Cyber risk continues to grow as technology innovation increases and societal dependence oninformation technology expands. A new and important turning point has been reached in thestruggle to manage this complex risk. In the war between cyber attackers and cyber defenders,we have reached what Winston Churchill might call “the end of the beginning.” Three characteristics mark this phase shift. First, global cybercrime has reached such a high level of sophistication that it represents a mature global business sector – illicit to be sure, but one which is continually innovating and getting more efcient. In 2017 we haveexperienced the widespread use of nation state-caliber attack methods by criminal actors.Powerful self-propagating malware designed to destroy data, hardware and physical systemshave caused major business disruption to companies worldwide with an enormous fnancialprice. The number of ransomware attacks has also spiked signifcantly. More attack incidents haveimpact extending beyond the initial victims with broad systemic ripple efects.Second, business and economic sectors have high and growing levels of dependency on ITsystems, applications and enabling software. Growth in connectivity between digital and physicalworlds, and the acceleration in commercial deployment of innovative technologies likeInternet of Things (IOT) and Artifcial Intelligence (AI) will expand potential avenues forcyberattack and increase risk aggregation efects. These changes will make the next phase ofcyber defense even more challenging.The third shift is the rising importance of coordination among institutions – governments,regulatory authorities, law enforcement agencies, the legal and audit professions, thenon-government policy community, the insurance industry, and others – as a critical counterto the global cyber threat. Cyber risk defense can only be efective if these groups share acommon understanding of the changing nature of the threat, their importance and increasedinterconnected nature. Working individually and in concert, these groups can increase ourcollective cyber resilience. We are beginning to see expectations converge in areas such asincreased transparency, higher penalties for failure to maintain a standard of due care in cyberdefense, improved incident response, and an emphasis on risk management practices overcompliance checklists. It will be vital for this trend to continue in the next phase. Against this backdrop, the 2018 edition of theMMC Cyber handbookprovides perspectiveon the shifting cyber threat environment, emerging global regulatory concepts, and bestpractices in the journey to cyber resiliency. It features articles from business leaders acrossMarsh&McLennan Companies as well as experts from Microsoft, Symantec, FireEye and Cyence.We hope the handbook provides insight which will help you understand what it takes to achievecyber resiliency in the face of this signifcant and persistent threat.John Drzik President, Global Risk and DigitalMarsh & McLennan Companies FOREWORDC O N T E N T S Threat Trends on Major Attacks in 2017 p. 5 Industries Impacted By Cyberattacks p. 6 Evolution of Cyber Risks: QuantifyingSystemic Exposures George Ng and Philip Rosace p. 7 The Dramatically Changing Cyber ThreatLandscape in Europe FireEye | Marsh & McLennan Companies p. 10 Asia Pacifc – A Prime Target for Cybercrime Wolfram Hedrich, Gerald Wong, and Jaclyn Yeo p. 15 The Equifax Breach And its Impact onIdentity Verifcation Paul Mee and Chris DeBrusk p. 21 Lessons from WannaCrypt and NotPetya Tom Burt p. 24 The Mirai DDoS Attack Impacts the Insurance Industry Pascal Millaire p. 27 Time For Transportation and Logistics To Up Its CybersecurityClaus Herbolzheimer and Max-Alexander Borreck p. 30 Are Manufacturing Facilities as Secureas Nuclear Power Plants Claus Herbolzheimer and Richard Hell p. 33 WAKE UP TO THE SHIFTINGCYBER THREAT LANDSCAPE Percentage of Respondents at Each Level ofGDPR Compliance p. 35 The Growing Waves of Cyber Regulation Paul Mee and James Morgan p. 36 Regulating Cybersecurity in the New YorkFinancial Services Sector Aaron Kleiner p. 40 The Regulatory Environment in Europe is Aboutto Change, and Profoundly FireEye | Marsh & McLennan Companies p. 43 Cybersecurity and the EU General DataProtection Regulation Peter Beshar p. 46 Cyberattacks and Legislation:A Tightrope Walk Jaclyn Yeo p. 49 Cyber Preparedness Across Industries and Regions p. 53 Deploying a Cyber Strategy – Five Moves Beyond Regulatory Compliance Paul Mee and James Morgan p. 54 Quantifying Cyber Business Interruption Risk Peter Beshar p. 60 Cybersecurity: The HR Imperative Katherine Jones and Karen Shellenback p. 61 Limiting Cyberattacks with a System Wide Safe Mode Claus Herbolzheimer p. 63 Recognizing the Role of Insurance Wolfram Hedrich, Gerald Wong, and Jaclyn Yeo p. 65 PREPARE FOR EMERGINGREGULATIONS CYBER RESILIENCYBEST PRACTICES 。。。。。。