Foreword by Ron Hale xxiii

About the Editor xxxi

List of Contributors xxxiii

Acknowledgments xxxv

CHAPTER 1 Introduction 1
Domenic Antonucci, Editor and Chief Risk Officer, Australia

The CEO under Pressure 1

Toward an Effectively Cyber Risk–Managed Organization 3

Handbook Structured for the Enterprise 4

Handbook Structure, Rationale, and Benefits 7

Which Chapters Are Written for Me? 8

CHAPTER 2 Board Cyber Risk Oversight 11
Tim J. Leech, Risk Oversight Solutions Inc., Canada Lauren C. Hanlon, Risk Oversight Solutions Inc., Canada

What Are Boards Expected to Do Now? 11

What Barriers to Action Will Well-Intending Boards Face? 13

What Practical Steps Should Boards Take Now to Respond? 16

Cybersecurity—The Way Forward 20

About Risk Oversight Solutions Inc. 21

About Tim J. Leech, FCPA, CIA, CRMA, CFE 21

About Lauren C. Hanlon, CPA, CIA, CRMA, CFE 21

CHAPTER 3 Principles Behind Cyber Risk Management 23
RIMS, the risk management society™ Carol Fox, Vice President, Strategic Initiatives at RIMS, USA

Cyber Risk Management Principles Guide Actions 23

Meeting Stakeholder Needs 25

Covering the Enterprise End to End 26

Applying a Single, Integrated Framework 27

Enabling a Holistic Approach 28

Separating Governance from Management 31

Conclusion 31

About RIMS 32

About Carol Fox 32

CHAPTER 4 Cybersecurity Policies and Procedures 35
The Institute for Risk Management (IRM) Elliot Bryan, IRM and Willis Towers Watson, UK 
Alexander Larsen, IRM, and President of Baldwin Global Risk Services Ltd., UK

Social Media Risk Policy 35

Ransomware Risk Policies and Procedures 41

Cloud Computing and Third-Party Vendors 45

Big Data Analytics 50

The Internet of Things 53

Mobile or Bring Your Own Devices (BYOD) 55

Conclusion 60

About IRM 64

About Elliot Bryan, BA (Hons), ACII 65

About Alexander Larsen, FIRM, President of Baldwin Global Risk Services 65

CHAPTER 5 Cyber Strategic Performance Management 67
McKinsey & Company
James M. Kaplan, Partner, McKinsey & Company, New York, USA Jim Boehm, Consultant, McKinsey & Company, Washington, USA

Pitfalls in Measuring Cybersecurity Performance 68

Cybersecurity Strategy Required to Measure Cybersecurity Performance 69

Creating an Effective Cybersecurity Performance Management System 72

Conclusion 77

About McKinsey Company 78

About James Kaplan 78

About Jim Boehm 79

CHAPTER 6 Standards and Frameworks for Cybersecurity 81
Stefan A. Deutscher, Principal, Boston Consulting Group (BCG), Berlin Germany
William Yin, Senior Partner and Managing Director, Boston Consulting Group (BCG), Hong Kong

Putting Cybersecurity Standards and Frameworks in Context 81

Commonly Used Frameworks and Standards (a Selection) 84

Constraints on Standards and Frameworks 93

Good Practice Consistently Applied 93

Conclusion 94

About Boston Consulting Group (BCG) 95

About William Yin 96

About Dr. Stefan A. Deutscher 96

CHAPTER 7 Identifying, Analyzing, and Evaluating Cyber Risks 97
Information Security Forum (ISF)
Steve Durbin, Managing Director, Information Security Forum Ltd.

The Landscape of Risk 97

The People Factor 98

A Structured Approach to Assessing and Managing Risk 100

Security Culture 101

Regulatory Compliance 102

Maturing Security 103

Prioritizing Protection 104

Conclusion 104

About the Information Security Forum (ISF) 106

About Steve Durbin 106

CHAPTER 8 Treating Cyber Risks 109
John Hermans, Cyber Lead Partner Europe, Middle East, and Africa at KPMG, The Netherlands
Ton Diemont, Senior Manager at KPMG, The Netherlands

Introduction 109

Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization’s Risk Profile 110

Determining the Cyber Risk Profile 111

Treating Cyber Risk 112

Alignment of Cyber Risk Treatment 114

Practicing Cyber Risk Treatment 115

Conclusion 119

About KPMG 120

About John Hermans 121

About Ton Diemont 121

CHAPTER 9 Treating Cyber Risks Using Process Capabilities 123
ISACA
Todd Fitzgerald, CISO and ISACA, USA

Cybersecurity Processes Are the Glue That Binds 123

No Intrinsic Motivation to Document 124

Leveraging ISACA COBIT 5 Processes 125

COBIT 5 Domains Support Complete Cybersecurity Life Cycle 137

Conclusion 139

About ISACA 140

About Todd Fitzgerald 141

CHAPTER 10 Treating Cyber Risks—Using Insurance and Finance 143
Aon Global Cyber Solutions
Kevin Kalinich, Esq., Aon Risk Solutions Global Cyber Insurance Practice Leader, USA

Tailoring a Quantifi ed Cost-Benefi t Model 143

Planning for Cyber Risk Insurance 149

The Risk Manager’s Perspective on Planning for Cyber Insurance 150

Cyber Insurance Market Constraints 152

Conclusion 154

About Aon 157

About Kevin Kalinich, Esq. 158

CHAPTER 11 Monitoring and Review Using Key Risk Indicators (KRIs) 159
Ann Rodriguez, Managing Partner, Wability, Inc., USA

Definitions 160

KRI Design for Cyber Risk Management 160

Conclusion 169

About Wability 169

About Ann Rodriguez 170

CHAPTER 12 Cybersecurity Incident and Crisis Management 171
CLUSIF Club de la Sécurité de l’Information Français Gérôme Billois, CLUSIF Administrator and Board Member Cybersecurity at Wavestone Consultancy, France

Cybersecurity Incident Management 171

Cybersecurity Crisis Management 174

Conclusion 182

About CLUSIF 183

About Gérôme Billois, CISA, CISSP and ISO27001 Certifi ed 183

About Wavestone 183

CHAPTER 13 Business Continuity Management and Cybersecurity 185
Marsh
Sek Seong Lim, Marsh Risk Consulting Business Continuity Leader for Asia, Singapore

Good International Practices for Cyber Risk Management and Business Continuity 186

Embedding Cybersecurity Requirements in BCMS 188

Developing and Implementing BCM Responses for Cyber Incidents 189

Conclusion 190

Appendix: Glossary of Key Terms 191

About Marsh 191

About Marsh Risk Consulting 192

About Sek Seong Lim, CBCP, PMC 192

CHAPTER 14 External Context and Supply Chain 193
Supply Chain Risk Leadership Council (SCRLC) 
Nick Wildgoose, Board Member and ex-Chairperson of SCRLC, and Zurich Insurance Group, UK

External Context 194

Building Cybersecurity Management Capabilities from an External Perspective 200

Measuring Cybersecurity Management Capabilities from an External Perspective 204

Conclusion 204

About the SCRLC 205

About Nick Wildgoose, BA (Hons), FCA, FCIPS 205

CHAPTER 15 Internal Organization Context 207
Domenic Antonucci, Editor and Chief Risk Offi cer, Australia
Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia

The Internal Organization Context for Cybersecurity 207

Tailoring Cybersecurity to Enterprise Exposures 209

Conclusion 240

About Domenic Antonucci 241

About Bassam Alwarith 241

CHAPTER 16 Culture and Human Factors 243
Avinash Totade, ISACA Past President UAE Chapter and Management Consultant, UAE
Sandeep Godbole, ISACA Past President Pune Chapter, India

Organizations as Social Systems 243

Human Factors and Cybersecurity 246

Training 248

Frameworks and Standards 249

Technology Trends and Human Factors 250

Conclusion 252

About ISACA 253

About Avinash Totade 253

About Sandeep Godbole 254

CHAPTER 17 Legal and Compliance 255
American Bar Association Cybersecurity Legal Task Force
Harvey Rishikof, Chair, Advisory Committee to the Standing Committee on Law and National Security, USA
Conor Sullivan, Law Clerk for the Standing Committee on National Security, USA

European Union and International Regulatory Schemes 255

U.S. Regulations 258

Counsel’s Advice and “Boom” Planning 261

Conclusion 266

About the Cybersecurity Legal Task Force 269

About Harvey Rishikof 269

About Conor Sullivan 270

CHAPTER 18 Assurance and Cyber Risk Management 271
Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE

Cyber Risk Is Ever Present 271

What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively 272

How to Deal with Two Differing Assurance Maturity Scenarios 277

Combined Assurance Reporting by ERM Head 278

Conclusion 278

About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert. 280

CHAPTER 19 Information Asset Management for Cyber 281
Booz Allen Hamilton
Christopher Ling, Executive Vice President, Booz Allen Hamilton, USA

The Invisible Attacker 281

A Troubling Trend 282

Thinking Like a General 283

The Immediate Need—Best Practices 283

Cybersecurity for the Future 284

Time to Act 286

Conclusion 286

About Booz Allen Hamilton 287

About Christopher Ling 287

CHAPTER 20 Physical Security 289
Radar Risk Group
Inge Vandijck, CEO, Radar Risk Group, Belgium
Paul Van Lerberghe, CTO, Radar Risk Group, Belgium

Tom Commits to a Plan 290

Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity 291

Manage or Review the Cybersecurity Organization 294

Design or Review Integrated Security Measures 295

Reworking the Data Center Scenario 299

Calculate or Review Exposure to Adversary Attacks 302

Optimize Return on Security Investment 305

Conclusion 306

About Radar Risk Group 307

About Inge Vandijck 307

About Paul Van Lerberghe 307

CHAPTER 21 Cybersecurity for Operations and Communications 309
EY
Chad Holmes, Principal, Cybersecurity, Ernst & Young LLP (EY US)
James Phillippe, Principal, Cybersecurity, Ernst & Young LLP (EY US)

Do You Know What You Do Not Know? 309

Threat Landscape—What Do You Know About Your Organization Risk and Who Is Targeting You? 310

Data and Its Integrity—Does Your Risk Analysis Produce Insight? 310

Digital Revolution—What Threats Will Emerge as Organizations Continue to Digitize? 311

Changes—How Will Your Organization or Operational Changes Affect Risk? 312

People—How Do You Know Whether an Insider or Outsider Presents a Risk? 312

What’s Hindering Your Cybersecurity Operations? 312

Challenges from Within 313

What to Do Now 313

Conclusion 318

About EY 319

About Chad Holmes 319

About James Phillippe 319

CHAPTER 22 Access Control 321
PwC Sidriaan de Villiers, Partner—Africa Cybersecurity Practice, PwC South Africa

Taking a Fresh Look at Access Control 321

Organization Requirements for Access Control 322

User Access Management 323

User Responsibility 327

System and Application Access Control 327

Mobile Devices 329

Teleworking 331

Other Considerations 332

Conclusion 333

About PwC 334

About Sidriaan de Villiers, PwC Partner South Africa 334

CHAPTER 23 Cybersecurity Systems: Acquisition, Development, and Maintenance 335
Deloitte
Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte Advisory, USA

Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices 336

Specific Considerations 342

Conclusion 344

About Deloitte Advisory Cyber Risk Services 346

About Michael Wyatt 346

CHAPTER 24 People Risk Management in the Digital Age 347
Airmic
Julia Graham, Deputy CEO and Technical Director at Airmic, UK

Rise of the Machines 347

Enterprise-Wide Risk Management 348

Tomorrow’s Talent 350

Crisis Management 354

Risk Culture 355

Conclusion 356

About Airmic 358

About Julia Graham 358

CHAPTER 25 Cyber Competencies and the Cybersecurity Offi cer 359
Ron Hale, PhD, CISM, ISACA, USA

The Evolving Information Security Professional 359

The Duality of the CISO 360

Job Responsibilities and Tasks 363

Conclusion 366

About ISACA 368

About Ron Hale 368

CHAPTER 26 Human Resources Security 369
Domenic Antonucci, Editor and Chief Risk Offi cer, Australia

Needs of Lower-Maturity HR Functions 369

Needs of Mid-Maturity HR Functions 370

Needs of Higher-Maturity HR Functions 372

Conclusion 373

About Domenic Antonucci 374

Epilogue 375
Becoming CyberSmart ^TM: a Risk Maturity Road Map for Measuring Capability Gap-Improvement
Domenic Antonucci, Editor and Chief Risk Offi cer (CRO), Australia
Didier Verstichel, Chief Information Security Offi cer (CISO) and Chief Risk Offi cer (CRO), Belgium

Background 375

Becoming CyberSmart^TM 376

About Domenic Antonucci 392

About Didier Verstichel 392

Glossary 393

Index 399

Praise for The Cyber Risk Handbook

"Domenic Antonucci and his outstanding collection of contributors have produced a most timely and comprehensive reference and teaching guide on one of the most potentially impactful and evolving risks facing organizations (and governments) today. This book should be an extremely valuable resource for directors, executives, chief information officers, risk managers, auditors, and all concerned with this critical topic. I particularly like how the risks and controls are presented in the context of overall governance and enterprise risk management."
—John R. S. Fraser, FCPA, FCA, Retired Chief Risk Officer and Adjunct Professor, York University

"Domenic makes a most practical and valuable contribution…he curates a wide-ranging body of knowledge on this most vexing topic from a globally diverse group of subject matter experts. Unlike books written by IT experts for IT practitioners, Mr. Antonucci provides an invaluable resource for management to enable them to ask the right questions of their IT experts … so as to assure themselves that the matters that should be keeping them awake at night are being addressed and that reporting systems are providing them with the management information they need to know rather than what they want to hear. Mr. Antonucci and his contributors are to be commended for their work."
—Kevin W. Knight, AM, Immediate Past Chairman, ISO/TC 262 – Risk Management and Adjunct Professor, University of Queensland Business School

"This timely cyber security reference guide, structured on a maturity model to aid comprehension of current capabilities, addresses what has become, for many organizations, their priority risk management activity. Cyber security is evolving in nature and becoming more prevalent, sophisticated, and invasive. The book rightly identifies cyber security as a C-Suite responsibility with enterprise-wide implications – not for delegation to the IT department. The way an organization addresses cyber-crime (as seen in the financial sector) has a direct bearing on its reputation, customer base, profitability, and indeed its very longevity."
—Dr. Robert Chapman, Managing Director, Dr. Chapman & Associates

"The Cyber Risk Handbook provides comprehensive and practical guidance. One of the key pluses of this book is its holistic focus on the importance of people, behavior, and processes, rather than just technological solutions. Domenic Antonucci has assembled a team of experts, all of whom are uniquely qualified to contribute to the ongoing discussion regarding this capricious and exponentially significant risk. I found The Cyber Risk Handbook an easy read, and I particularly liked the comprehensive overview of the key developments in cyber risk management. This book will appeal to a wide audience enabling them to learn solutions to critical issues and formulate a good practice methodology that ensures they stay ahead of the latest threats."
—Nicola Crawford, Chair, The Institute of Risk Management (IRM) and Managing Director, i-Risk Europe Ltd

"Very thorough and comprehensive. A wide variety of experts describing all facets of cyber risks … a necessary focus on top management involvement. Information and systems as the new risk frontier."
—Franck Baron, Chairman and VP, Pan Asia Risk & Insurance Management Association (PARIMA)

There isn't an organization of any size in any sector immune from finding itself in the news headlines due to a cyber-attack. From government agencies to bedrock financial institutions, managing cyber risk across an enterprise is now a primary business concern. The Cyber Risk Handbook brings together the top thought leaders from all over the globe to share their talent for customizing cyber risk management systems for every type of organization.

This is the authoritative, go-to resource every leader must have on hand to fully understand and effectively contribute to taking their organization up the risk maturity curve. Cyber risk is much more than an IT issue—shareholders want full accountability at the top for dynamic environments impacting value, including social media, mobile devices, massive data storage, artificially intelligent products, the Internet of Things (IoT), privacy requirements, and the ability to carry out business as usual. In this first-of-its-kind guidebook for the busy practitioner, the ins and outs of developing state-of-the-art cyber defense integrated with the modern enterprise risk management (ERM) system, is explained in non-technical language more familiar to non-IT managers. It starts by quickly bringing you up to speed on risk maturity and its benefits so you can seamlessly grasp the seven sets of capabilities present in rock-solid cyber risk management systems, explain them to your leadership team, and execute them to your organization's objectives. Everything you need to streamline the process and sleep at night is inside, including:

• Step-by-step guidance for building, measuring, and optimizing cybersecurity capabilities
• Expert guidance from contributors with backgrounds in IT, cybersecurity, risk management, insurance, finance, accounting, supply chain, and internal auditing
• A diverse collection of planning and implementation approaches, models, and methods so you can custom fit without reinventing the wheel

Close the gaps in your cyber capabilities today with The Cyber Risk Handbook.