Cyber Security Risk Governance Workshop

29 - 30 Oct 2015

Organised by IRGC International Risk Governance Council, hosted by Swiss Re Centre for Global Dialogue
Location: Rüschlikon/Zurich, Switzerland

About the event

Companies are increasingly concerned by threats to data confidentiality, integrity and availability. Breaches seem to be more frequent and more severe. When data is compromised and critical infrastructure and services are impacted, the cost to companies and damage to trust and reputation can be huge. Most companies use pragmatic solutions to address the modus operandi of cyber-attacks. But much uncertainty remains about whether such solutions are able to address threats before they cause too much damage, whether the quantitative estimate of the potential impact (i.e. the risk) is accurate, and whether investments in the protection of important assets are appropriate.

Chief Risk Officers and Chief Information Security Officers from industry met to discuss with peers, as well as with experts, from academia in information security, computer network design, and risk analysis.

Participation by invitation only.



Thursday 29 October



  • Marie-Valentine Florin, Managing Director, International Risk Governance Council

  • Claus Herbolzheimer, Partner, Oliver Wyman

  • Eric Schuh, Managing Director, Head Casualty Centre Reinsurance, Swiss Re

  • Elisabeth Paté-Cornell, Professor, Stanford University
    Adversarial risk analysis: from counter-terrorism to cyber security risk assessment


Session 1: The evolving threat landscape and detection

  • The cyber threat landscape is changing: new types of attacks and systemic vulnerabilities could become more problematic and better strategic anticipation is needed. Early detection is key to preventing the spread of damage.

  • Speakers:
    -Arvind Parthasarathi, CEO, Cyence
    Understanding the new risk landscape and its associated detection / assessment
    -Thomas Haeberlen, Senior Advisor, German Federal Office for Information Security (BSI)
    -Andreas Suberg, Group Operations and Technology Risk Management, Zurich Insurance
    The evolving threat landscape; accelerating threat detection
    -Eirean Leverett, Senior Risk Researcher, University of Cambridge
    We profit off your failure

  • Discussion topics:
    -How is the landscape going to develop? What does that mean for the different cyber risks that we know today? What new risks might be generated?
    -What are the current and possible practices and strategies for anticipating and identifying cyber-attacks more swiftly?




Friday 30 October


Session 2: Counteracting threats

  • Current cyber security approaches and solutions are likely to fall short. Industry is turning to pragmatic approaches, while academics are developing methods that could be implemented in the medium term to strengthen security in IT systems. But these new approaches might involve a complete transformation of such systems. Discussion topics

  • Speakers:
    -Daniele Tonella, CEO, AXA Technology Services
    Securing business in an interconnected world
    -Adrian Perrig, Professor, Director Network Security Group, ETH Zurich
    Dealing with the adversarial nature of cyber risk and preventing cyber attacks
    -James Larus, Professor and Dean, School of Computer and Communication Sciences, EPFL

  • Discussion topics:
    -How might approaches to accelerate the response to breaches, including with automatic techniques, be taken forward? How can we better arbitrate trade-offs between information security and business performance?
    -How could this link to better and evidence-based collaboration between industry, security companies and academics?


Session 3: Dealing with the remaining risk

  • Chief Risk Officers can build on Chief Information Security Officers' work by using risk-based approaches to assess the potential impact and damage, thereby optimizing investment. This includes evaluating the overall cyber-risk landscape for their company, from external and internal attacks, and from inherent systemic risk, as well as the need to identify which critical assets have to be protected. 

  • Speakers:
    Marshall Kuypers, PhD candidate, Decision and Risk Analysis, Stanford University
    Quantifying risks in cyber systems
    Raj Bector, Partner, Oliver Wyman
    Eric Durand, Director Swiss Re Group Underwriting, lead Cyber Center of Competence
    Cyber accumulation risk, a quantitative approach

  • Discussion topics:
    -How can we more accurately quantify potential impacts and evaluate overall threat to companies?
    -How can this be used for preparing decisions about risk prioritization and security investments?
    -How can we better address the trade-offs and challenges of allocating resources and making investments in cyber security and in resilience, including evaluating what is value for money?




Session 4: Governing cyber security risks

  • Speeding up response to cyber-attacks and better evaluating potential impacts should result in loss reduction and thereby enhance stakeholder confidence. This must be accompanied with adequate corporate governance.

  • Speakers:
    -Jeremy Ward, Global Security Consulting Offering Manager, HP Enterprise Security Services
    Improving internal communicating about cyber risk
    -Laura Georg, Head of Norwegian Information Security Laboratory, Høgskolen i Gjøvik
    Legal challenges to supervisory boards: overcoming conflicts of interests in cyber security governance
    -Richard Knowlton, CEO, Internet Security Alliance for Europe
    Private and public models for regulating the cyber environment

  • Discussion topics:
    -What changes are needed with regard to corporate governance?
    -What is the role of standards and certification? Pros and cons.
    -What is or can be the role of compulsory incident reporting schemes?


Closing remarks






11 Nov





Get together



12 Nov





Moderator of the day

Eric Durand


Intro & welcome

Short speech



Part 1:

Hazard in the US: Scientific findings of solar / geomagnetic storms

30 - 40 Minutes presentation followed by discussion







Part 2:

Vulnerability of EPPs:

Technology and resistance of EPPs

30 Minutes presentation followed by Q&A

Dr. Turhan Hilmi Demiray tbc,  ETH Zürich, Forschungsstelle Energienetze






Part 3:

US Exposure assessment

30 Minutes presentation à input for scenario workshop

Aurel Schwerzmann, Swiss Re


Workshop: Scenario analyses & impact on insured risks

Two – three groups discussion potential scenarios from two-three different perspectives

Moderators: Experts


Feedback session

10 minutes each group

Moderator Eric Durand






Part 4:

Legal: Terms & conditions of insurance coverage

30 minutes presentation followed by Q&A

Peter Bütikofer, Swiss Re

Beat Kramer, Swiss Re





General information


Cyber Security Risk Governance Workshop


29 - 30 October 2015


Swiss Re Centre for Global Dialogue
Gheistrasse 37
8803 Rüschlikon
Telephone +41 43 285 8100

Conference language



Participation by invitation.

Conference organisation

International Risk Governance Council (IRGC)
Case Postale 99
1015 Lausanne - Switzerland
Phone +41 21 693 8290
Fax +41 21 693 8295