ISA-ANSI Workshop on Developing a Framework to documents/Standards... · Web viewPhase II -...

Date post: 25-Feb-2021

Meeting Summary from the Kick-Off Meeting of the ISA-ANSI Workshop on Cyber Risk Phase II - Developing a Methodology for CFO/CEO Decision Making in Cyber Risk Mitigation

July 31, 2009
9:00 am – 4:15 pm

Hosted by: Zurich North America

1 Liberty Plaza
New York, NY 10006
33rd Floor Conference Rooms A&B

Welcome / Call to Order

Fran Schrotter, Senior Vice President and Chief Operating Officer, American National Standards Institute (ANSI), called the meeting to order and welcomed the participants. She provided an overview of ANSI as well as insight into the Institute’s top priorities as related to standards panel activities (e.g., homeland security, healthcare, nanotechnology, biofuels, and nuclear). She also noted that last year, the financial impact of cyber risk took center stage as ANSI joined forces with ISA to convene a cross-sector task force representing more than thirty private and public sector organizations. These ISA/ANSI workshop meetings resulted in an action plan targeted at CFOs to help businesses in every sector mitigate the risks associated with cyber attacks. Additionally, she reminded participants that as we build upon the excellent work that has already been done, today’s meeting will broaden our direction beyond just CFOs to include business leaders of all kinds. Ms. Schrotter concluded by acknowledging Larry Clinton, President, Internet Security Alliance (ISA), as the co-organizer of Phase II of this Cyber Risk initiative.

Larry Clinton, President, Internet Security Alliance (ISA), recognized ANSI for the opportunity to revisit the successful partnership from Phase I of Cyber Risk, in addition to his board members, Ty R. Sagalow, Chief Innovation Officer, Zurich North America, and Joe Buonomo, President, Direct Computer Resources, Inc., for assuming leadership roles in kicking off Phase II of this initiative. Mr. Clinton also stressed the critical need for intertwining security with technology and business to create a coherent approach to overall cyber security.

Introductions (all)

Participants introduced themselves and the organizations that they represented. Forty-seven participants representing thirty-six organizations attended the first workshop of Phase II, five of whom participated via teleconference. The complete list of attendees can be found in Attachment 1.

Background on the ANSI-HSSP and Workshop Process

Karen Hughes, Director of Homeland Security Standards, ANSI, welcomed participants and thanked the Internet Security Alliance (ISA) and the workshop leaders as well as Zurich for providing meeting space and Robinson Lerer & Montgomery for their generous sponsorship. She delivered a presentation providing an overview of the ANSI Homeland Security Standards Panel (HSSP), and the traditional Workshop process that it has conducted over the past six years.

Ms. Hughes noted that ANSI formed the Homeland Security Standards Panel (HSSP) in 2003 as a neutral forum where representatives of industry, government, professional societies, trade associations, standards developers, and consortia groups could come together to share knowledge and identify standardization needs to meet U.S. homeland security priorities. Additionally, she highlighted the Homeland Security Standards Database (HSSD), a one-stop resource for first responders, code developers, and all relevant stakeholders, to identify homeland security related standards and/or projects under development. Further information can be obtained at www.hssd.us.

Background on ISA Cyber Security Activities & Cyber Phase I

Larry Clinton, President, Internet Security Alliance (ISA), provided remarks highlighting ISA’s mission and outlined its link to the goal of ISA and ANSI’s joint efforts to address cyber risk from an economic standpoint. Additionally, he shared examples of ISA’s commitment to examine cyber security not simply as an information technology issue but rather from an enterprise-wide perspective with an overview of the following five current projects on the horizon for ISA:

- Framework to secure IT supply chain
- Joint program with the National Institute of Standards and Technology (NIST) examining unified communications platforms (e.g. Voice over Internet Protocol (VOIP)).
- Improving the alignment of a legal framework with modern technology (e.g. digital media)
- Developing a social contract to identify a creative solution for government and industry to partner to ensure mutual needs are met related to cyber as an enterprise-wide risk management issue.
- Phase II of The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask

Mr. Clinton concluded by re-emphasizing his sentiments shared in Phase I noting that ISA is a proponent of the private sector being better positioned to lead the effort for standards setting for cyber security as opposed to relying on the government to take that lead. In doing so he referenced the proposed April 2009 Rockefeller-Snowe legislation on Cyber Risk, stressing the need for a social contract between industry and government for cyber security.

Opening Remarks and Subject Matter Introduction

Ty R. Sagalow, Chief Innovation Officer, Zurich North America, Workshop Leader, provided opening remarks that framed the Workshop goals and objectives for Phase II of The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask? In setting the stage for the Workshop proceedings, Mr. Sagalow stressed that cyber security is not just an issue pertaining to IT departments, but rather should be looked at as an enterprise-wide risk management endeavor. Specifically, six key organizational areas dealing with risk include: legal, compliance, business operations and technology teams, external communications, risk management, and human resources management. In summary, he stated that the scope of Phase II is intended to take the same discipline as Phase I to establish a methodology to provide guidance through tools and analysis on how to manage cyber risk from a financial point of view.

Joe Buonomo, President, Direct Computer Resources, Inc., Workshop Leader, provided opening remarks and recognized ANSI and ISA for their leadership as well as Zurich and Robinson Lerer & Montgomery for their generous sponsorship of this Workshop. He began by commending the successful efforts of Phase I and noting the importance to revisit this topic in a Phase II effort, especially in light of cyber breaches rising 47%. Such breaches not only impact our networks and firewalls, but also our critical infrastructure resulting in tremendous financial setbacks. He concluded by stating that Phase II will provide the answer to Phase I questions, including the methodology and approach for best practices.

Session #1 – Current Landscape

The main objective of this session was to:

- Provide an overview of current usage of the ISA-ANSI Publication The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask
- Outline the current Administration’s priorities as related to Cyber Risk in looking at these issues from an economic vs. technical context.

Larry Clinton, President, Internet Security Alliance (ISA), delivered a presentation addressing the current landscape of cyber security and the economy supported by excerpts from the Price Waterhouse Coopers (PWC) Global Cyber Security Survey. He noted a milestone of particular interest to this audience, that for the first time in the United States’ history, the President gave a speech from the White House addressing cyber security. Additionally, he cited the President’s Cyber Space Policy Review, May 30, 2009, a comprehensive sixty-day cyber review led by Melissa Hathaway, former Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, that underscored the need for linkage between the overall economic situation of our country and cyber security. Leaders on Capitol Hill are taking a fairly different approach to cyber security with the introduction of the new administration, resulting in a shift from a low level of government interest in cyber security to a much higher level, especially in light of recent breaches within the government.

Mr. Clinton stated that we have moved toward a recognition that not only are government systems at risk, but the entire economy that has been generated by technology is at risk as well. An integrated approach as recognized by the administration is necessary; however, a defined approach for implementation is lacking. In addition, there is concern that the C-Suite community does not currently reflect and/or acknowledge the real threats and their potential consequences facing their organizations, reflecting a communication gap between CIOs and the remaining C-Suite members.

Mr. Clinton noted the aggressive approach to cyber security being adopted by Congress. He shared ISA’s position that it may not be possible to establish one set of standards that are robust enough to deal with this ever-evolving problem of cyber security. In conclusion, he stated that we are trying to come up with our piece of the puzzle that can be coordinated with and/or integrated into public policy.

After his presentation, Mr. Clinton opened up the discussion to all participants for their input. The main points from the dialogue that ensued include:

Economic standpoint:

- Potential opportunity to draw attention to the economic gains that could be had by improving cyber security and developing a blueprint for helping the economy move forward by viewing cyber security as something that could create business growth vs. being a drain on their resources.

Standardization considerations:

- Our opportunity with the new administration is to push the message that we need standards; however, we do not need a single governmental determined and mandated standard, but rather such efforts should be driven by the private sector.
- Such standards should be robust and be able to grow as risks change.
- It is up to the industry to determine when to standardize.
- Consideration needs to be given to how to develop a system that keeps up with the technology and whether or not the tools are modernized.
- The industry standards process is slow.
- How current standards apply to an integrated system has not been identified.

Educational opportunities:

- There is a significant gap in ignorance in the “beltway” mentality and there are individuals involved in cybersecurity who are unaware of what a standard is. Education on defining standards vs. best practices, guidelines, etc. needs to take place.

The position taken in Phase I and Phase II is that we need to help the private sector understand the economic consequences of cyber risk and provide guidance to take practical action.

Session #2 – Framework Fundamentals

The main objective of this session was to facilitate a discussion on identifying critical elements that are integral to such a framework document, and that would need to be further investigated for the final Workshop deliverable.

Ty Sagalow, Chief Innovation Officer, Zurich North America, briefed participants on the objectives, scope, and final deliverable of the ISA/ANSI Phase I Cyber Risk project, The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask? setting the context for the discussion to follow related to the Phase II framework fundamentals.

Mr. Sagalow noted that the objective of the ISA/ANSI Phase II initiative will be to respond to the current Administration’s priorities as related to cyber risk in looking at these issues from an economic vs. technical view/context. Additionally, Phase II will be inclusive of the considerations necessary for the entire “C-Suite” expanding beyond just the CFO role. While Phase I focused on providing questions organizations/CFOs should be asking and providing guidance on the identification and quantification of the financial risk associated with cyber security, Phase II will focus on developing an implementation strategy/process for the Phase I questions. Additionally, this initiative will focus on filling out that framework to make better informed decisions related to cyber risk from an economic standpoint.

Additionally, consensus was reached that the final deliverable from this Workshop will be a publication mirroring the ISA/ANSI 2008 deliverable The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask? aimed at providing methodologies for the “C-Suite” to make better informed decisions related to cyber risk. In doing so, and in order for this product to provide added value, Phase II will seek to provide responses to the Phase I questions in the form of methodologies. Such responses must be scalable enough that they are applicable to different types of organizations. We can help achieve that goal by ensuring such methodologies and responses are implementable. In summary, the objective is two-fold: provide the analytical framework as well as suggest an appropriate course for implementation.

Following the summary of the Phase II objectives, a discussion ensued focusing on securing an outline for the final deliverable’s structure. It was agreed that this deliverable will open with an introduction and include six overall chapters corresponding to each critical organizational component identified in Phase I with the addition of human resources management. Each chapter will provide responses to the Phase I questions keeping it short, process-oriented, scalable, practical, and actionable, followed by relevant appendices.

A summary including the key elements as well as a summary of discussion points is as follows:

Introduction

It was agreed that an introduction will precede the six subject matter chapters providing an executive summary introducing the comprehensive unified approach outlined throughout the final deliverable. Additionally, it will state the objectives of the Phase II deliverable and serve the purpose of a “risk balance sheet”. As this initiative’s end goal is to encourage the C-suite community to integrate all of these various risks, the introduction will clearly identify this concept.

Chapter 1 - Chief Legal Counsel
Chapter 2 - Compliance Officer
Chapter 3 - Business Operations and Technology Teams
Chapter 4 - External Communications and Crisis Management Teams
Chapter 5 - Risk Manager for Corporate Insurance
Chapter 6 - Human Resources Management

Appendices

Mary Beth Allen, President, Allen Associates volunteered to lead the newly created task group. The group has been tasked with coordinating with all six task groups covering the aforementioned chapters to recommend appropriate appendices based on their individual content. Their focus will include identifying and providing actionable, value-added tools to round out the final deliverable.

Case Studies: In the process of establishing the Phase II final deliverable outline noted above, workshop participants examined the need for the inclusion of case studies in the appendices. While consensus was not reached at the time of this meeting as to whether case studies related to cyber breaches would add value and/or grab the attention of the deliverable’s intended audience, the C-suite community, it was agreed that the appendices task group would review the business case. In doing so, this task group will consider the following discussion points raised at this meeting:

- One of the biggest issues related to breaches includes money invested in hiding the fact that they occur. How can we obtain sufficient data for appropriate analysis?
- Anonymity to protect organizations’ reputations and address liability concerns
- Hypothetical case studies
- Use of case studies to spell out the economic opportunities related to cyber risk mitigation
- Substituting case studies with relevant statistics such as FBI data regularly quoted within the administration
- Effectively communicating the intended message to our target audience quickly through the use of numbers and facts that the C-suite can relate to
- Credibility is a huge problem in this arena. If the intended deliverable is credible and actionable and the case studies presented within are hypothetical, this may compromise the integrity of the intended use of such a tool.
- There is a lack of data in the public domain. Significant data exists related to cyber failures; however, there is a shortage of cases highlighting successes.

Session #3 – Path Forward

The main objectives of this final session were the following:

- Identify key tasks for creation of final deliverable (framework document) and confirm participation in necessary follow-on Workshop task groups.
- Review and modify timeline for completing work
- Timetable for task groups to complete initial work and set a date for next Workshop meetings (August 18th and September 29th)
- Identify additional stakeholders that should be invited to be part of this Workshop initiative

This session opened with an introduction of Task Group leaders who were identified prior to the Phase II Workshop I. All categories listed below were included in Phase I with the exception of Human Resources Management, a new addition identified as a need at the conclusion of Phase I. Task Group leaders are as follows:

- Task Group #1 - Chief Legal Counsel – Lon Berk, Partner, Hunton and Williams
- Task Group #2 - Compliance Officer – Arnold Felberbaum, Executive Vice President, SCO, Reed Elsevier
- Task Group #3 - Business Operations and Technology Teams – Michael Castagna, CISO, U.S. Department of Commerce
- Task Group #4 - External Communications and Crisis Management Teams – Rick Kam, President, ID Experts
- Task Group #5 - Risk Manager for Corporate Insurance – Harry Oellrich, Reinsurance Agent, Guy Carpenter
- Task Group #6 - Human Resources Management – Rebecca Webster, Director of Human Resources, Northrop Grumman
- Task Group #7 - Appendices – Mary Beth Allen, President, Allen Associates
- Red Team – Ed Stull, Direct Computer Resources, Inc.

Each Task Group leader delivered a brief presentation and/or remarks introducing the subject matter, providing a refresher on the ten questions published in the final deliverable of Phase I The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask?, and presenting a preliminary action plan for progressing the objectives identified for Phase II. Task Group leaders were tasked with preparing an outline for the content of their respective chapters for presentation at Phase II Workshop II. The complete list of Task Group Participants can be found in Attachment 2. Additional Workshop participants are welcomed and encouraged to join any of the task groups.

This session concluded with a discussion setting expectations for Task Group Leader roles and responsibilities, meeting planning and work in between Workshop meetings, and reporting back to the ISA/ANSI leadership. Additionally, participants agreed to the following timeline for the path forward for Phase II:

July 2009
- Convene kick-off Workshop meeting (July 31st)
- Reconvene/form appropriate task groups at meeting
- Determine additional participants/resources required
- Review schedule for remainder of project

August 2009
- Task groups meet via teleconference
- Second Workshop meeting (August 18th)

September 2009
- Continue work of task groups
- Produce first draft of final deliverable and circulate for review (review period September 1-20)
- Final Workshop meeting (September 29th)
- Review draft deliverable and comments received
- Identify outstanding issues that need resolution
- Circulate final draft deliverable

October 2009
- Address final comments
- Submit final draft deliverable to ANSI Communications (October 15th)

November 2009
- Publication ready for distribution (November 15th)

The Task Groups are tasked with reviewing the key questions provided in Phase I and developing appropriate responses aimed at providing methodologies for the C-suite to make better informed decisions related to cyber risk. Each chapter will include an introductory paragraph, followed by the key questions included in Phase I, followed by proposed responses from Phase II. Each task group is responsible for providing the definition of any key terms they use that are not commonly known. These will be included in an appendix to the report.

The group agreed to the date of August 18th for the next in-person meeting. Zurich agreed to host this meeting at the same location. At this meeting, task groups will present reports on their work for review and comment by the entire Workshop. It is envisioned that the final deliverable will be completed by November 15, 2009.

Adjournment

Larry Clinton, President, Internet Security Alliance (ISA), thanked Zurich again for providing meeting space and Robinson Lerer & Montgomery for their generous sponsorship by providing refreshments. Additionally, Mr. Clinton noted that he looked forward to Task Group progress reports at the next meeting of Phase II Workshop II.

Prior to adjourning the meeting, Mr. Sagalow thanked the participants for their active participation and commitment to the second phase of the ISA/ANSI Cyber Risk initiative. He reminded participants that Phase II Workshop II will take place on Tuesday, August 18th, also at Zurich in New York City.

Sponsorship

ANSI and ISA would like to thank RLM for sponsoring this workshop.

Attachment 1

| Organization | First Name | Last Name |
|---|---|---|
| Proofspace | Regan | Adams |
| Carnegie Mellon University | Julia | Allen |
| Allen Associates | Mary Beth | Allen |
| ID Experts | Christine | Arevalo |
| NIST - U.S. Department of Commerce | Dan | Benigni |
| Hunton & Williams | Lon | Berk |
| Zurich | Richard | Billson |
| U.S. Cyber Consequences Unit | Scott | Borg |
| Direct Computer Resources, Inc. | Joe | Buonomo |
| U.S. Department of Justice | Martin | Burkhouse |
| University of California, Berkeley | Aaron | Burstein |
| Chartis | Nancy | Callahan |
| American National Standards Institute (ANSI) | Jessica | Carl |
| U.S. Department of Commerce | Michael | Castagna |
| Jones Day | Gwendolynne | Chen |
| Internet Security Alliance (ISA) | Larry | Clinton |
| Catalyst Partners LLC | Rich | Cooper |
| U.S. Chamber of Commerce | Matthew | Eggers |
| QUALCOMM Inc. | Mark | Epstein |
| Reed Elsevier | Arnold | Felberbaum |
| Ferris & Associates, Inc. | John | Ferris |
| University of Maryland | Momodu | Fofana |
| New World Technology Partners | Robert | Gardner |
| Robinson Lerer & Montgomery | Anne | Granfield |
| Robinson Lerer & Montgomery | Michael | Gross |
| American National Standards Institute (ANSI) | Karen | Hughes |
| Phillips Nizer LLP | Thomas | Jackson |
| American National Standards Institute (ANSI) | Peggy | Jensen |
| ID Experts | Rick | Kam |
| Northrop Grumman | Mark | Leary |
| American National Standards Institute (ANSI) | Brian | Meincke |
| U.S. Securities and Exchange Commission | Ralph | Mosios |
| Allied World Assurance Company | Michael | Murphy |
| Guy Carpenter & Company, LLC | Harry | Oellrich |
| Zurich | Ty | Sagalow |
| Salare Security LLC | Paul | Sand |
| American National Standards Institute (ANSI) | Fran | Schrotter |
| Financial Services Technology Consortium | Dan | Schutzer |
| Direct Computer Resources, Inc. | Ed | Stull |
| | Russell | Thomas |
| Direct Computer Resources, Inc. | Bill | Vitiello |
| Society for Human Resource Management | Lee | Webster |
| Northrop Grumman | Rebecca | Webster |
| Independent Consultant | James | Wendorf |
| CNA Insurance | John | Wurzler |

Attachment 2

Task Group 1 - Chief Legal Counsel

| First Name | Last Name | Organization |
|---|---|---|
| Richard | Billson | Zurich |
| Aaron | Burstein | UC Berkeley |
| Thomas | Jackson | Phillips Nizer LLP |
| Lon | Berk* | Hunton & Williams |
| Mary Beth | Allen | Allen Associates |
| Martin | Burkhouse | U.S. Department of Justice |
| Karen | Hughes | ANSI |

Task Group 2 - Compliance Officer

| First Name | Last Name | Organization |
|---|---|---|
| Ralph | Mosios | SEC |
| Arnold | Felberbaum* | Reed Elsevier |
| Mary Beth | Allen | Allen Associates |
| Martin | Burkhouse | U.S. Department of Justice |
| Dan | Benigni | NIST |
| Mark | Leary | Northrop Grumman |
| Karen | Hughes | ANSI |

Task Group 3 - Business Operations and Technology

| First Name | Last Name | Organization |
|---|---|---|
| John (Marty) | Ferris | Ferris & Associates |
| Paul | Sand | Salare Security |
| Dan | Schutzer | FSTC |
| Michael | Castagna* | US Department of Commerce |
| Julia | Allen | Carnegie Mellon University |
| John | Wurzler | CNA Insurance |
| Mary Beth | Allen | Allen Associates |
| Martin | Burkhouse | U.S. Department of Justice |
| Karen | Hughes | ANSI |

Task Group 4 - External Communications

| First Name | Last Name | Organization |
|---|---|---|
| Nancy | Callahan | Chartis |
| Rick | Kam* | ID Experts |
| Christine | Arevalo | ID Experts |
| Anne | Granfield | RLM |
| Michael | Gross | RLM |
| Rich | Cooper | Catalyst Partners |
| John | Wurzler | CNA Insurance |
| Mary Beth | Allen | Allen Associates |
| Martin | Burkhouse | U.S. Department of Justice |
| Karen | Hughes | ANSI |

Task Group 5 - Risk Manager for Corporate Insurance

| First Name | Last Name | Organization |
|---|---|---|
| Harrison | Oellrich* | Guy Carpenter |
| John | Ercolani | Herbert L. Jamison |
| Michael | Murphy | Darwin National Assurance |
| Nancy | Callahan | Chartis |
| Brad | Gow | Zurich |
| Mary Beth | Allen | Allen Associates |
| Martin | Burkhouse | U.S. Department of Justice |
| Karen | Hughes | ANSI |

Task Group 6 - Human Resources

| First Name | Last Name | Organization |
|---|---|---|
| Lee | Webster* | Society for HR Management |
| Rebecca | Webster* | Northrop Grumman |
| Mary Beth | Allen | Allen Associates |
| Martin | Burkhouse | U.S. Department of Justice |
| Karen | Hughes | ANSI |

Appendices

| First Name | Last Name | Organization |
|---|---|---|
| Mary Beth | Allen* | Allen Associates |
| Martin | Burkhouse | U.S. Department of Justice |
| Scott | Borg | U.S. Cyber Consequences Unit |
| Russell | Thomas | |
| Karen | Hughes | ANSI |

* Indicates task group leader