Cyber insurance, security and data integrity insights

Transcription

1 Cyber insurance, security and data integrity insights 1

2 Executive summary: insights into cybersecurity and risk As cyber threats have become more pervasive, persistent and sophisticated, information security has become a business imperative for all industries. Unlike companies in other sectors, however, insurers must gain a deeper understanding of cyber threats as they develop cyber liability policies. These products are evolving to include not just technology companies, but all organizations that collect, store and process data from their customers. Businesses must take a proactive approach to cybersecurity rather than waiting for a breach to occur and then acting on it. When it comes to information security, insurers must stay ahead of the ever shifting cyber threats by maintaining the triad of confidentiality, integrity and availability of systems and data. No one escapes cyber risk. Every company is vulnerable to cyber threats. In the vibrant global cyber insurance market of the future, risk management of a data breach must be built into policy at the board level, and not just a concern of the IT departments. This will give the reinsurance industry and capital markets confidence, and confirm to regulators and rating agencies that enterprise risk management (ERM) has been included in cyber liability coverage. 2

3 Key actions for insurers to take To achieve Cybersecurity, insurers must: To mitigate cyber risks, insurers must: Develop and implement a long-term, enterprise-wide security program that addresses processes, controls, organization and governance, as well as reporting, metrics, privacy and data protection Invest in cybersecurity and do a better job of articulating and demonstrating the value proposition Establish a framework of continuous improvement in analytics and reporting, people, processes and technology Design and execute solutions to measure, monitor and report on the effectiveness of security programs Refine strategies based on changing threats, risks and business imperatives Integrate cyber risks into a broader enterprise risk management approach, including risk modeling and transfer Gain specific understanding of risks related to data breaches, supply chains, emerging digital technologies and rapid-growth markets Track and monitor cyber liability regulation and rating issues and developments Accept that all insured infrastructure is a target, with the highest value assets the most frequent targets Remain alert to changing trends and emerging threats within the market and ensure that policy terms and conditions do not increase exposure Embrace a cyber risk center of excellence approach that extends across customer, risk-centric and financial activities 3

4 Achieving cybersecurity Emerging cyber threats Financial institutions have developed applications for mobile payment and other transactions. While these applications represent innovation, the institutions never planned on supporting mobile banking. Consequently, digital exchanges via the mobile transaction network are at a higher risk of compromise and/or manipulation by exploiters with increasingly sophisticated tools and skills. Moreover, infrastructure and storage outsourcing efforts supporting these applications put organizations further at risk as cloud service providers have different security mechanisms. Other challenges (and reasons for concern) for insurers: There is a large gap between the nature of new threats and the capabilities available to detect attacks, monitor (and stop) unauthorized exfiltration and secure information. Few insurers have direct insights into the cyber liabilities surrounding intangible digital assets. Many do not have the tools to provide the direct real-time awareness necessary to calculate risks to insured digital assets stored by cloud service providers or enterprise networks. There is increased awareness that companies should be accountable for private records and the security of data collected from their customers. Research shows: Nearly 95% of all enterprise networks have been compromised by external attackers. Only 3% of organizations felt safe against insider threats. Hundreds of millions of consumers have had their identity information compromised. The financial and reputational losses to businesses and shareholders stretching into the tens of billions of dollars annually. Insurers should expect that insured infrastructure will be compromised at some point. The more important and valuable the data assets are (IP, customer and supplier base, etc.), the more likely a compromise will occur. As exposure has evolved, so have policies. Since exposure exists for any organization that handles private information, insurance companies have been tasked with creating a new type of policy. The rapid adoption of mobile and digital devices in emerging markets is fostering new product development, along with new security and privacy measures. 4

5 Achieving cybersecurity Pillars of information security Prevents the disclosure of information to unauthorized individuals or systems Confidentiality Security model Availability Integrity Makes sure that computing systems, security controls and communication channels are functioning correctly Maintains the accuracy and consistency of systems and data over the entire lifecycle the most critical pillar but a gaping hole today 5

6 Achieving cybersecurity Data Integrity What it is: Data integrity is the ability to independently prove what happened in a digital infrastructure, determine the impact of a security incident and distribute the liability for a data breach. This proof is currently hard to obtain from internal systems, and it becomes increasingly complicated with organizational reliance on outsourced cloud infrastructure and trusted administrators. New methods are needed to definitely identify the cause of compromise, the assets affected, when the compromise occurred and if insured assets were exposed outside the organization. Why it matters: It s a prerequisite for ensuring confidentiality. Without it, encryption is worse than useless, bringing a false sense of security that can lead to a breach. It brings auditability and transparency of evidence to governance frameworks (for both public and private sectors). Data integrity enables an independent audit of digital assets prior to a data breach and clearer visibility into impacts when breaches occur. 6

7 Achieving cybersecurity Getting to data integrity: keyless signature infrastructure Most breaches today go unnoticed until long after they occur and the damage has been done. Active integrity involves continuous verification of the integrity of data in storage using keyless signatures. A disruptive new technology standard, keyless signature infrastructures (KSI) can effectively address some cyber liability issues by enabling mutual auditability of information systems add clearer visibility into the cause of a breach incident. Further, KSI mitigates the risk of breach escalation in real time and provides indemnification against subrogation and other legal claims. A managed security service resulting from the implementation of KSI, marks a new era for insurers. How KSIs work: Unlike digital certificates, keyless signatures never expire. People are not required in the signing process. Use of keyless signatures strengthens legal non-repudiation for data at rest. There are no keys to be compromised and/or keys to revoke. During a breach, active integrity can be provided with cyber alarms and correlated to other network events by auditors, network operations centers and security operations centers delivering real-time, continuous monitoring and verification of data signed with keyless signatures. Keyless signatures change the security paradigm by ensuring visibility into the cause of breaches Keyless ignature = :39: :39: suporte6 pam_unix(cron:session): session closed for user root :09: :09: suporte6 pam_unix(cron:session): session opened for user root by (uid=0) :09: :09: suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type :09: :09: suporte6 pam_unix(cron:session):session closed for user root Each record is :12: :12:03 12: suporte6 mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin signed by keyless :17: :17: suporte6 pam_unix(cron:session): session opened for user root by (uid=0) signature :17: :17: suporte6 (root) CMD ( cd/&& run-parts report /etc/cron.hourly) :17: :17: suporte6 pam_unix(cron:session): session closed for user root :39: :39: suporte6 pam_unix(cron:session): session opened for user root by (uid=0) :39: :39: suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type Electronic ata Signed lectronic ata :09: :09: suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type :09: :09: suporte6 pam_unix(cron:session):session closed for user root :09: :09: suporte6 mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin :17: :17: suporte6 pam_unix(cron:session): session opened for user root by (uid=0) :17: :17: suporte6 (root) CMD ( cd/&& run-parts report /etc/cron.hourly) :17: :17: suporte6 pam_unix(cron:session): session closed for user root :39: :39: suporte6 pam_unix(cron:session): session opened for user root by (uid=0) :39: :39: suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type 7

8 Achieving cybersecurity KSI in action Estonia: NATO headquarters for Cybersecurity Estonia solved the data integrity issue following a disabling cyber attack in By integrating KSI into networks, every component, configuration and digital asset can be tagged, tracked and located with real-time verification no matter where that asset is transmitted or stored. With real-time awareness, incident response, data loss prevention, investigation and/or network resilience, it is now possible to detect and react to any misconfiguration, network, component or application failure in the country. It has irrefutable transparent evidence to independently verify and enable trust in transactions and interactions on their networks. No keys or encryption just mathematical proof of everything that happened. 8

9 Achieving cybersecurity Big data security challenges In the past, large financial risk models and risk-scenario simulations have taken days to run, slowing the delivery of urgently needed information to the C-suite. Running models in the cloud across multiple processors, where the modeling software can process successfully across multiple cores, means large models can now be run in a matter of minutes. But once the model data enters the cloud, can it be trusted? Machine-to-machine and autonomous sensor data being managed by machines assumes the security protocols and handling of machine-generated data are rock solid and invulnerable to compromise. That s a dangerous assumption. KSI and emerging data integrity standards will change the perception that data in the cloud is less secure than in corporate data centers. Real-time, continuous integrity monitoring and tamper detection capabilities like those enabled by KSI are necessary to protect the big data repositories that make up the cloud. Further, KSI allows companies to manage big data through four dimensions: Velocity Variety Volume Veracity 9

10 Achieving cybersecurity Innovation through analytics: the time is now Insurance master databases are one of the biggest sets of data in any sector and are growing exponentially thanks to telematics, social media, unstructured data and the like. Leading insurers are changing their vision to a managementby-data-analytics approach to customers, risk assessment and financial analysis. Big data will undoubtedly reshape the insurance industry. For years, the industry has had big data but did not know it or use it. The wake-up call is here, and it is time for re-evaluating and re-tooling analytical capabilities. More predictive modeling Better forecasting through deeper in-depth statistical analysis across the enterprise Moving beyond a simple one-on-one relationship of server to data storage Those are the capabilities innovation through analytics can enable and how data can become a single holistic global and enterprise resource. 10

11 Mitigating cyber risk Cyber risk in the context of ERM Insurers manage many risks aligned to their risk profiles and appetites. Visionaries and early adopters do so dynamically by use of mathematics (stochastically or actuarially) and simulations for the future based on the historical loss data in order to correlate all the risks of the enterprise into one holistic view. Factors to consider include: Cyber risk. Operational risk affects every organization on an equal basis and is often quantified as a percentage of gross written premiums. Cyber risks are no different from any other risk in terms of risk management and transfer Cyber risk must not be viewed as separate from other types of risks. Risk mitigation. Insurance and reinsurance are not alternatives to ERM. Risk transfer programs should be used to address structural residual risk, and risk management best practices can ease the process of finding the right cover at the right price with reinsurance optimization. Such an approach must be applied to cyber risk. Risk modeling. Dynamic risk modeling can enhance effective risk management best practices, modeling the likelihood of small claims from data breaches, as well as the impact of long-tail or black swan events. Early adopters are also experimenting with other risk transfer mechanisms include cyber captives, specialpurpose vehicles (SPVs) and sidecars. We are early in a long-term and necessary evolution where cyber risk can and must be managed within the broader context of ERM. Dynamic risk modeling tools are necessary to gain detailed visibility into value at risk. 11

12 Mitigating cyber risk Security issues affecting reinsurers As the stability mechanism for solvency in the insurance industry and the link to the capital markets and pension funds, the reinsurance industry must also be focused on cyber risks. Emerging technology threat: the industry must model cyber risks in correlation to other risks, including in the solvency, risk-based capital arena with long-tail exposure reduction. Reinsurers need to understand cyber risk independently of the insurer to create the right protection mechanisms, cyber models and rating bands. An incentive to invest: it is difficult for governments to determine if a cyber attack is an attack on a company or on a country. New mandatory data breach laws will force organizations to report data breaches within a specified period or face heavy fines (up to 10% of gross annual income). Ignorance that a data breach occurred is not an acceptable excuse. Cyber catastrophe models and databases: nearly 60 insurers write some form of cyber insurance coverage outside of errors and omissions insurance (E&O). The reinsurance industry needs to look at the effect of large aggregated cyber attacks that can affect the capital and stability of the risk industry. Cyber attacks and data breaches are black-swan events not unlike natural disasters that will: Help create cyber XL rates (excess of loss) for reinsurance to move away from quota share reinsurance Cause the cyber reinsurance industry to mature in the same way it did for natural catastrophe lines Include legal expenses, as these are particularly perilous to solvency and to the proper reserving of claims (the ability to pay) over a period 12

13 Mitigating cyber risk Supply chain risk Cyber liability regulation and rating Recent natural catastrophe events have shown what can happen to the global supply chain in terms of disruption. A severe cyber-attack would affect the global supply chain, especially around commercial and industrial internet usage. The insurance industry knows that the outsource service provider is the main cause of supply chain disruption, which often happens simultaneously when increasing weather disruption brings cyber and climate risks together in one event. When service providers outsource to each other, it sends a red alert to the industry. Data integrity needs to be embedded in the enterprise, as well as with IT vendors they outsource to and those outsourcers in turn engage. Technology, in conjunction with cyber attacks and service providers, makes up the majority of all supply chain disruptions. Rating agencies can have an economic effect on countries and corporations by making rating changes based on an event. The rating of insurers is also at risk if they do not provide mitigation advice to customers. They may struggle to get reinsurance capacity, expose themselves to more risk and lose access to A -rated capital. It is in everyone s interest in the regulatory and rating space to understand the standards and value that they bring to the table. Currently, rating agencies view cyber risk as a primary threat to solvency because of the significant, rapid and unexpected impact of an event and, in some cases, the ability to react to that event. For natural catastrophes, rating agencies look at the use of catastrophe event models that are created by third-party vendors and rely on vendor research and data accuracy. However, in the case of cyber risk, the catastrophe is the data itself. That requires a broader rating approach for example, with a data-scoring rating mechanism added to overall ERM ratings. The speed of regulatory change in data breach reporting will lead to increased cyber liability coverage and even mandatory insurance in some cases. 13

14 Mitigating cyber risk Best practices and the center of excellence Cyber risk leaders in insurance will likely embrace a center of excellence across customer, risk-centric and financial activities, thereby linking security analytics and big data with fraud investigations. This will further the trend toward intelligence-driven security plans in order to protect digital information assets. The Center of Excellence for Insurance Big Data Security, Technology Governance and Compliance can help you create a holistic, technology-enabled, business-driven strategy. Customer Need: trust Risk centric Need: knowledge Financial Need: transparency Distribution channel cross sell/up sell Underwriting Rating and regulation Customer lead identification Product design and innovation Asset liability matching Marketing campaign analysis Pricing and deductibles Reinsurance optimization Segmentation Reinsurance strategy Portfolio and asset optimization Know thy customer (KYC) Telematics M2M Risk-based capital pricing Lifetime value Catastrophe models Financial modelling Retention and lapse Reserving and claims Mac economics Fraud, SIU and forensics Embedded value subrogation/recovery 14

15 Mitigating cyber risk How EY assists with effective cyber risk management EY s information security services help our clients to assess their security strategies, processes and infrastructure to manage risk and enable compliance with applicable laws and regulations. This includes testing for security exposures and business risks created by vulnerabilities or inadequate systems, applications and network devices. Leading practices should include: A pragmatic, risk-based information security strategy that integrates solutions to address business needs, compliance requirements and ERM objectives Listening to what is going in the market, understanding security information trends and threats, and adjusting the risk assessment accordingly Continually reassessing new technologies and the threat landscape to confirm that focus is on the right priorities Executive and board support that leverages the expertise of partners and vendors and defines which security functions sit in-house instead of outsourced and in the cloud Assurance that information security is an integral part of the risk management function, not a stand-alone unit that fails to involve the business in the process 15

16 Learn more Key Contacts: Shaun Crawford Global Insurance Leader David Piesse International Insurance Society (IIS) Ambassador for Asia Pacific and Insurance Lead at Guardtime Mitigating cyber risk for insurers Part 2: Insights into cyber security and risk 2014 For insights into cybersecurity download Part 1: Cyber insurance, security and data integrity > For insights mitigating cyber risk download Part 2: Mitigating cyber risk for insurers > EY.com/insurance/cyber EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com EYGM Limited. All Rights Reserved. EYG no: EG NY ED none This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.