On Wednesday 29th of May, we hosted Cyber Resiliency and Risk Management. This event, presented by Patron Member NCC Group and sponsored by Squire Patton Boggs and Fusion Risk Management, saw an expert panel discuss the steps to be taken before, during and after an unplanned event to ensure an organization is resilient and can return to normal while minimizing disruption to the business.
The evening kicked off with an hour of networking, with drinks and appetizers in the setting of BABC Corporate Member J.P.Morgan’s San Francisco Financial District office, that allowed for a relaxed networking environment prior to an impressive conference setting for the panel discussion next door.
Penfolds joined us for a second panel discussion event and treated our guests to the exclusive experience of tasting world-renowned wine from the Penfolds brand.
Before the panel discussion, Maggie O’Sullivan, Industry Executive of the Greater West and California of J.P.Morgan, welcomed the audience and introduced them to J.P.Morgan before passing over to Charlotte Rawa, VIP Services Manager of Penfolds. After a brief introduction to Penfolds, Charlotte drew the business card of Ray Bonilla, who took home a bottle of Bin 389! Without further ado it was time for the much-anticipated panel discussion.
Bryan Solari, Director of Enterprise Accounts at NCC Group, moderated a panel of Kevin Dunn, SVP of Technical Security Consultancy at NCC Group; Rich Cooper, Director of Global Accounts; Philip Zender, Partner at Squire Patton Boggs; and Doug Levy, who took a PR stance and has had more than 15 years’ experience in the prevention of, response to and remediation of data and privacy breaches.
The discussion covered the various sectors that should be not only aware of cyber resiliency and risk management, but also involved in it. Bryan told the audience that the topic would be explored in terms of preparing for a cyber event, dealing with one that is happening, and what to do once it has happened, with each panelist providing insights based on their area of expertise. The panel then engaged in a Q&A with the audience.
To kick the discussion off, Bryan asked the panel to introduce themselves and the organizations they work for, before asking each speaker to explain the topic of cyber resilience and risk management as it pertains to their area of expertise.
Interestingly, having representatives from the various sectors reinforced the shared understanding and message that all areas of an organization should be involved when it comes to cyber resiliency and risk management. This took much of the focus, with the periods before and during a cyber breach making up the body of the discussion.
Bryan asked the panel what a company should do to prepare for a future cyber-attack, and how this can be split between proactive and reactive preparedness. Doug noted that the companies that are clumsy are those that display a lack of awareness at leadership level, reinforcing the importance of all areas being involved.
Rich Cooper identified the trends within the industry, recognizing that in a cyber event the approach taken was one of recovery, then continuity. However, he said, we have now moved into operational resilience, and there is a greater focus on understanding vulnerabilities within an organization. Philip Zender reinforced this, saying that the topic of Cyber Resilience and Risk Management is a ‘team sport’.
Kevin Dunn added valuable insight from his area of expertise, which exposes companies from a safety point of view, and stated that there needs to be a proactive approach. He said that companies need to know where their most important data is and that he would much rather have an incident where the impact is minimized, reinforcing that “security is hard and security takes time and effort”.
Bryan highlighted that in a cyber breach or any other major event, there are many moving parts. He asked the panel what advice they would give on how a company can manage this. Naturally, all eyes were directed to Philip Zender and there was an overarching agreement that a lawyer was a first port of call.
Kevin Dunn noted that his company, NCC Group, is regularly approached during a cyber breach incident, and that its first question, before giving any advice of its own, is whether the company has sought legal advice. Doug reinforced the earlier message that everyone needs to be in the same room at the same time to address a cyber breach, and that it should be treated like a physical incident.
Rich highlighted that there is a lot of finger pointing during a cyber breach and recognized that a lot of organizations are outsourcing, but said that just because you are outsourcing your business does not mean you should be outsourcing your risk. He concluded by reinforcing that a cyber breach is not a technology problem but a business problem. Doug stated that 15 percent of breaches are paper and cautioned the audience that this should not be forgotten.
Doug’s comment made a natural segue into Bryan asking the panel what happens after a firm experiences a security event or a breach. Philip noted the logistical problem that comes with a data breach regarding the laws and regulations where the breach has taken place. He further explained the complexity regarding state and federal laws, reinforcing that there is no “quick fix” when addressing a cyber breach.
Doug referred back to Marriott’s most recent cyber breach and noted that although it was a major breach, they have owned it. Rich reinforced from his field that if written plans are not incorporated into the evolution of the larger company, breaches will happen, and that the focus should be on the orchestration with the various sectors.
The overarching theme and takeaway was exactly that: all areas of an organization should be part of the awareness and understanding of, and dealing with, the timeline of any cyber event that may take place.
The audience then sought to take advantage of access to the experts on the panel, as Bryan asked for questions from the floor. Topics included the recent Baltimore ransomware attack; the future outlook for organizations balancing investment in technology versus phishing training, and consequential machine learning capabilities for eliminating this training; and data security and privacy from a consumer viewpoint.
With that, the discussion was concluded, and Bryan thanked the panelists and audience for coming, bringing the evening to a close. Many of the audience members then took the opportunity to speak more directly to the panelists about their own questions.
Thanks as always go to our sponsors NCC Group, Squire Patton Boggs and Fusion Risk Management, to our excellent panel for their insight, to J.P.Morgan for hosting us and providing delicious food, Penfolds for giving our audience a tasting of their wine, and of course to our guests.