+ All Categories
Home > Business > Insights into cyber security and risk

Insights into cyber security and risk

Date post: 29-Nov-2014
Category:
Upload: ey
View: 345 times
Download: 2 times
Share this document with a friend
Description:
 
16
1 Cyber insurance, security and data integrity insights
Transcript
Page 1: Insights into cyber security and risk

1

Cyber insurance, security and data integrity insights

Page 2: Insights into cyber security and risk

2

As cyber threats have become more pervasive, persistent and sophisticated, information security has become a business imperative for all industries. Unlike companies in other sectors, however, insurers must gain a deeper understanding of cyber threats as they develop cyber liability policies. These products are evolving to include not just technology companies, but all organizations that collect, store and process data from their customers.

When it comes to information security, insurers must stay ahead of the ever shifting cyber threats by maintaining the triad of confidentiality, integrity and availability of systems and data.

No one escapes cyber risk. Every company is vulnerable to cyber threats. In the vibrant global cyber insurance market of the future, risk management of a data breach must be built into policy at the board level, and not just a concern of the IT departments. This will give the reinsurance industry and capital markets confidence, and confirm to regulators and rating agencies that enterprise risk management (ERM) has been included in cyber liability coverage.

Executive summary: insights into cybersecurity and risk Businesses must take a

proactive approach to cybersecurity rather than waiting for a breach to occur and then acting on it.

Page 3: Insights into cyber security and risk

3

Key actions for insurers to take

To achieve Cybersecurity, insurers must: To mitigate cyber risks, insurers must:

• Develop and implement a long-term, enterprise-wide security program that addresses processes, controls, organization and governance, as well as reporting, metrics, privacy and data protection

• Invest in cybersecurity and do a better job of articulating and demonstrating the value proposition

• Establish a framework of continuous improvement in analytics and reporting, people, processes and technology

• Design and execute solutions to measure, monitor and report on the effectiveness of security programs

• Refine strategies based on changing threats, risks and business imperatives

• Integrate cyber risks into a broader enterprise risk management approach, including risk modeling and transfer

• Gain specific understanding of risks related to data breaches, supply chains, emerging digital technologies and rapid-growth markets

• Track and monitor cyber liability regulation and rating issues and developments

• Accept that all insured infrastructure is a target, with the highest value assets the most frequent targets

• Remain alert to changing trends and emerging threats within the market and ensure that policy terms and conditions do not increase exposure

• Embrace a cyber risk center of excellence approach that extends across customer, risk-centric and financial activities

Page 4: Insights into cyber security and risk

Achieving cybersecurity

4

Financial institutions have developed applications for mobile payment and other transactions. While these applications represent innovation, the institutions never planned on supporting mobile banking. Consequently, digital exchanges via the mobile transaction network are at a higher risk of compromise and/or manipulation by exploiters with increasingly sophisticated tools and skills. Moreover, infrastructure and storage outsourcing efforts supporting these applications put organizations further at risk as cloud service providers have different security mechanisms.

Other challenges (and reasons for concern) for insurers:

• There is a large gap between the nature of new threats and the capabilities available to detect attacks, monitor (and stop) unauthorized exfiltration and secure information.

• Few insurers have direct insights into the cyber liabilities surrounding intangible digital assets.

• Many do not have the tools to provide the direct real-time awareness necessary to calculate risks to insured digital assets stored by cloud service providers or enterprise networks.

• There is increased awareness that companies should be accountable for private records and the security of data collected from their customers.

• Insurers should expect that insured infrastructure will be compromised at some point. The more important and valuable the data assets are (IP, customer and supplier base, etc.), the more likely a compromise will occur.

As exposure has evolved, so have policies. Since exposure exists for any organization that handles private information, insurance companies have been tasked with creating a new type of policy. The rapid adoption of mobile and digital devices in emerging markets is fostering new product development, along withnew security and privacy measures.

Emerging cyber threats

Research shows:

• Nearly 95% of all enterprise networks have been compromised by external attackers .

• Only 3% of organizations felt safe against insider threats .

• Hundreds of millions of consumers have had their identity information compromised.

• The financial and reputational losses to businesses and shareholders stretching into the tens of billions of dollars annually.

Page 5: Insights into cyber security and risk

5

Achieving cybersecurity

Maintains the accuracy and consistency of systems and data

over the entire lifecycle – the most critical pillar but a gaping hole today

Pillars of information security

Security model

Availability

Confidentiality

Integrity

Prevents the disclosure of information to unauthorized individuals or systems

Makes sure that computing systems, security controls and communication

channels are functioning correctly

Page 6: Insights into cyber security and risk

6

Achieving cybersecurity

Data Integrity

Data integrity is the ability to independently prove what happened in a digital infrastructure, determine the impact of a security incident and distribute the liability for a data breach. This proof is currently hard to obtain from internal systems, and it becomes increasingly complicated with organizational reliance on outsourced cloud infrastructure and “trusted” administrators.

New methods are needed to definitely identify the cause of compromise, the assets affected, when the compromise occurred and if insured assets were exposed outside the organization.

• It’s a prerequisite for ensuring confidentiality.

• Without it, encryption is worse than useless, bringing a false sense of security that can lead to a breach.

• It brings auditability and transparency of evidence to governance frameworks (for both public and private sectors).

What it is:

Why it matters:Data integrity enables an independent audit of digital assets prior to a data breach and clearer visibility into impacts when breaches occur.

6

Page 7: Insights into cyber security and risk

7

Achieving cybersecurity

7

Most breaches today go unnoticed until long after they occur and the damage has been done. Active integrity involves continuous verification of the integrity of data in storage using keyless signatures. A disruptive new technology standard, keyless signature infrastructures (KSI) can effectively address some cyber liability issues by enabling mutual auditability of information systems add clearer visibility into the cause of a breach incident. Further, KSI mitigates the risk of breach escalation in real time and provides indemnification against subrogation and other legal claims.

How KSIs work:

• Unlike digital certificates, keyless signatures never expire.

• People are not required in the signing process.

• Use of keyless signatures strengthens legal non-repudiation for data at rest.

• There are no keys to be compromised and/or keys to revoke.

• During a breach, active integrity can be provided with cyber alarms and correlated to other network events by auditors, network operations centers and security operations centers — delivering real-time, continuous monitoring and verification of data signed with keyless signatures.

Getting to data integrity: keyless signature infrastructure

Keyless signatures change the security paradigm by ensuring visibility into the cause of breaches.

A “managed security service” resulting from the implementation of KSI, marks a new era for insurers.

101010101010101010101010101010101010101010101010101010101010101010

= + Keyless ignature

101010101010101010101010101010101010101010101010101010101010101010

11110101010010100101000000010101011011000

Signed lectronic ata Electronic ata

10 2009-01-21 16:39:02 2009-01-21 16:39:02 10 6 suporte6 pam_unix(cron:session): session closed for user root

11 2009-01-21 17:09:03 2009-01-21 17:09:03 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0)

12 2009-01-21 17:09:15 2009-01-21 17:09:15 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type…

13 2009-01-21 17:09:17 2009-01-21 17:09:17 10 6 suporte6 pam_unix(cron:session):session closed for user root

14 2009-01-21 17:12:03 2009-01-21 17:12:03 10 5 suporte6 mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin

15 2009-01-21 17:17:02 2009-01-21 17:17:02 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0)

16 2009-01-21 17:17:03 2009-01-21 17:17:03 9 6 suporte6 (root) CMD ( cd/&& run-parts –report /etc/cron.hourly)

17 2009-01-21 17:17:03 2009-01-21 17:17:03 10 6 suporte6 pam_unix(cron:session): session closed for user root

18 2009-01-21 17:39:01 2009-01-21 17:39:01 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0)

19 2009-01-21 17:39:01 2009-01-21 17:39:01 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type…

20 2009-01-21 18:09:01 2009-01-21 18:09:01 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type…

21 2009-01-21 18:09:01 2009-01-21 18:09:01 10 6 suporte6 pam_unix(cron:session):session closed for user root

22 2009-01-21 18:09:01 2009-01-21 18:09:01 10 5 suporte6 mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin

23 2009-01-21 18:17:01 2009-01-21 18:17:01 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0)

24 2009-01-21 18:17:01 2009-01-21 18:17:01 9 6 suporte6 (root) CMD ( cd/&& run-parts –report /etc/cron.hourly)

25 2009-01-21 18:17:01 2009-01-21 18:17:01 10 6 suporte6 pam_unix(cron:session): session closed for user root

26 2009-01-21 18:39:01 2009-01-21 18:39:01 10 6 suporte6 pam_unix(cron:session): session opened for user root by (uid=0)

27 2009-01-21 18:39:01 2009-01-21 18:39:01 9 6 suporte6 (root) CMD ([-x /usr/lib/php5/maxlifetime ] && [-d /var/lib/php5 ] && find /var/lib/php5/ -type

009-01-21 16:39:02 2009-01-21 16:39:0

009-01-21 17:09:03 2009-01-21 17:09:0

009-01-21 17:09:15 2009-01-21 17:09:1

009-01-21 17:09:17 2009-01-21 17:09:1

009-01-21 17:12:03 2009-01-21 17:12:0

009-01-21 17:17:02 2009-01-21 17:17:0

21 17:17:03 2009-01-21 17:17:0

21 17:17:03 2009-01-21 17:17:0

21 17:39:01 2009-01-21 17:39:0

-01-21 16:39:02 2009-01-21 16:3

9-01-21 17:09:03 2009-01-21 17:09

9-01-21 17:09:15 2009-01-21 17:09

9-01-21 17:09:17 2009-01-21 17:09

-01-21 17:12:03 2009-01-21 17:1

01-21 17:17:02 2009-01-21 17:

21 17:17:03 2009-01-21

17:17:03 2009-01-

:39:39:39::39:39339::339:3333939:999:999::::02 20092 200902 200920092 200902 200900920092 200902 200902 20090902 2009000002 20002 2002 20002000 --0

:09::09::09:099::09::0:09::09::09:09:09::09000009 03 20093 200903 200903 2003 20093 20003 200903 200903 200903 200303 20003 200923 203 2003 2003 2003 200903 200903 200903 20093 233 200920093 2203 20093 0 0-000--0--0---0

:09:09:::09:09:09:09:0:0:090900009 15 20090990999099---00--00

Each record is signed by keyless

signature 20

20

20

20

009-0

009-01-

009-01-

009-01-

01-

Page 8: Insights into cyber security and risk

8

Achieving cybersecurity

8888888888888888888888888888888888888888

Estonia solved the data integrity issue following a disabling cyber attack in 2007. By integrating KSI into networks, every component, configuration and digital asset can be tagged, tracked and located with real-time verification — no matter where that asset is transmitted or stored.

With real-time awareness, incident response, data loss prevention, investigation and/or network resilience, it is now possible to detect and react to any misconfiguration, network, component or application failure in the country. It has irrefutable transparent evidence to independently verify and enable trust in transactions and interactions on their networks. No keys or encryption — just mathematical proof of everything that happened.

Estonia: NATO headquarters for Cybersecurity

KSI in action

Page 9: Insights into cyber security and risk

9

Achieving cybersecurity

Big data security challengesIn the past, large financial risk models and risk-scenario simulations have taken days to run, slowing the delivery of urgently needed information to the C-suite. Running models in the cloud across multiple processors, where the modeling software can process successfully across multiple cores, means large models can now be run in a matter of minutes.

But once the model data enters the cloud, can it be trusted?

Machine-to-machine and autonomous sensor data being managed by machines assumes the security protocols and handling of machine-generated data are rock solid and invulnerable to compromise. That’s a dangerous assumption.

Real-time, continuous integrity monitoring and tamper detection capabilities — like those enabled by KSI — are necessary to protect the big data repositories that make up the cloud. Further, KSI allows companies to manage big data through four dimensions:

KSI and emerging data integrity standards will change the perception that data in the cloud is less secure than in corporate data centers.

• Velocity

• Variety

• Volume

• Veracity

9

Page 10: Insights into cyber security and risk

10

Achieving cybersecurity

Insurance master databases are one of the biggest sets of data in any sector and are growing exponentially — thanks to telematics, social media, unstructured email data and the like.

Big data will undoubtedly reshape the insurance industry. For years, the industry has had big data but did not know it or use it. The wake-up call is here, and it is time for re-evaluating and re-tooling analytical capabilities.

More predictive modeling

Better forecasting through deeper in-depth statistical analysis across the enterprise

Moving beyond a simple one-on-one relationship of server to data storage

Those are the capabilities innovation through analytics can enable and how data can become a single holistic global and enterprise resource.

Innovation through analytics: the time is now Leading insurers are changing

their vision to a “management-by-data-analytics” approach to customers, risk assessment and financial analysis.

10

Page 11: Insights into cyber security and risk

11

Mitigating cyber risk

11

Insurers manage many risks aligned to their risk profiles and appetites. Visionaries and early adopters do so dynamically by use of mathematics (stochastically or actuarially) and simulations for the future based on the historical loss data in order to correlate all the risks of the enterprise into one holistic view. Factors to consider include:

Cyber risk. Operational risk affects every organization on an equal basis and is often quantified as a percentage of gross written premiums. Cyber risks are no different from any other risk in terms of risk management and transfer

Risk mitigation. Insurance and reinsurance are not alternatives to ERM. Risk transfer programs should be used to address structural residual risk, and risk management best practices can ease the process of finding the right cover at the right price — with reinsurance optimization. Such an approach must be applied to cyber risk.

Risk modeling. Dynamic risk modeling can enhance effective risk management best practices, modeling the likelihood of small claims from data breaches, as well as the impact of long-tail or “black swan” events.

Early adopters are also experimenting with other risk transfer mechanisms include cyber captives, special-purpose vehicles (SPVs) and sidecars. We are early in a long-term and necessary evolution — where cyber risk can and must be managed within the broader context of ERM.

Cyber risk in the context of ERM

Cyber risk must not be viewed as separate from other types of risks.

Dynamic risk modeling tools are necessary to gain detailed visibility into value at risk.

Page 12: Insights into cyber security and risk

12

Mitigating cyber risk

12

Security issues affecting reinsurers

As the stability mechanism for solvency in the insurance industry and the link to the capital markets and pension funds, the reinsurance industry must also be focused on cyber risks.

Emerging technology threat: the industry must model cyber risks in correlation to other risks, including in the solvency, risk-based capital arena with long-tail exposure reduction.

An incentive to invest: it is difficult for governments to determine if a cyber attack is an attack on a company or on a country. New mandatory data breach laws will force organizations to report data breaches within a specified period or face heavy fines (up to 10% of gross annual income). Ignorance that a data breach occurred is not an acceptable excuse.

Cyber catastrophe models and databases: nearly 60 insurers write some form of cyber insurance coverage outside of errors and omissions insurance (E&O). The reinsurance industry needs to look at the effect of large aggregated cyber attacks that can affect the capital and stability of the risk industry.

Cyber attacks and data breaches are black-swan events — not unlike natural disasters — that will:

• Help create cyber XL rates (excess of loss) for reinsurance to move away from quota share reinsurance

• Cause the cyber reinsurance industry to mature in the same way it did for natural catastrophe lines

• Include legal expenses, as these are particularly perilous to solvency and to the proper reserving of claims (the ability to pay) over a period

Reinsurers need to understand cyber risk independently of the insurer to create the right protection mechanisms, cyber models and rating bands.

Page 13: Insights into cyber security and risk

13

Mitigating cyber risk

Supply chain risk Cyber liability regulation and rating

Recent natural catastrophe events have shown what can happen to the global supply chain in terms of disruption.

A severe cyber-attack would affect the global supply chain, especially around commercial and industrial internet usage.

The insurance industry knows that the outsource service provider is the main cause of supply chain disruption, which often happens simultaneously when increasing weather disruption brings cyber and climate risks together in one event. When service providers outsource to each other, it sends a red alert to the industry.

Data integrity needs to be embedded in the enterprise, as well as with IT vendors they outsource to and those outsourcers in turn engage.

Rating agencies can have an economic effect on countries and corporations by making rating changes based on an event. The rating of insurers is also at risk if they do not provide mitigation advice to customers. They may struggle to get reinsurance capacity, expose themselves to more risk and lose access to “A”-rated capital. It is in everyone’s interest in the regulatory and rating space to understand the standards and value that they bring to the table.

Currently, rating agencies view cyber risk as a primary threat to solvency because of the significant, rapid and unexpected impact of an event and, in some cases, the ability to react to that event. For natural catastrophes, rating agencies look at the use of catastrophe event models that are created by third-party vendors and rely on vendor research and data accuracy.

However, in the case of cyber risk, the catastrophe is the data itself. That requires a broader rating approach — for example, with a data-scoring rating mechanism added to overall ERM ratings. Technology, in conjunction with cyber attacks

and service providers, makes up the majority of all supply chain disruptions.

The speed of regulatory change in data breach reporting will lead to increased cyber liability coverage and even mandatory insurance in some cases.

Page 14: Insights into cyber security and risk

14

Mitigating cyber risk

14

Best practices and the center of excellenceCyber risk leaders in insurance will likely embrace a center of excellence across customer, risk-centric and financial activities, thereby linking security analytics and big data with fraud investigations. This will further the trend toward intelligence-driven security plans in order to protect digital information assets.

The Center of Excellence for Insurance Big Data Security, Technology Governance and Compliance can help you create a holistic, technology-enabled, business-driven strategy.

CustomerNeed: trust

Risk centricNeed: knowledge

FinancialNeed: transparency

• Distribution channel cross sell/up sell • Underwriting • Rating and regulation

• Customer lead identifi cation • Product design and innovation • Asset liability matching

• Marketing campaign analysis • Pricing and deductibles • Reinsurance optimization

• Segmentation • Reinsurance strategy • Portfolio and asset optimization

• Know thy customer (KYC) • Telematics M2M • Risk-based capital pricing

• Lifetime value • Catastrophe models • Financial modelling

• Retention and lapse • Reserving and claims • Mac economics

• Fraud, SIU and forensics • Embedded value

• subrogation/recovery

Page 15: Insights into cyber security and risk

15

Mitigating cyber risk

15

How EY assists with effective cyber risk management

EY’s information security services help our clients to assess their security strategies, processes and infrastructure to manage risk and enable compliance with applicable laws and regulations. This includes testing for security exposures and business risks created by vulnerabilities or inadequate systems, applications and network devices.

Leading practices should include:

• A pragmatic, risk-based information security strategy that integrates solutions to address business needs, compliance requirements and ERM objectives

• Listening to what is going in the market, understanding security information trends and threats, and adjusting the risk assessment accordingly

• Continually reassessing new technologies and the threat landscape to confirm that focus is on the right priorities

• Executive and board support that leverages the expertise of partners and vendors and defines which security functions sit in-house instead of outsourced and in the cloud

• Assurance that information security is an integral part of the risk management function, not a stand-alone unit that fails to involve the business in the process

Page 16: Insights into cyber security and risk

Learn more

Key Contacts:

Shaun CrawfordGlobal Insurance [email protected]

David PiesseInternational Insurance Society (IIS) Ambassador for Asia Pacific and Insurance Lead at [email protected]

Mitigating cyber risk for insurersPart 2: Insights into cyber security and risk — 2014

For insights into cybersecurity — download Part 1: Cyber insurance, security and data integrity >

For insights mitigating cyber risk — download Part 2: Mitigating cyber risk for insurers >

EY.com/insurance/cyber

EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust andconfidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2014 EYGM Limited. All Rights Reserved.

EYG no: EG0204 1408-1304669 NY

ED none

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.


Recommended