Cybersecurity Risk Management For Finance and Risk Executives 

November 27 – 29, 2018 – Toronto

Cybersecurity Risk Management for Finance and Risk Executives will provide tools to effectively identify the full scope of your risk exposure, methods to make practical assessments of these exposures and how to implement best practices to prevent attacks and respond to them when they occur.

Almost every organization has far more questions than actionable answers.  Take advantage of this opportunity to obtain the most up-to-date information available from leading authorities.  As well, come with your key questions in hand to present to the experts to advance your own agenda and gain valuable insights.

Cybersecurity Risk Management for Finance and Risk Executives leads you through the essential elements required to manage and mitigate the operational impact of these looming, and seemingly inevitable, risks including:

  • IT/Cybersecurity Risks In The Enterprise Risk Management Plan
  • Identifying Sources of IT Risk and Tactics to Manage/Reduce Risk
  • Cybersecurity and Risk Mitigation – Threat Landscape and Best Practices
  • Quantifying Cyber Risk in Economic Terms
  • Cybersecurity/Information Risk Appetite – Defining Security Objectives
  • Third Party Risk Management – IT and Cybersecurity
  • Conducting a Risk Assessment Using the FAIR Methodology
  • High Definition Threat Detection Including Analytics and AI
  • Case Study: Examining a Breach and Recovery – What a Recovery Plan Looks Like
  • Personal Data Management and Protection
  • Cybersecurity Insurance 101 – Ins and Outs of Risk Mitigation
  • Current Cybersecurity Legal Risks and Requirements

In addition to the comprehensive two-day conference, this event also offers a full-day optional workshop that focuses on presenting the fundamentals of the technology issues and how to build a risk framework specific to cybersecurity risks. This in-depth workshop will be a valuable tool in tackling your cybersecurity challenges including all the key issues you must address and anticipate.

Registration Fees

                            October 9,        October 23,       October 23, 2018
Conference only             $2,099.00 + HST   $2,199.00 + HST   $2,299.00 +
Both Conference & Workshop  $3,099.00 + HST   $3,199 + HST      $3,299.00 +
Workshop only               $999.00 + HST     $1,049.00 + HST   $1,099.00 + HST

Our HST Number: R862562543

Group Discount: Fourth Delegate FREE!

If three individuals from one organization register at the same time, a fourth person may also be registered to attend free of charge. The free registration must be of equal or lesser value than the paid registrations. Please contact us to arrange for attendance of larger groups.

Your Registration Includes

Registration fees include all conference materials, continental breakfast, lunch and refreshments. Parking and accommodation are not included.


As a registered delegate, you will receive a complete set of conference materials. These materials will serve as an invaluable guide, both during and after the event. The workbook will be distributed on the morning of the first day beginning at 8:00 a.m.

Cancellation Policy

Substitutions may be made at any time. If you are unable to attend, please make cancellations in writing and fax to (416) 504-6978 prior to 5:00 p.m. on November 13, 2018. A credit voucher will be issued to you for the full amount, redeemable against any other Acumen conference. If you prefer, you may request a refund of fees paid less a $250 administration fee. Registrants who cancel after the above date will not be eligible to receive any credits or refunds and are liable for the entire registration fees.

Confirmed delegates who do not cancel before November 13, 2018, and fail to attend will be liable for the entire registration fees.

Acumen Information Services reserves the right to change the date, location and content for the event(s) offered herein without further notice and assumes no liability for such changes.

Early Bird Registration Discount

Register prior to October 23, 2018 and you will obtain the following additional savings:

Second delegate: $100 Discount
Third delegate: $150 Discount
Fourth delegate: FREE

Please indicate that you are eligible for this offer on the registration page or your registration form if you are mailing in your registration.

Location – Accommodation

The conference will be held at:

Hyatt Regency Hotel
370 King Street West
Toronto, Ontario
M5V 1J9

Tel: 416-343-1234

Delegates can register at the Acumen service desk beginning at 8:00 a.m. on the morning of the first day of the conference. Registration fees do not include hotel accommodation.

Program - November 27

9:00 a.m. –  9:05 a.m.
Opening Remarks from the Chair

Elizabeth Alves, Vice President Internal Audit and Risk Management, Cogeco Inc.

9:05 a.m. – 10:00 a.m.
IT/Cybersecurity Risks In The Enterprise Risk Management Plan

Mario Mosse, President, MMosse Consulting LLC

  • An overview of new & emerging cybersecurity risks
  • Understanding IT risks in your organization – sources, business impact
    • identifying external threats
    • internal sources of risk - personnel, contractors, third party vendors
  • Implications of IT/cybersecurity risks - financial, reputational, regulatory
  • Breaking down silos – integrating IT/IT risk management with broader organization
  • How Boards are reacting to security breaches and IT risks – concerns and expectations
  • IT risk management’s missing link – connecting IT frameworks (COBIT, ISACA) to the broader enterprise risk management framework to achieve corporate goals
  • Quantifying IT risk management expenses and the cost of losses from hacks/theft – tackling the security budgeting challenge
  • Creating your IT risk dashboard including key risk indicators (KRIs) and key performance indicators (KPIs)
  • Practical examples and insights from working experiences

10:00 a.m. – 11:00 a.m.
Cybersecurity and Risk Mitigation – Threat Landscape and Best Practices

Marcus Troiano, Principal Consultant, Strategic Cybersecurity Services, Mandiant – A FireEye Company

  • Overview of today’s cybersecurity threat landscape
    • who are the attackers?
    • what are their objectives?
    • understanding their targets and why they were chosen
    • effects of attacks on business organizations
    • insights on attacks the media do not cover
  • Examples of attacks and what was learned from them
  • What role have “insiders” played in cybersecurity attacks?
  • Attacks resulting in physical damage to IT infrastructure/loss of assets
  • Establishing defences and mitigation tools to counter an unseen, dynamic threat
  • Examination of best practices and leading mitigation tools and techniques

11:00 a.m. – 11:15 a.m. – Morning Networking Break

11:15 a.m. – 12:15 p.m.
Quantifying Cyber Risk in Economic Terms

Jack Jones, Co-Founder and E.V.P. Research and Development, Risk Lens

  • Why common risk measurement methods fail, and why it matters
  • Common misperceptions regarding cyber risk quantification, and why they’re wrong
  • The hard part of risk quantification (and it isn’t data)
  • Laying a foundation for solid cyber risk measurement in your organization

12:15 p.m. – 1:15 p.m.  –  Luncheon

1:15 p.m. – 2:15 p.m.
Cybersecurity/Information Risk Appetite – Defining Your Security Objectives

Katherine MacPherson, National Leader, Operational Risk, Ernst & Young LLP
Thomas Davies, Associate Partner, Cybersecurity, Ernst & Young LLP

  • Why information security policies are not enough
  • How is a cyber risk appetite statement different from other risk appetite formulations?
  • Direct linkage to overall organization risk appetite
  • Articulation of risk thresholds
  • Difference between risk appetite and risk tolerance
  • Methods for expressing risk appetite
  • Frequently used methods in practice
  • Level of clarity and specificity required to measure and compare risks
  • Ensuring common understanding of objectives and risks across silos
  • Defining what is to be secured, to what extent and how assets are to be secured
  • What should an effective risk appetite statement look like?
  • Examples of risk appetite statement language
  • Items to keep in mind for audits and future developments

2:15 p.m. – 3:15 p.m.
Third Party Risk Management – IT and Cybersecurity

Kent Schramm, Director, Cyber Risk Services, Deloitte LLP

  • Identifying third parties creating risk exposures
    • contractors
    • vendors
    • outsourced IT management
    • IT and communications service providers
    • cloud computing services
  • Tackling the challenge of third parties providing services to your third parties – how to control the supply chain
  • Steps to take prior to entering into outsourcing agreements
  • How to monitor risks associated with third parties
  • How cyber attacks use third parties to gain access to primary targets
  • What to do beyond contract requirements
  • Can using analytics assist in managing third party risks?
  • Regulatory requirements for third party risk management
  • Frameworks and processes available to utilize

3:15 p.m. – 3:30 p.m. – Afternoon Networking Break

3:30 p.m. – 4:45 p.m.
Conducting a Risk Assessment Using the FAIR Methodology

Jack Jones, Co-Founder and E.V.P. Research and Development, Risk Lens

  • Identifying the decision that benefits from risk measurement
  • Scoping the analysis
  • Data gathering
  • Analysis
  • Challenges and opportunities in reporting risk to decision-makers

End of Day 1

Program - November 28

9:00 a.m. – 9:05 a.m.
Opening Remarks from the Chair

Elizabeth Alves, Vice President Internal Audit and Risk Management, Cogeco Inc.

9:05 a.m. – 9:50 a.m.
Rethinking Vulnerability Management 

John Heaton, Partner, KPMG LLP
Arani Adhikari, Manager, KPMG LLP

  • Limitations of traditional approaches to vulnerability management
    • ineffective outcomes
    • siloed methods of remediation
  • Creating a backlog of difficult issues through ineffective remediation
  • Utilizing a focused, risk-based vulnerability remediation plan
  • Identifying current challenges in vulnerability management processes
  • Key trends
  • Lessons learned from working with clients
  • Leading practices implemented

9:50 a.m. – 10:45 a.m.
Case Study: Examining a Breach and Recovery – What a Recovery Plan Looks Like

Seyed Hejazi, Manager, Ernst & Young LLP

  • Dissecting a cyber attack – planning a response
  • Identifying the essential matters to address and considering priority
  • Key communications issues
  • Do regulators need to be notified? External stakeholders?
  • Examples of incidents and how the fallout was handled – what has been learned?
  • What should be built into a recovery plan and allocating responsibilities
  • Getting the recovery plan off paper – how to ensure timely, effective response
  • Post-recovery considerations and modifying a pre-attack recovery plan

10:45 a.m. – 11:00 a.m. – Morning Networking Break

11:00 a.m. – 12:00 p.m.
Personal Data Management and Protection

Jordan Prokopy, Director and Privacy Practice Leader, PricewaterhouseCoopers LLP

  • Personal data protection landscape and trends in Canada and globally
  • Regulatory requirements for personal data management and protection
    • 10 privacy principles
    • key areas to highlight: mandatory breach notification, consent, personal data inventorying and mapping
  • International scope of EU General Data Protection Regulation (GDPR)
    • how it affects Canadian companies
  • Lessons learned helping Canadian companies address GDPR
  • What next for privacy in Canada?

12:00 p.m. – 1:00 p.m. – Luncheon

1:00 p.m. – 2:00 p.m.
Cyber Insurance 101 – Ins and Outs of Risk Mitigation

Sandra Black, Assistant Vice President, Marsh Canada Limited

  • How to think about and quantify cyber risk
  • Traditional insurance coverages and cyber risk
  • What do cyber policies cover and what’s not covered?
  • Key coverage considerations
  • Underwriting process and the information required
  • Sample loss scenarios and claims concerns
  • Market trends

2:00 p.m. – 3:00 p.m.
Current Cybersecurity Legal Risks and Requirements

Daanish Samadmoten, Fasken Martineau DuMoulin LLP

  • PIPEDA (Personal Information Protection and Electronic Documents Act) and Digital Privacy Act
    • when to notify individuals and report to the Commissioner
    • requirement to notify related third party organizations to mitigate risk
    • mandatory record-keeping for breaches
    • enforcement and penalties
    • provincial regulations mirroring PIPEDA
  • Canadian Securities Administrators – CSA Staff Notice 11-332
  • OSFI and cybersecurity
  • Litigation and class action risks arising from cybersecurity breaches
    • summary and update of the latest cases and trends
    • potential liability for privacy breaches
    • lessons learned from how plaintiffs frame their claims
    • the importance of effective incident response
    • effective legal risk management

Program – November 29

9:00 a.m. –  4:30 p.m.

Course Leader

Mario Mosse has 40 years of experience in operational risk management, internal audit and regulatory compliance at financial services companies. President of MMosse Consulting, LLC,  he provides risk management advice and training to the financial services industry. Previously, he was the head of Operational Risk Management at Prudential Financial, Inc.  Prior to joining Prudential, Mr. Mosse was with The Chase Manhattan Bank, where he held several senior positions in Internal Audit and Risk Management, including South America Regional Audit Executive and Head of Risk Management for the Corporate Finance Sector.

The objective of this workshop is to provide finance and risk professionals with an understanding of the fundamentals of risk management for cybersecurity and technology risk issues.  Many organizations view these risks as a technology issue rather than an organizational risk issue.  Combined with the complexity and terminology challenges, many organizations do not adequately take a holistic approach to tackling these critical risks.  This workshop will provide you with the essential elements of a successful risk management plan, including:

  • Overview of recent incidents – the underlying risk/threat profile in play
  • Essential cyber/tech security functions typically in place
  • Key terms and industry buzzwords
  • Common industry standards and frameworks – an overview
  • Assessing organizational readiness to prevent, detect and respond to risks/threats
  • Understanding cybersecurity business targets by key areas and related exposures to threats
  • Considerations for identifying and tackling the scope of the challenge
  • Specific internal controls to implement/consider
  • Bridging communications issues with technology and security professionals
  • Training issues to ensure organizational compliance with risk management policies
  • Insider threats
  • Incident response
    • events, alerts and incidents
    • data leaks vs. data breaches
    • difference between incident response and cyber crisis response
    • anatomy of a cyber attack
    • defining a chain of custody

(There will be a 15 minute break mid-morning and one hour luncheon)


This event has been developed with the professional responsibilities of our audience as our focus.  As well, auditors, financial advisors, analysts, lawyers and other advisory professionals would benefit from staying current on the information provided at this timely event.  In particular, our experience indicates that individuals in the following positions would most likely be in attendance:

  • Chief Financial Officers
  • Chief Risk Officers
  • Chief Accountants
  • Chief Compliance Officers
  • VPs, Directors and Managers
    • Risk Management/Reporting
    • Finance
    • Technology and Data Security
    • Compliance
    • Accounting
    • Financial Reporting
    • Regulatory Accounting
  • Controllers
  • Internal Auditors
  • Audit Committee Members
  • Corporate Counsel
  • Audit and Assurance Professionals
  • Industry Regulators and Standard Setters
  • Financial Analysts

To obtain a copy of the brochure, please send a request to the email below or click on the image of the brochure on this page.

e-mail at

Comments From Participants Attending Acumen Conferences – Information You Can Work With

“Top class expertise on the issues from a good variety of backgrounds. They are excellent speakers and made a difficult subject understandable. Very well organized and the topic was well covered”

Assistant Treasurer

“Best conference I’ve ever attended.”

Senior Manager, Enterprise Hedge Accounting and Derivative Reporting
Royal Bank of Canada

“Suffice it to say that the conference delivered on my expectations…A lot has been taken away from this conference…$ well spent…”

V.P. Risk Management Advisory
New Brunswick Credit Union Stabilization Board

“This seminar was fantastic - very informative and has some extremely interesting and knowledgeable speakers”

Manager, Corporate Accounting
Brascan Power

“The (2) days were eye opening. It definitely gives me a better idea of the areas to focus more of my time”

Supervisor Finance & IS
Highland Valley Copper

“Excellent presentation of new standards and how the various concepts relate/come together”

Manager, External Reporting
Potash Corporation of Saskatchewan Inc.

“Speakers were very knowledgeable, materials were current…examples and materials were relevant and well presented.”

Derivatives Accountant
Agrium Inc.

“Well rounded. Good flow.”

Manager, Capital Risk

To submit questions to be answered at the conference, please send us an email at this address at

Limited sponsorship and exhibition options are available for this event, including

• Cocktail reception
• Luncheon sponsorship
• Breakfast sponsorship
• Booth/exhibit space

For more information, or to check availability,
please contact us by phone at (416) 504-6952
or by e-mail at