RISCS Community Meeting April 2019

At the last RISCS Community Meeting, we discussed ‘Economics and Incentives’ in cyber security. To follow on from that event we would like to explore two interlocking themes: ‘Cyber liability’ and ‘Cyber insurance’. Our aim is to combine the outputs of these two events to explore the research questions that remain unanswered. Cyber insurance is not new, and we have arguably not yet seen the kind of behaviour change that other types of insurance have initiated. Understanding why that is, how the insurance sector could optimally evolve and what it needs to do to become a change agent in cyber security, is at the heart of this meeting’s agenda. Chains of legal and financial liability are subject to increasing attention and discussion. Chains of risk ownership remain even less clear for cyber and are often hampered by a gulf of understanding between technical experts and business leaders. What is the current state of play and does cyber insurance offer an opportunity to align complex layers of nested liability with financial and legal chains of accountability?

DAY ONE

09:30 – 10:00 Registration (please join us for tea & coffee)
10:00 – 10:15 Welcome & announcements, Dr Madeline Carr, Director of RISCS
10:15 – 10:30 Recap on previous event’s theme of ‘Incentives in Cyber Security’, Helen L, Technical Director, Sociotechnical Security Group, NCSC
10:30 – 10:50 What is cyber liability? What forms does it take? Mark Bannon, Head of Cyber Liability EMEA, Zurich Insurance Plc
10:50 – 11:15 How does liability currently work in the software industry? Prof Awais Rashid, University of Bristol
11:15 – 11:30 COFFEE
11:30 – 12:15 The future of liability: how might cyber insurance respond to the proliferation of
interconnected technologies? Dr Leonie Tanczer and Dr Ine Steenmans, UCL STEaPP
12:15 – 13:00 Defining “units of pain”: finding simple and relatable indicators of business disruption
across a sector, Kathy Lanceley, Head of ICT Operations & Deputy CIO, Imperial College Healthcare NHS Trust
13:00 – 14:00 LUNCH
14:00 – 15:45 Scenario-based workshop on chains of liability (financial, legal and information risk)
Dr Ine Steenmans and Dr Feja Lesniewska, UCL STEaPP
15:45 – 16:00 Closing comments
16:00 – 18:00 Drinks reception

DAY TWO

09:30 – 10:00 Registration (please join us for tea & coffee)
10:00 – 10:45 What can we learn from US regulatory filings about pricing? Daniel Woods, University of Oxford
10:45 – 11:15 Cyber insurance for small and medium-sized enterprises, Hiscox Insurance
11:15 – 11:45 COFFEE
11:45 – 12:30 The challenges of attribution: bringing the right blend of expertise to bear on the problem, a member of GCHQ’s Cyber Threat Assessments Team
12:30 – 13:15 Behaviour change interventions around cyber insurance, Prof Pam Briggs, Dept of Psychology, Northumbria University
13:15 – 14:15 LUNCH
14:15 – 15:45 Interactive workshop: What are the big research questions?
15:45 – 16:00 Closing comments