & Insurance, Google
- Derek Vadala, Managing Director and CISO, Moody's Corporation
4:00 pm - 6:00 pm
Networking Reception
Friday, September 8, 2017
8:00 am - 12:00 pm
8:00 am - 9:30 am
9:30 am - 10:30 am
Hardening Humans: A 365-Day Plan for Raising Total Organizational Awareness
This presentation aims to demystify cyber awareness efforts by presenting a clear, industry-agnostic, measurable and sustainable roadmap for achieving company-wide improvement in 365 days or less. This talk is designed to support risk managers and information security experts who are tasked with rolling out an awareness program or who are having difficulty gaining program buy-in. Even the most skeptical leadership and board members will be impressed with the metrics, anecdotes and results of this program implemented as designed.
- Erinmichelle Perri, CISO, Multiplan, Inc.
Communication Matters: Exploring Ways of Discussing Cybersecurity with Internal and External Stakeholders
Cybersecurity risk management has become an important area of focus for most organizations; Gartner estimates that 80% of security risk management leaders are being asked to present to executives on the state of their security and risk program. Some organizations find it challenging to know which areas to focus on when discussing information security internally with senior leadership and the Board of Directors, or externally with auditors and critical vendors. This session will help you get an accurate representation of your company's cybersecurity performance, and will cover best practices for communicating this information in a business context.
- Jake Olcott, VP of Strategic Partnerships, BitSight Technologies
- Harrison Lewis, CIO, Northgate Markets
Smart Infrastructure, Smart Cities: A Bright and Risky Future
This presentation will review the risk involved with the growth of tomorrow’s Smart Cities. Using the City of San Diego as a case study, attendees will learn how to use cybersecurity and risk frameworks to lay a foundation for the path ahead.
- Gary Hayslip, Vice President and CISO, Webroot Software, Inc.
- Ed Cabrera, Chief Cybersecurity Officer, Trend Micro
10:30 am - 10:45 am
10:45 am - 12:00 pm
Clear Line of Sight: Communicating Cyber Risk to the Board
Cyber has evolved from an IT issue to a governance matter. Boards of Directors are increasingly being held accountable by stakeholders not only for understanding the network security and privacy risks facing their businesses, but also for taking an active role in managing their organization's strategy for mitigating and responding to attacks and data breaches. With myriad issues and risks facing an enterprise, just getting on the agenda of a board meeting can be a daunting task for any risk manager. This session will cover the keys to effectively presenting Cyber Risk Management to the Board of Directors.
- Julie Bowen, SVP, General Counsel, and Corporate Secretary, The MITRE Corporation
- Michal Gnatek, Enterprise Risk Manager, The MITRE Corporation
Understanding the New Landscape of Cyber, Terror and Cyber-Terror Risks
Although cyber-related breaches, as we have come to know them, will continue, they will be joined in increasing numbers by more aggressive and dangerous events, recognized as cyber-terrorism. These events can be against soft targets as well as substantial hard targets such as major venues and events. This session will provide an overview of various legislative actions at the state and federal levels to address measures that must be taken to protect privacy and protected information and how to respond in the event of a breach. The speakers will also address significant legislation directed at the government's participation with the private sector in risk mitigation, loss sharing and information sharing between the public and private sectors (the SAFETY Act and the Cybersecurity Act of 2015).
- Mark Weatherford, Senior Vice President & Chief Cybersecurity Analyst, vARMOUR
- David Olive, Esq, Principal, Catalyst Partners
- Dena Cusick, National Practice Leader - Professional Risk Practice, Wells Fargo & Company
- Ernest F. Koschineg, Esq, Cipriani & Werner, P.C.
Managing Risks by Unburdening the Overburdened CISO
Many CISOs are expected to be technically and operationally "cyber savvy" in addition to being seasoned risk management professionals. As the Internet of Things continues to evolve and public scrutiny and regulatory oversight increase, traditional approaches to managing cyber risks must also evolve. Repositioning and refocusing the organizational responsibilities and alignment for cyber risk management establishes the dedicated effort required, and leverages the skills needed, for effective risk management.
- Jana Utter, VP - ERM, Centene Corporation
- Lou DeSorbo, SVP and Chief Security Risk Officer, Centene Corporation
12:00 pm - 1:15 pm
1:15 pm - 2:15 pm
Getting (and Keeping) the Right Cyber Coverage
A crash course on the rapidly changing world of cyber insurance. What risks should you cover? What's actually being covered? What can you cover with your captive? And once you have the coverage you want, you want to be sure to keep it. Our panelists will cover these pressing concerns and more.
- Judy Selby, Senior Advisor, Hanover Stone Partners
- Laura Langone, Senior Director - Risk & Insurance, Paypal
By the Numbers: How to Quantify Your Cyber Risk and Take Strategic Actions
Cyber risk, especially business interruption due to a cyber event, is difficult to estimate given its specificity to each organization’s business model and IT infrastructure. Rough estimates using simplistic approaches do not adequately account for specifics and cannot be relied upon for strategic risk management decision making. During this session learn about the assumptions made about cyber value-at-risk and cyber business interruption risk quantification, the practical steps that can be taken to place a real dollar value on potentially crippling risks to the organization, and how this data can be used for strategic cyber risk transfer and risk mitigation decision making across the enterprise.
- Tom Fuhrman, Managing Director, Cybersecurity Consulting and Advisory Practice, Marsh Risk Consulting
- Tracy D. Martin, President, PivotPoint Risk Analytics
Legislating Risk Management: The NY Department of Financial Services Cybersecurity Requirements
The New York Department of Financial Services’ updated “Cybersecurity Requirements for Financial Services Companies” became effective on March 1, 2017, and is an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses (not just regulated entities). The regulations include components of various existing federal and state law requirements, as well as controls that are recognized as “best practices” for data security. While the regulations apply to financial services companies, the breadth and scope of the regulations serve as a valuable guideline for mitigating data security risks—whether you work for a covered entity or not.
- John T. Wolak, Director, Gibbons P.C.
- David W. Opderbeck, PhD, Seton Hall University School of Law
2:15 pm - 2:30 pm
2:30 pm - 3:30 pm
Breaking Down Barriers between Cyber Risk Management and Cyber Security
Too often organizations consider cyber security budgets and cyber risk management budgets separately. Today's business environment demands a holistic risk management approach that looks at which risks we should avoid and which risks we should mitigate, accept or transfer. In this session, we will explore how that ideal structure can be developed once an organization's information technology department is talking to its risk management department. Learn how functions across the business, including information security, general counsel, finance and business leaders from all parts of the organization, can work together to proactively own cyber risk.
- Darren Shou, Senior Director of Research and Development, Symantec
3:30 pm - 3:45 pm