The FAIR Institute Blog

FAIR Institute 2024 Europe Summit: AI, DORA, NIS2, 3rd Party and More

Written by Jeff B. Copeland | Mar 15, 2024 12:56:54 PM

The FAIR Institute’s 2024 Europe Summit gathered a highly engaged crowd of 100 business and cyber leaders in Paris on March 13 to learn about the latest techniques in quantitative cyber risk management, the tightening regulatory requirements for cyber in the EU, the threats and opportunities of GenAI and more top-of-mind issues.

Here are a few of the many highlights – but come back to the FAIR Institute website Resources page where we will soon post videos of the sessions.

Welcome Address: Managing Cyber Risk in a Time of New Incident Disclosure Rules - Nick Sanna, President, FAIR Institute

Nick laid out the urgent problem of cyber risk management: “Economics for the attackers got better and economics for the defenders got worse. The reason we are here is we’ve got to change that economics…

“This conference will address what it takes to address cyber risk as business risk…this community will help bridge the gap between the business and cyber in ways it has never been done before.”

Favorable signs for the FAIR community, Nick noted:

>>Boards are taking notice of cyber risk and senior management increasingly demands that the cyber risk team speaks in business terms and acts at the speed of business.

>>New regulations from the US Securities & Exchange Commission (SEC) and, in Europe, NIS2 and DORA compel more rigorous, quantitative assessments of cyber risk.

The FAIR Institute is responding with new initiatives on controls analytics, material risk assessment, artificial intelligence, third party risk and cyber insurance and more research targets in what Nick called “the most significant transformation” of the group since he founded it in 2016.

Panel: The Significance of the NIS2 Directive and of the Digital Operational Resilience Act (DORA)

DORA applies only to resilience in the EU financial services sector. NIS2 applies more broadly across all sectors of the economy that provide critical infrastructure. Each will challenge companies to reconcile business and technical imperatives (an opportunity for FAIR analysis). Discussion leader Anne Leslie of IBM said that “we really do need cross functional teams and multidisciplinary skill sets because no single domain has all the answers on these topics.”

Panelists:

Anne Leslie, Cloud Risk & Controls Leader EMEA, Financial Services, IBM

Iva Tasheva, Co-founder & Cybersecurity Lead, CYEN; Working Group Member, ENISA

Cathie-Rosalie Joly, Partner, Bird & Bird Law Firm

Martina Dvar, Advisor, European Central Bank

Panel: GenAI Related Risk and Opportunities

The Summit heard from Jacqueline Lebo, author of the FAIR Institute’s playbook for risk analysis for AI scenarios, who explained the five steps from setting the purpose of a risk analysis to implementing a decision on addressing risks of AI as a productivity tool or a vector for threat actors.

Panelists:

Moderator: Pankaj Goyal, Director of Standards and Research, FAIR Institute

Gérôme Billois, Partner, Wavestone

Sabine Marcellin, IT Lawyer, Oxygen+

Jacqueline Lebo, Risk Advisory Manager in Security Services, Safe Security

Keynote: The Future of the Cyber Risk Management Profession - Jack Jones, Chairman, FAIR Institute

Jack gave a sweeping look at the state of the profession, arguing that it must move on from a reactive to a proactive posture and address the root causes of cyber risk. Jack warned that “the ability to apply AI broadly and effectively in cyber risk management is going to be limited by the profession’s immaturity” and he invited the audience to “commit to being part of the solution.”

Panel: Meeting Regulatory Compliance - How to Think About Materiality with FAIR™

US and EU regulators have stepped up demands for swift reporting of cyber incidents of material impact – but what’s material? This session introduced the new FAIR Materiality Assessment Model (FAIR-MAM) that enables organizations to compile accurate loss magnitude data in a framework that’s ready to disclose to regulators if needed.

Panelists:

Pankaj Goyal, Director of Standards and Research, FAIR Institute

Mouhamad el Houssaini, Risk Director, ADP

CxO Panel: Managing Cyber Risk in a Time of New Incident Disclosure Rules

Moderator: Thiébaut Meyer, Director, Office of CISO, Google Cloud

Benoit Fuzeau, CISO, CASDEN; President, CLUSIF

Aljona Reiser, Head of Cyber Business Risk, Commerzbank AG

Ariane Chapelle, Partner, BDO Chapelle

Panel: Optimizing Cyber Insurance with Risk Quantification

Christopher Khadan, CCO, Safe Security

Leopold Larios, Dir. of Cyber Insurance Offering, Descartes

Andreas Schmitt, Global Cyber Underwriting, Zurich

Thierry Zucchi, Head of Cyber Activity, Relyens

Patrick Montagner, Dep. Sec. Gen, ACPR

Panel: Re-thinking Third Party Risk Management

Meena Martin, VP Cyber Risk and Assurance, GSK

Panel: Case Study Panorama

Moderator: Tom Callaghan, Co-Founder, C-Risk

Pierre Olodo, Senior Lead Cyber Risk, Richemont

Anne Lupfer, Deputy CSO, Econocom

Panel: Case Study Panorama

Moderator: Greg Spicer, Co-Founder & CRO, Ostrich Cyber-Risk

Rob Moore, VP, Technology Risk, Mastercard

David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, Fresenius Group 

Panel: Effectively Assessing Controls with FAIR

Moderator: Tom Callaghan, Co-Founder, C-Risk

Frédéric Bouveresse, IS&T Cyber Risks Governance Specialist, Alstom

Francesco Chiarini, Global Head - Technology Resilience, Sandoz
