Cyber insurance, security and data integrity insights

Similar documents
Implementing behavioral analytics to drive customer value: Insurers cannot afford to wait.

2014 EY US life insuranceannuity

Better-working insurance: moving blockchain from concept to reality

ORSA reports: gaps and opportunities

Managing operational tax risk through technology

The Internet of Everything: Building Cyber Resilience in a Connected World

A FRAMEWORK FOR MANAGING CYBER RISK APRIL 2015

Is the future of shipping in ships and ports, or chips and blocks?

Claims transformation. EY claims capability

The Proactive Quality Guide to. Embracing Risk

Cyber Risk Enlightenment through information risk management

Next-Gen Contract Management

Cyber Insurance I don t think it means what you think it means

Sharing insights on key industry issues*

Competition, compliance & cost continue to challenge the c-suite of Australian insurers

Rethinking the success of bancassurance. EY survey identifies trends and challenges of this unique business model as it applies in Brazil

How to review an ORSA

Cyber-risk and cyber-controls:

The agent of the future

ANTI-FRAUD CODE CONTENTS INTRODUCTION GOAL CORPORATE REFERENCE FRAMEWORK CONCEPTUAL FRAMEWORK ACTION FRAMEWORK GOVERNANCE STRUCTURE

7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS

Optimizing and balancing corporate agility for insurers

Ball State University

GUIDELINE ON ENTERPRISE RISK MANAGEMENT

Cybersecurity Insurance: New Risks and New Challenges

Cybersecurity Insurance: The Catalyst We've Been Waiting For

undiscovered opportunities insurance analytics Advanced analytics for insurance

Get Smarter. Data Analytics in the Canadian Life Insurance Industry. Introduction. Highlights. Financial Services & Insurance White Paper

T A B L E of C O N T E N T S

Making Predictive Modeling Work for Small Commercial Insurance Risk Assessment

Four key capabilities for the future of underwriting. Findings from the EY-CPCU Society underwriting survey

Meeting the challenges of the changing actuarial role. Actuarial Transformation in property-casualty insurers

2014 EY Canadian life insurance outlook

Improve business results by first improving your vendor selection

Record to report. Are you audit ready?

Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know and Do

Fraud Investigation & Dispute Services Corporate misconduct individual consequences

FROM 12 TO 21: OUR WAY FORWARD

The Components of a Sound Emerging Risk Management Framework

Small business, big risk: Lack of cyber insurance is a serious threat

Robots join the team. Automation, transformation and the future of actuarial work for insurers

Aligning Risk Management with CU Business Strategy

The OCEG Open Risk Classification using XBRL

Advisory Standards I. GOVERNMENT REGULATIONS & GOVERNING DOCUMENTS

Tailored and experiential training for the insurance industry

Alternative Investments Advisory Services. kpmg.com

Guidewire ClaimCenter. Adapt and succeed

Digital insurance: How to compete in the new digital economy

Keynote Address by Mr John Leung, CEO, Insurance Authority 12th Asian Insurance CFO Summit th May 2018, Hong Kong

OECD PROJECT ON CYBER RISK INSURANCE

Key Themes. Organizational Dynamics and Effective Risk Management. Organizational Alignment. Risk Management Effectiveness

Technology, governance and risk: can new thinking on three issues bring retirement security for millions?

Data Analytics and Unstructured Data Actuaries 2.0

Investor Presentation. March 2017

Credit Card Handling Security Standards

ERM and ORSA are they the same? Focus on Active Risk Management

Optimizing the actuarial modeling environment

EU-US Insurance Dialogue Project: New Initiatives for Focus Areas for 2018

Operational Risk Management

Reporting climate change risk

Building the Vision: A Look into the Future of an Efficient Insurance Data & Analytics Market

The Art of Conversation. kpmg.com/uk/insurance

Why Risk Management is Treasury s Biggest Priority

INSURTECH OUTLOOK. Executive Summary september 2016

Fraud risk management. Oil and gas sector

IT Risk in Credit Unions - Thematic Review Findings

Stochastic Analysis Of Long Term Multiple-Decrement Contracts

Risk-based capital and governance in Asia-Pacific: emerging regulations

Cyber ERM Proposal Form

Rapid returns for the insurance industry with Atos Fraud & Claims Management

blockchain bitcoin cryptography currency Blockchain: The Next Big Digital Disruptor for CFOs cryptocurrency exchange transaction financial market

ERM and the new world of insurance regulation. Where insurers should focus now to find business value

Accelerating expansion in Japan Risk management frameworks at a glance

Insuring your online world, even when you re offline. Masterpiece Cyber Protection

Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data

Session 73 PD, Predictive Modeling for the Marketing Actuary. Moderator: Maria Patricia Marcelo Arellano, FSA, CERA, MAAA

Why CISOs Should Embrace Their Cyber Insurer

Better-working insurance: moving blockchain from concept to reality

MANAGE RISK WORLDWIDE

Blockchain. How this technology could impact the CFO

Crossing the Breach. It won t happen to us

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers

THE BLOCKCHAIN DISRUPTION. INSIGHT REPORT on Blockchain prepared by The Burnie Group

H 7789 S T A T E O F R H O D E I S L A N D

PAI Secure Program Guide

The money in motion opportunity. Capturing the opportunities for increasing assets and enhancing relationships as investors move into retirement

Cyber COPE. Transforming Cyber Underwriting by Russ Cohen

The Digital Insurer. The Art of the Possible. 10/02/17 Avril Castagnetta, Senior Manager

Society of Actuaries - ERM Forum, 10 May 2016 A regulatory perspective on consumer risk

Embrace the Solvency II internal model

How Will the Distributed Ledger Change the Customer Experience?

Big Data - Transforming Risk and Insurance. Driving Change

You ve been hacked. Riekie Gordon & Roger Truebody & Alexandra Schudel. Actuarial Society 2017 Convention October 2017

The UK s new corporate criminal offense. How adopting a robust risk-based approach could open the pathway for future global compliance

Reimagining customer relationships. Asia-Pacific

Transforming claims through predictive modelling

Achieving convergence of finance, risk and actuarial functions: beyond transformation

STEPPING INTO THE A GUIDE TO CYBER AND DATA INSURANCE BREACH

Company Overview. August 6, 2018

The working roundtable was conducted through two interdisciplinary panel sessions:

Transcription:

Cyber insurance, security and data integrity insights 1

Executive summary: insights into cybersecurity and risk As cyber threats have become more pervasive, persistent and sophisticated, information security has become a business imperative for all industries. Unlike companies in other sectors, however, insurers must gain a deeper understanding of cyber threats as they develop cyber liability policies. These products are evolving to include not just technology companies, but all organizations that collect, store and process data from their customers. Businesses must take a proactive approach to cybersecurity rather than waiting for a breach to occur and then acting on it. When it comes to information security, insurers must stay ahead of the ever shifting cyber threats by maintaining the triad of confidentiality, integrity and availability of systems and data. No one escapes cyber risk. Every company is vulnerable to cyber threats. In the vibrant global cyber insurance market of the future, risk management of a data breach must be built into policy at the board level, and not just a concern of the IT departments. This will give the reinsurance industry and capital markets confidence, and confirm to regulators and rating agencies that enterprise risk management (ERM) has been included in cyber liability coverage. 2

Key actions for insurers to take To achieve Cybersecurity, insurers must: To mitigate cyber risks, insurers must: Develop and implement a long-term, enterprise-wide security program that addresses processes, controls, organization and governance, as well as reporting, metrics, privacy and data protection Invest in cybersecurity and do a better job of articulating and demonstrating the value proposition Establish a framework of continuous improvement in analytics and reporting, people, processes and technology Design and execute solutions to measure, monitor and report on the effectiveness of security programs Refine strategies based on changing threats, risks and business imperatives Integrate cyber risks into a broader enterprise risk management approach, including risk modeling and transfer Gain specific understanding of risks related to data breaches, supply chains, emerging digital technologies and rapid-growth markets Track and monitor cyber liability regulation and rating issues and developments Accept that all insured infrastructure is a target, with the highest value assets the most frequent targets Remain alert to changing trends and emerging threats within the market and ensure that policy terms and conditions do not increase exposure Embrace a cyber risk center of excellence approach that extends across customer, risk-centric and financial activities 3

Achieving cybersecurity Emerging cyber threats Financial institutions have developed applications for mobile payment and other transactions. While these applications represent innovation, the institutions never planned on supporting mobile banking. Consequently, digital exchanges via the mobile transaction network are at a higher risk of compromise and/or manipulation by exploiters with increasingly sophisticated tools and skills. Moreover, infrastructure and storage outsourcing efforts supporting these applications put organizations further at risk as cloud service providers have different security mechanisms. Other challenges (and reasons for concern) for insurers: There is a large gap between the nature of new threats and the capabilities available to detect attacks, monitor (and stop) unauthorized exfiltration and secure information. Few insurers have direct insights into the cyber liabilities surrounding intangible digital assets. Many do not have the tools to provide the direct real-time awareness necessary to calculate risks to insured digital assets stored by cloud service providers or enterprise networks. There is increased awareness that companies should be accountable for private records and the security of data collected from their customers. Research shows: Nearly 95% of all enterprise networks have been compromised by external attackers. Only 3% of organizations felt safe against insider threats. Hundreds of millions of consumers have had their identity information compromised. The financial and reputational losses to businesses and shareholders stretching into the tens of billions of dollars annually. Insurers should expect that insured infrastructure will be compromised at some point. The more important and valuable the data assets are (IP, customer and supplier base, etc.), the more likely a compromise will occur. As exposure has evolved, so have policies. Since exposure exists for any organization that handles private information, insurance companies have been tasked with creating a new type of policy. The rapid adoption of mobile and digital devices in emerging markets is fostering new product development, along with new security and privacy measures. 4

Achieving cybersecurity Pillars of information security Prevents the disclosure of information to unauthorized individuals or systems Confidentiality Security model Availability Integrity Makes sure that computing systems, security controls and communication channels are functioning correctly Maintains the accuracy and consistency of systems and data over the entire lifecycle the most critical pillar but a gaping hole today 5

Achieving cybersecurity Data Integrity What it is: Data integrity is the ability to independently prove what happened in a digital infrastructure, determine the impact of a security incident and distribute the liability for a data breach. This proof is currently hard to obtain from internal systems, and it becomes increasingly complicated with organizational reliance on outsourced cloud infrastructure and trusted administrators. New methods are needed to definitely identify the cause of compromise, the assets affected, when the compromise occurred and if insured assets were exposed outside the organization. Why it matters: It s a prerequisite for ensuring confidentiality. Without it, encryption is worse than useless, bringing a false sense of security that can lead to a breach. It brings auditability and transparency of evidence to governance frameworks (for both public and private sectors). Data integrity enables an independent audit of digital assets prior to a data breach and clearer visibility into impacts when breaches occur. 6

Achieving cybersecurity Getting to data integrity: keyless signature infrastructure Most breaches today go unnoticed until long after they occur and the damage has been done. Active integrity involves continuous verification of the integrity of data in storage using keyless signatures. A disruptive new technology standard, keyless signature infrastructures (KSI) can effectively address some cyber liability issues by enabling mutual auditability of information systems add clearer visibility into the cause of a breach incident. Further, KSI mitigates the risk of breach escalation in real time and provides indemnification against subrogation and other legal claims. A managed security service resulting from the implementation of KSI, marks a new era for insurers. How KSIs work: Unlike digital certificates, keyless signatures never expire. People are not required in the signing process. Use of keyless signatures strengthens legal non-repudiation for data at rest. There are no keys to be compromised and/or keys to revoke. During a breach, active integrity can be provided with cyber alarms and correlated to other network events by auditors, network operations centers and security operations centers delivering real-time, continuous monitoring and verification of data signed with keyless signatures. Keyless signatures change the security paradigm by ensuring visibility into the cause of breaches. 10101010101 01010101010 10101010101 01010101010 10101010101 01010101010 + Keyless ignature = 10101010101 0 01010101010 10101010101 01010101010 10101010101 01010101010 10 2009-01-21 16:39:02 2009-01-21 09 01-21 16:39:02 10 6 suporte6 pam_unix(cron:session): session closed for user root 11 2009-01-21 17:09:03 03 2009-01-21 0 01-21 17:09:03 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0) 12 2009-01-21 17:09:15 15 2009-01-21 09-0 01-21 17:09:15 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type 13 2009-01-21 17:09:17 2009-01-21 17:09:17 10 6 suporte6 pam_unix(cron:session):session closed for user root Each record is 14 2009-01-21 17:12:03 2009-01-21 17:12:03 12:0 10 5 suporte6 mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin signed by keyless 15 2009-01-21 01-21 17:17:02 2009-01-21 17:17:02 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0) signature 16 2009-01-21 21 17:17:03 2009-01-211 17:17:03 9 6 suporte6 (root) CMD ( cd/&& run-parts report /etc/cron.hourly) 17 2009-01-21 21 17:17:03 2009-01-21 17:17:03 10 6 suporte6 pam_unix(cron:session): session closed for user root 18 2009-01-21 21 17:39:01 2009-01-21 17:39:01 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0) 19 2009-01-21 17:39:01 2009-01-21 17:39:01 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type Electronic ata Signed lectronic ata 20 2009-01-21 18:09:01 2009-01-21 18:09:01 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type 21 2009-01-21 18:09:01 2009-01-21 18:09:01 10 6 suporte6 pam_unix(cron:session):session closed for user root 22 2009-01-21 18:09:01 2009-01-21 18:09:01 10 5 suporte6 mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin 23 2009-01-21 18:17:01 2009-01-21 18:17:01 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0) 24 2009-01-21 18:17:01 2009-01-21 18:17:01 9 6 suporte6 (root) CMD ( cd/&& run-parts report /etc/cron.hourly) 25 2009-01-21 18:17:01 2009-01-21 18:17:01 10 6 suporte6 pam_unix(cron:session): session closed for user root 26 2009-01-21 18:39:01 2009-01-21 18:39:01 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0) 27 2009-01-21 18:39:01 2009-01-21 18:39:01 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type 7

Achieving cybersecurity KSI in action Estonia: NATO headquarters for Cybersecurity Estonia solved the data integrity issue following a disabling cyber attack in 2007. By integrating KSI into networks, every component, configuration and digital asset can be tagged, tracked and located with real-time verification no matter where that asset is transmitted or stored. With real-time awareness, incident response, data loss prevention, investigation and/or network resilience, it is now possible to detect and react to any misconfiguration, network, component or application failure in the country. It has irrefutable transparent evidence to independently verify and enable trust in transactions and interactions on their networks. No keys or encryption just mathematical proof of everything that happened. 8

Achieving cybersecurity Big data security challenges In the past, large financial risk models and risk-scenario simulations have taken days to run, slowing the delivery of urgently needed information to the C-suite. Running models in the cloud across multiple processors, where the modeling software can process successfully across multiple cores, means large models can now be run in a matter of minutes. But once the model data enters the cloud, can it be trusted? Machine-to-machine and autonomous sensor data being managed by machines assumes the security protocols and handling of machine-generated data are rock solid and invulnerable to compromise. That s a dangerous assumption. KSI and emerging data integrity standards will change the perception that data in the cloud is less secure than in corporate data centers. Real-time, continuous integrity monitoring and tamper detection capabilities like those enabled by KSI are necessary to protect the big data repositories that make up the cloud. Further, KSI allows companies to manage big data through four dimensions: Velocity Variety Volume Veracity 9

Achieving cybersecurity Innovation through analytics: the time is now Insurance master databases are one of the biggest sets of data in any sector and are growing exponentially thanks to telematics, social media, unstructured email data and the like. Leading insurers are changing their vision to a managementby-data-analytics approach to customers, risk assessment and financial analysis. Big data will undoubtedly reshape the insurance industry. For years, the industry has had big data but did not know it or use it. The wake-up call is here, and it is time for re-evaluating and re-tooling analytical capabilities. More predictive modeling Better forecasting through deeper in-depth statistical analysis across the enterprise Moving beyond a simple one-on-one relationship of server to data storage Those are the capabilities innovation through analytics can enable and how data can become a single holistic global and enterprise resource. 10

Mitigating cyber risk Cyber risk in the context of ERM Insurers manage many risks aligned to their risk profiles and appetites. Visionaries and early adopters do so dynamically by use of mathematics (stochastically or actuarially) and simulations for the future based on the historical loss data in order to correlate all the risks of the enterprise into one holistic view. Factors to consider include: Cyber risk. Operational risk affects every organization on an equal basis and is often quantified as a percentage of gross written premiums. Cyber risks are no different from any other risk in terms of risk management and transfer Cyber risk must not be viewed as separate from other types of risks. Risk mitigation. Insurance and reinsurance are not alternatives to ERM. Risk transfer programs should be used to address structural residual risk, and risk management best practices can ease the process of finding the right cover at the right price with reinsurance optimization. Such an approach must be applied to cyber risk. Risk modeling. Dynamic risk modeling can enhance effective risk management best practices, modeling the likelihood of small claims from data breaches, as well as the impact of long-tail or black swan events. Early adopters are also experimenting with other risk transfer mechanisms include cyber captives, specialpurpose vehicles (SPVs) and sidecars. We are early in a long-term and necessary evolution where cyber risk can and must be managed within the broader context of ERM. Dynamic risk modeling tools are necessary to gain detailed visibility into value at risk. 11

Mitigating cyber risk Security issues affecting reinsurers As the stability mechanism for solvency in the insurance industry and the link to the capital markets and pension funds, the reinsurance industry must also be focused on cyber risks. Emerging technology threat: the industry must model cyber risks in correlation to other risks, including in the solvency, risk-based capital arena with long-tail exposure reduction. Reinsurers need to understand cyber risk independently of the insurer to create the right protection mechanisms, cyber models and rating bands. An incentive to invest: it is difficult for governments to determine if a cyber attack is an attack on a company or on a country. New mandatory data breach laws will force organizations to report data breaches within a specified period or face heavy fines (up to 10% of gross annual income). Ignorance that a data breach occurred is not an acceptable excuse. Cyber catastrophe models and databases: nearly 60 insurers write some form of cyber insurance coverage outside of errors and omissions insurance (E&O). The reinsurance industry needs to look at the effect of large aggregated cyber attacks that can affect the capital and stability of the risk industry. Cyber attacks and data breaches are black-swan events not unlike natural disasters that will: Help create cyber XL rates (excess of loss) for reinsurance to move away from quota share reinsurance Cause the cyber reinsurance industry to mature in the same way it did for natural catastrophe lines Include legal expenses, as these are particularly perilous to solvency and to the proper reserving of claims (the ability to pay) over a period 12

Mitigating cyber risk Supply chain risk Cyber liability regulation and rating Recent natural catastrophe events have shown what can happen to the global supply chain in terms of disruption. A severe cyber-attack would affect the global supply chain, especially around commercial and industrial internet usage. The insurance industry knows that the outsource service provider is the main cause of supply chain disruption, which often happens simultaneously when increasing weather disruption brings cyber and climate risks together in one event. When service providers outsource to each other, it sends a red alert to the industry. Data integrity needs to be embedded in the enterprise, as well as with IT vendors they outsource to and those outsourcers in turn engage. Technology, in conjunction with cyber attacks and service providers, makes up the majority of all supply chain disruptions. Rating agencies can have an economic effect on countries and corporations by making rating changes based on an event. The rating of insurers is also at risk if they do not provide mitigation advice to customers. They may struggle to get reinsurance capacity, expose themselves to more risk and lose access to A -rated capital. It is in everyone s interest in the regulatory and rating space to understand the standards and value that they bring to the table. Currently, rating agencies view cyber risk as a primary threat to solvency because of the significant, rapid and unexpected impact of an event and, in some cases, the ability to react to that event. For natural catastrophes, rating agencies look at the use of catastrophe event models that are created by third-party vendors and rely on vendor research and data accuracy. However, in the case of cyber risk, the catastrophe is the data itself. That requires a broader rating approach for example, with a data-scoring rating mechanism added to overall ERM ratings. The speed of regulatory change in data breach reporting will lead to increased cyber liability coverage and even mandatory insurance in some cases. 13

Mitigating cyber risk Best practices and the center of excellence Cyber risk leaders in insurance will likely embrace a center of excellence across customer, risk-centric and financial activities, thereby linking security analytics and big data with fraud investigations. This will further the trend toward intelligence-driven security plans in order to protect digital information assets. The Center of Excellence for Insurance Big Data Security, Technology Governance and Compliance can help you create a holistic, technology-enabled, business-driven strategy. Customer Need: trust Risk centric Need: knowledge Financial Need: transparency Distribution channel cross sell/up sell Underwriting Rating and regulation Customer lead identification Product design and innovation Asset liability matching Marketing campaign analysis Pricing and deductibles Reinsurance optimization Segmentation Reinsurance strategy Portfolio and asset optimization Know thy customer (KYC) Telematics M2M Risk-based capital pricing Lifetime value Catastrophe models Financial modelling Retention and lapse Reserving and claims Mac economics Fraud, SIU and forensics Embedded value subrogation/recovery 14

Mitigating cyber risk How EY assists with effective cyber risk management EY s information security services help our clients to assess their security strategies, processes and infrastructure to manage risk and enable compliance with applicable laws and regulations. This includes testing for security exposures and business risks created by vulnerabilities or inadequate systems, applications and network devices. Leading practices should include: A pragmatic, risk-based information security strategy that integrates solutions to address business needs, compliance requirements and ERM objectives Listening to what is going in the market, understanding security information trends and threats, and adjusting the risk assessment accordingly Continually reassessing new technologies and the threat landscape to confirm that focus is on the right priorities Executive and board support that leverages the expertise of partners and vendors and defines which security functions sit in-house instead of outsourced and in the cloud Assurance that information security is an integral part of the risk management function, not a stand-alone unit that fails to involve the business in the process 15

Learn more Key Contacts: Shaun Crawford Global Insurance Leader scrawford2@uk.ey.com David Piesse International Insurance Society (IIS) Ambassador for Asia Pacific and Insurance Lead at Guardtime david.piesse@guardtime.com Mitigating cyber risk for insurers Part 2: Insights into cyber security and risk 2014 For insights into cybersecurity download Part 1: Cyber insurance, security and data integrity > For insights mitigating cyber risk download Part 2: Mitigating cyber risk for insurers > EY.com/insurance/cyber EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. 2014 EYGM Limited. All Rights Reserved. EYG no: EG0204 1408-1304669 NY ED none This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback